

[linux] Understand input, output, forward, and prohibiting pings

Posted on 12/7/2015 5:50:26 PM
After reading the post "[Share] ROS Prohibition PING Method", I feel that everyone lacks a good understanding of the RouterOS firewall and of the basic TCP/IP protocols. Here I will share my views so that you can discuss and learn together with me.
One reason I like RouterOS is that its firewall is very flexible. The RouterOS firewall is a packet-filtering firewall: you define a series of rules that filter the packets sent to RouterOS, sent from RouterOS, and forwarded through RouterOS. It defines three firewall (filter) chains, input, forward and output, and within each of them you define your own rules. Input refers to packets sent to RouterOS itself (that is, the destination IP is an IP address on one of RouterOS's interfaces); output refers to packets sent from RouterOS (that is, the source IP is an IP address on one of RouterOS's interfaces); forward refers to packets forwarded through RouterOS (for example, when a computer on your internal network accesses the external network, its traffic has to be forwarded through RouterOS).
For example, for the "[Share] ROS Prohibition PING Method" post, we generally need to add the rule to the input chain, because the ping packet is sent to RouterOS: its destination IP is an interface IP address of RouterOS.
(Of course, if you insist on placing the rule in the output chain to filter out ICMP, that also stops ping: when the packet you send reaches RouterOS, RouterOS receives it and generates a reply, and when that reply is about to be sent, RouterOS checks the output chain rules and filters out the packets that would respond to you.)
Each rule in each chain can match on a destination IP, a source IP and an incoming interface (in-interface), which makes building rules very flexible. For example, in "[Share] ROS Prohibition PING Method", to stop the external network from pinging RouterOS, just select the interface that connects you to the external network as the in-interface. To stop internal pings, select the interface connected to your internal network. To stop all pings, select all interfaces. Of course, to block ping the protocol must be ICMP, and the action should be drop or reject.
It should also be noted that ICMP does not mean ping; ping is only one kind of ICMP message (an echo request has ICMP type 8 and code 0, written in RouterOS as icmp-options=8:0; the reply to a ping is ICMP type 0, code 0), and many other messages also belong to ICMP. For example, if you block the internal network from pinging any external network by creating a rule in the forward chain with protocol ICMP, action drop and everything else left at the defaults, then your internal network can no longer ping any external address, but tracing a route with the traceroute command will also stop working. So when writing rules, pay attention to every detail.
Also, in RouterOS the input, output and forward chains allow all traffic by default. That is, unless you explicitly block something in the rules, it is allowed. You can change the default policy with a setting such as ip firewall input policy=drop.
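As an added illustration (not code from the post; the interface names, addresses and rules are constructed), this Python model reproduces how RouterOS picks the input, output or forward chain for a packet, matches a rule's protocol, icmp-options and in-interface, and falls back to the chain's default policy:

```python
from dataclasses import dataclass
from typing import Optional
# Constructed router: ether1 faces the external network, ether2 the internal one.
ROUTER_IPS = {"ether1": "203.0.113.2", "ether2": "192.168.88.1"}

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]  # None when RouterOS itself generated the packet
    proto: str = "icmp"
    icmp_type: int = 8       # 8 = echo request, 0 = echo reply, 11 = time exceeded
    icmp_code: int = 0

@dataclass
class Rule:
    chain: str
    action: str                         # accept, drop or reject
    protocol: Optional[str] = None
    icmp_options: Optional[str] = None  # RouterOS "type:code" syntax, e.g. "8:0"
    in_interface: Optional[str] = None  # None matches every interface ("all")

def chain_for(pkt: Packet) -> str:
    """input: addressed to a router IP; output: generated by the router; else forward."""
    if pkt.dst in ROUTER_IPS.values():
        return "input"
    if pkt.in_iface is None and pkt.src in ROUTER_IPS.values():
        return "output"
    return "forward"

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol is not None and rule.protocol != pkt.proto:
        return False
    if rule.in_interface is not None and rule.in_interface != pkt.in_iface:
        return False
    if rule.icmp_options is not None:
        t, c = (int(x) for x in rule.icmp_options.split(":"))
        if pkt.proto != "icmp" or (t, c) != (pkt.icmp_type, pkt.icmp_code):
            return False
    return True

def verdict(rules, pkt: Packet, default_policy: str = "accept"):
    chain = chain_for(pkt)  # first matching rule in that chain wins
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return chain, rule.action
    return chain, default_policy

# The post's rule, i.e. /ip firewall filter add chain=input protocol=icmp icmp-options=8:0 in-interface=ether1 action=drop
NO_WAN_PING = [Rule("input", "drop", protocol="icmp", icmp_options="8:0", in_interface="ether1")]
NO_FORWARD_ICMP = [Rule("forward", "drop", protocol="icmp")]  # the post's cautionary rule
```

The last rule set shows the caveat from the post: with all ICMP dropped in forward, the ICMP type 11 replies that traceroute relies on are dropped along with the pings.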
I have written this at some length so that beginners can understand it well. Welcome to the discussion!