Do I need a firewall rule?

I have a router with 4 ports. One is for the servers (via a switch) and one is the pppoe interface towards my ISP.

I have the “default-route auto” on the pppoe interface. And a route to my subnet on the eth1 interface.

This gives me those routes:

0.0.0.0 0.0.0.0 pppoe2
12.145.66.34 255.255.255.192 eth1
12.145.11.64 255.255.255.255 pppoe2

That’s fine and it’s working… now the question:

I’d like to use eth3 as a “service port” and I don’t want any routing to happen to or from this interface. I gave it the IP 192.168.68.1 and it seems to work fine. But I can ping 12.145.11.64 from the 192.168.68.x network (nothing else can be pinged, but this one address is possible). … what’s the recommendation here? Should I add a firewall rule to make sure that I will never have any routing from or to this eth3 port? Or is it just fine like that?? (is it routing, by the way? or is what I see not real routing but just… don’t know… something that happens because the router does have those 3 addresses and reacts to a query to 12.145.11.64 also on the 192.168.68.1 address/port?) … or, if that’s correct what it does… could I then delete the static route to my subnet on eth1 and it would still work? … is the routing “enabled by default”?

As I understand, IP 12.145.11.64 is assigned to your router on the pppoe interface. Also, you want to completely isolate the network on eth3.
By default, all traffic is accepted if you don’t explicitly forbid it. So, to forbid forwarding from eth3:

## 1st: create a firewall chain with only default-action drop
set firewall name ETH3-FWD default-action drop

## Attach the firewall to eth3 "in". This will drop all forwarding from eth3
set interfaces eth eth3 firewall in name ETH3-FWD

## If you also want to drop traffic from eth3 towards the router itself:
set interfaces eth eth3 firewall local name ETH3-FWD

## Commit and save
commit
save

thanks… that’s answering the question

but… I found another possible solution… could I also disable forwarding on this interface?

set interfaces ethernet eth3 ip disable-forwarding

As it is a management port, it shouldn’t take part in forwarding packets.
Instead of kernel options, I’d just go for an ETH3_IN firewall ruleset, default blocking all traffic.
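
A fuller version of the ruleset the answers above describe, added here as an example and not taken from the thread: it keeps the drop-all "in" (forwarding) policy, and adds a separate "local" ruleset so that the management network can still reach the router itself for SSH and ping while every other local and forwarded packet from eth3 is dropped and logged. It uses the VyOS 1.2/1.3 configuration syntax of the thread and assumes the management network is 192.168.68.0/24 with the router at 192.168.68.1 (from the question) and that SSH is the only service the router should expose there (an assumption).

```vyos
# Added example (not from the thread); VyOS 1.2/1.3 configuration syntax,
# matching the "set interfaces ... firewall in name" style used above.
# Assumes the management network on eth3 is 192.168.68.0/24 and that SSH
# is the only service the router should expose there.
configure

# Forwarding (transit) traffic entering on eth3: drop everything, and log
# the drops so a misconfigured host on the management LAN is visible.
set firewall name ETH3-FWD default-action drop
set firewall name ETH3-FWD enable-default-log

# Traffic from eth3 addressed to the router itself. The ping to
# 12.145.11.64 in the question is this case: local delivery to one of the
# router's own addresses, not forwarding, so it is covered by "local",
# not by "in".
set firewall name ETH3-LOCAL default-action drop
set firewall name ETH3-LOCAL enable-default-log

# Replies to connections the router itself opened towards eth3
set firewall name ETH3-LOCAL rule 10 action accept
set firewall name ETH3-LOCAL rule 10 state established enable
set firewall name ETH3-LOCAL rule 10 state related enable

# SSH from the management subnet only, to the management address only
set firewall name ETH3-LOCAL rule 20 action accept
set firewall name ETH3-LOCAL rule 20 protocol tcp
set firewall name ETH3-LOCAL rule 20 source address 192.168.68.0/24
set firewall name ETH3-LOCAL rule 20 destination address 192.168.68.1
set firewall name ETH3-LOCAL rule 20 destination port 22

# Ping of the management address for reachability checks
set firewall name ETH3-LOCAL rule 30 action accept
set firewall name ETH3-LOCAL rule 30 protocol icmp
set firewall name ETH3-LOCAL rule 30 source address 192.168.68.0/24
set firewall name ETH3-LOCAL rule 30 destination address 192.168.68.1

set interfaces ethernet eth3 firewall in name ETH3-FWD
set interfaces ethernet eth3 firewall local name ETH3-LOCAL

commit
save
exit

# Verification from op mode: the drop counters on the default action should
# rise when a management host tries to reach anything beyond eth3 or one of
# the router's other addresses (e.g. the 12.145.11.64 ping from the question).
show firewall name ETH3-FWD statistics
show firewall name ETH3-LOCAL statistics
show log firewall name ETH3-LOCAL
```

With both rulesets attached, the earlier ping from 192.168.68.x to 12.145.11.64 is dropped by the "local" default action rather than the "in" one, which answers the question of whether it was routing: it was not. Pinning the destination address in rules 20 and 30 to 192.168.68.1 is what stops the router's other addresses being reachable from the management LAN; without it a "local" accept would apply to any address the router owns.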
