frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Drop invalid FW forward

Fri Feb 09, 2024 1:52 pm

I keep getting these kinds of alerts, how can I fix it?
forward.png
firewall.rsc
Last edited by frank333 on Fri Feb 09, 2024 2:06 pm, edited 1 time in total.
 
baragoon
Member
Posts: 310
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Drop invalid FW forward

Fri Feb 09, 2024 1:56 pm

Disable logging for this firewall rule.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Fri Feb 09, 2024 2:05 pm

:D OK, but if they are reported it means that something is not working in the firewall. What could it be?
 
baragoon
Member
Posts: 310
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: Drop invalid FW forward

Fri Feb 09, 2024 2:22 pm

It's reported because logging for the drop rule is enabled.
If you disable logging, this rule will continue to drop but will stop spamming your log.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Fri Feb 09, 2024 2:49 pm

OK, but the forward traffic is the traffic generated between the two interfaces, so I think something in my internal network is trying to open a port on the router to communicate directly to the outside and is being blocked.
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Drop invalid FW forward

Fri Feb 09, 2024 2:51 pm

Interestingly... there is no drop filter rule on the forward chain that logs...
Ports 80 and 443 seem to be standard web browsing?
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Fri Feb 09, 2024 3:09 pm

Schermata del 2024-02-09 14.00.28.jpg
@erlinden,
The rule set seems complete to me. What should I enter?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Drop invalid FW forward

Fri Feb 09, 2024 3:44 pm

nm.....
Last edited by Mesquite on Fri Feb 09, 2024 3:48 pm, edited 1 time in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Drop invalid FW forward

Fri Feb 09, 2024 3:47 pm

My advice is to get rid of all your RAW chain rules for starters.
Also get rid of the mangle TTL rule; it's just too weird, at least while troubleshooting your issue.

Modify the input chain and forward chain like so. This is the same as your current rules in that we allow LAN to WAN traffic and then drop everything else.
In between we use a rule to capture any issues. Enable it, view the logs, and then disable it, as one doesn't need to log all the crap all the time.

add action=accept chain=input in-interface-list=LAN comment="Allow LAN to router services"
# optional: useful, but only if interested in tracking LAN issues
add action=reject chain=input in-interface-list=LAN reject-with=icmp-admin-prohibited log=yes log-prefix="bad apples"
add action=drop chain=input comment="drop all else"

add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# disable the next rule if port forwarding is not required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# optional: useful for tracking LAN issues
add action=reject chain=forward in-interface-list=LAN reject-with=icmp-admin-prohibited log=yes log-prefix="bad apples"
add action=drop chain=forward comment="drop all else"
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Fri Feb 09, 2024 4:41 pm

OK, tonight I will try, and then I will report back if I still have problems.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Drop invalid FW forward

Fri Feb 09, 2024 5:17 pm

A comment on logged items: when either client or server decides to finish a TCP connection, it'll send a packet with flags ACK and FIN to the other party. The other party will respond with FIN ACK as well. And either party might re-send FIN ACK (to make sure that the other party "gets it").

Now, a stateful firewall tracks these flags and as soon as it deems the connection finished (seeing FIN from both ends) it marks the connection as closed (in its connection tracking table) and removes it from the table shortly after. As soon as the connection is purged from the connection tracking table, any packet belonging to the dying connection is deemed invalid ... and dropped if an appropriate rule exists. And that's what you're seeing. Hence the recommendation not to log those drops, as they are benign.
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: Drop invalid FW forward

Fri Feb 09, 2024 5:38 pm

It is a known problem in Linux connection tracking that has been there for years but has never been fixed.
As recommended, do not log invalid packets. Or make another rule above it which drops invalid packets with TCP protocol and TCP flag FIN or RST and does not log these, and then keep this rule with logging.
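An added example (not from any poster in this thread) that sorts "drop invalid FW" log lines into the late FIN/RST teardown case mkx describes versus invalid drops worth a second look, so you can keep the logging rule without staring at benign noise. The thread's real log is only in a screenshot, so the lines below are constructed in the RouterOS firewall log layout with made-up hosts and MACs.

```python
import re
from collections import Counter

# Constructed sample lines in the RouterOS firewall log layout; the prefix
# matches the thread's logging rule "drop invalid FW". Not the real log.
SAMPLE_LOG = """\
firewall,info drop invalid FW forward: in:bridge out:ether1, connection-state:invalid src-mac aa:bb:cc:dd:ee:01, proto TCP (ACK,FIN), 192.168.88.10:51234->93.184.216.34:443, len 52
firewall,info drop invalid FW forward: in:ether1 out:bridge, connection-state:invalid src-mac aa:bb:cc:dd:ee:02, proto TCP (RST), 93.184.216.34:80->192.168.88.10:49001, len 40
firewall,info drop invalid FW forward: in:bridge out:ether1, connection-state:invalid src-mac aa:bb:cc:dd:ee:03, proto TCP (ACK), 192.168.88.23:40000->203.0.113.5:8080, len 60
firewall,info drop invalid FW forward: in:bridge out:ether1, connection-state:invalid src-mac aa:bb:cc:dd:ee:03, proto UDP, 192.168.88.23:5353->203.0.113.5:53, len 80
"""

LINE_RE = re.compile(
    r"drop invalid FW forward: in:(?P<in>\S+) out:(?P<out>\S+),.*?"
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(line):
    """Return (verdict, src, 'dst:dport') for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = set((m["flags"] or "").split(",")) - {""}
    if m["proto"] == "TCP" and flags & {"FIN", "RST"}:
        # Teardown packets arriving after conntrack purged the entry: benign,
        # exactly what the unlogged FIN/RST drop rule is meant to absorb.
        verdict = "benign-teardown"
    else:
        # Anything else marked invalid (mid-stream ACK with no state, UDP
        # with no entry, ...) deserves a look at the originating host.
        verdict = "review"
    return verdict, m["src"], f'{m["dst"]}:{m["dport"]}'


def summarize(log_text):
    """Count verdicts and which source hosts produce the lines worth reviewing."""
    verdicts, review_sources = Counter(), Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        verdict, src, _ = result
        verdicts[verdict] += 1
        if verdict == "review":
            review_sources[src] += 1
    return {"verdicts": dict(verdicts), "review_sources": dict(review_sources)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the output of `/log print where topics~"firewall"` (or the exported log file) and the `review_sources` map points at the LAN hosts that produce something other than teardown leftovers.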
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Fri Feb 09, 2024 7:22 pm

OK, now everything is clearer to me. Thanks @mkx and @pe1chl.
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Sat Feb 10, 2024 2:31 pm

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop forward TCP fin rst" \
    connection-state=invalid protocol=tcp tcp-flags=fin,rst
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="drop invalid FW"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
firewall.jpeg
P.S. How do you move the position of a firewall rule with Webfig? I had to use WinBox.
👍💪
 
pe1chl
Forum Guru
Posts: 10248
Joined: Mon Jun 08, 2015 12:09 pm

Re: Drop invalid FW forward

Sat Feb 10, 2024 3:44 pm

Just drag the line up or down using the mouse...
 
frank333
Member
Topic Author
Posts: 330
Joined: Mon Dec 18, 2017 12:17 pm
Location: S.Marino
Router model: RB3011UiAS-RM+RBM11G

Re: Drop invalid FW forward

Sun Feb 11, 2024 9:28 am

:) For me, it no longer works using Firefox, Chromium and ROS 7.12.1.
