[ASK] about firewall

Dear all,

I have been using MikroTik, but I am still confused about firewall configuration.
like in

/ip firewall

, there are:

- MANGLE
- FILTER
- NAT

When will I use mangle, filter and NAT?

What is the predecessor for:

  • MANGLE
  • FILTER
  • NAT

For example, if I create a FILTER chain, should I configure MANGLE first?
If not, what is mandatory for FILTER that depends on MANGLE?

thanks for your help

Try to read the packet flow diagram.
Picture says more than 1000 words.

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Thanks patrikg, I will learn about it. But can you help me with a simple flow, because when I see the picture in packet flow, there are so many steps. Let me know a simple flow.

thanks

Greg has good videos.

http://gregsowell.com/?page_id=951

I tried

/ip firewall filter

I have 2 scenarios:
Scenario 1

chain=forward action=reject reject-with=icmp-admin-prohibited protocol=icmp

The result is:

  • I ping google.com and it showed me:
    Destination net unreachable
  • but I can ping my router IP

Scenario 2
I disabled scenario 1 and then enabled this one

chain=output action=reject reject-with=icmp-admin-prohibited protocol=icmp

I ping to:

  • ping google.com and it returns a reply
  • ping my router IP and it showed: Destination net unreachable

So, why, when I used scenario 2, does google still return a reply? I think google and my router will return unreachable.

thanks

Have you seen this?

http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router

Filter is to filter traffic (your firewall functions)
NAT is for Network Address Translation
Mangle is to mark packets/connections/etc for internal use with the router, and change some other possible fields. (QoS, policy based routing, etc.)

Input is for traffic specifically destined for the router itself. I.E. a service that the router will serve (ssh interface, web interface, etc.).
Forward is for traffic that is going through the router. I.E. traffic leaving a client going to google.com and google.com’s response to the client.
Output is for traffic generated by the router itself. A response to a ping or BGP updates.

Thanks bro..

Ok… I see…

Anybody, please post here about a simple firewall

thanks

The easiest, most powerful firewall is to turn off the device.

As all of us, we need to learn the hard way.

:smiley:

:smiley: yeah.. I want to know the concept first, then try and try to implement.

The most basic firewall that will cover around 95% of situations is this:

/ip firewall filter
add action=accept chain=forward comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=forward comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=forward disabled=no in-interface="<LAN Interface>" out-interface="<WAN Interface>" comment="Allow internet connections from LAN"
add action=drop chain=forward disabled=no comment="Drop everything else"
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=accept chain=input disabled=no in-interface="<LAN Interface>" comment="Allow connections to router from LAN"
add action=drop chain=input disabled=no comment="Drop Everything else"

Basically this will allow outbound connections from the LAN, and connections to the router from the LAN interface. It will drop everything else. If you want to allow more forwards or input options, put in the needed accept rules above the “drop everything else” rules on the appropriate chain.
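Added example, not code from the thread or from MikroTik: a small Python model of how RouterOS chooses the input, output or forward chain for a packet and walks a rule list top to bottom, applied both to the two ping scenarios earlier in the thread and to the rule set above. The router addresses, the interface names (LAN=ether2, WAN=ether1) and the sample packets are constructed, and the connection-tracking state is supplied with each packet rather than derived.

```python
# Added example (not from the thread): model of RouterOS chain selection and
# first-match rule evaluation. Addresses, interfaces and packets are constructed.
ROUTER_ADDRS = {"192.168.88.1", "203.0.113.2"}   # router's LAN and WAN addresses (assumed)

def chain_for(pkt):
    """input = destined to the router, output = generated by the router, forward = passing through."""
    if pkt["dst"] in ROUTER_ADDRS:
        return "input"
    if pkt["src"] in ROUTER_ADDRS:
        return "output"
    return "forward"

def verdict(rules, pkt):
    """First rule in the packet's chain whose matchers all agree wins; no match means accept."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if all(pkt.get(k) == v for k, v in rule.items() if k not in ("chain", "action")):
            return rule["action"]
    return "accept"

def pkt(src, dst, state="new", proto="icmp", in_if=None, out_if=None):
    # Connection-tracking state is given here; a real router derives it from the connection table.
    return {"src": src, "dst": dst, "connection-state": state, "protocol": proto,
            "in-interface": in_if, "out-interface": out_if}

# Scenario 1 and scenario 2 from the thread (reject on forward vs. reject on output).
SCENARIO1 = [{"chain": "forward", "protocol": "icmp", "action": "reject"}]
SCENARIO2 = [{"chain": "output", "protocol": "icmp", "action": "reject"}]
# The "basic firewall" above as rule dicts, with LAN=ether2 and WAN=ether1 assumed.
BASIC = [
    {"chain": "forward", "connection-state": "established", "action": "accept"},
    {"chain": "forward", "connection-state": "related", "action": "accept"},
    {"chain": "forward", "connection-state": "invalid", "action": "drop"},
    {"chain": "forward", "in-interface": "ether2", "out-interface": "ether1", "action": "accept"},
    {"chain": "forward", "action": "drop"},
    {"chain": "input", "connection-state": "established", "action": "accept"},
    {"chain": "input", "connection-state": "related", "action": "accept"},
    {"chain": "input", "connection-state": "invalid", "action": "drop"},
    {"chain": "input", "in-interface": "ether2", "action": "accept"},
    {"chain": "input", "action": "drop"},
]
# Constructed packets: a LAN host pinging google, pinging the router, the router's echo reply,
# and unsolicited connections arriving from the WAN side.
LAN_TO_GOOGLE = pkt("192.168.88.10", "8.8.8.8", in_if="ether2", out_if="ether1")
LAN_TO_ROUTER = pkt("192.168.88.10", "192.168.88.1", in_if="ether2")
ROUTER_REPLY = pkt("192.168.88.1", "192.168.88.10", state="established", out_if="ether2")
WAN_TO_LAN = pkt("198.51.100.5", "192.168.88.10", proto="tcp", in_if="ether1", out_if="ether2")
WAN_TO_ROUTER = pkt("198.51.100.5", "203.0.113.2", proto="tcp", in_if="ether1")
```

Running verdict(SCENARIO2, ...) on the three ping packets shows the thread's observation: the LAN host's echo request to google traverses forward and is untouched by an output rule, while the router's own echo reply to the LAN host traverses output and is rejected.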

Many Thanks to you…

Can you explain to me line 3 of your script above

add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=no

When will I use connection-state=INVALID?
I checked in

/ip firewall connection pr

but I can't find state=INVALID, only established, syn-sent, etc. on my router.

Can you explain the case for it? Under what condition can the invalid state occur?

thanks