Basic Firewall Question(s)

Hi guys. Just a quick few questions.

  1. Does the firewall block everything by default?
  2. If a rule is not created, what happens when that traffic comes in and is not matched?
  3. Is there any reason to add the following two rules?
    add chain=forward connection-state=established comment="allow established connections"
    add chain=forward connection-state=related comment="allow related connections"

Thank you.

How did you create your firewall? Quickfig? Manually? Perhaps you should upload the output from /IP Firewall as it stands.

The “firewall” is created by the application of a certain set of basic packet filters, state-aware packet filters and connection tracking to the router. Many MikroTik products ship without any of those present, so what your particular firewall does depends on the settings you have created.

I have the following

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   chain=input action=drop protocol=tcp dst-port=22 

 2   ;;; default configuration
     chain=input action=accept connection-state=established 

 3   ;;; default configuration
     chain=input action=accept connection-state=related 

 4   chain=input action=accept protocol=tcp dst-port=80 

 5   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway 

 6   chain=forward action=accept connection-state=new src-address=192.168.2.0/24 

 7   chain=input action=accept protocol=igmp 

 8   ;;; allow established connections
     chain=forward action=accept connection-state=established 

 9   ;;; allow related connections
     chain=forward action=accept connection-state=related 

10   ;;; drop invalid connections
     chain=forward action=drop connection-state=invalid

nat

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gatew

 1   chain=dstnat action=dst-nat to-addresses=192.168.2.60 to-ports=25 protocol=tcp

 2   chain=dstnat action=dst-nat to-addresses=192.168.2.60 protocol=tcp in-interfac

 3   chain=dstnat action=dst-nat to-addresses=192.168.2.60 protocol=tcp in-interfac

 4   chain=dstnat action=dst-nat to-addresses=192.168.2.30 protocol=tcp in-interfac

What I’m really asking though is what happens to traffic that doesn’t match these rules? Is it dropped by default?

No - traffic which doesn’t match the rules continues on down and is implicitly accepted, which is why you must have a drop all (remaining) at the end of the relevant chain.
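
The behaviour described in the last reply, as an added example that is not part of the original thread: a small Python model of first-match evaluation over the forward-chain rules from the posted print-out, with and without a final drop rule. Only the four rules come from the post; the sample packets, the helper names and the appended catch-all are constructed for illustration.

```python
import ipaddress

# Forward-chain rules transcribed from the posted print-out (rules 6, 8, 9, 10).
FORWARD = [
    {"action": "accept", "connection-state": "new", "src-address": "192.168.2.0/24"},
    {"action": "accept", "connection-state": "established"},
    {"action": "accept", "connection-state": "related"},
    {"action": "drop", "connection-state": "invalid"},
]
DROP_ALL = {"action": "drop"}  # assumed catch-all with no matchers, placed last

# Constructed sample packets (203.0.113.7 is a documentation address).
LAN_NEW = {"src-address": "192.168.2.10", "connection-state": "new"}
WAN_NEW = {"src-address": "203.0.113.7", "connection-state": "new"}

def matches(rule, pkt):
    """A rule matches when every matcher it carries agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src-address":
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt):
    """Return (action, list index of the deciding rule); first match wins."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule["action"], index
    return "accept", None  # nothing matched: the packet is implicitly accepted

def has_final_drop(chain):
    """True when the chain ends in an unconditional drop."""
    return bool(chain) and chain[-1] == DROP_ALL

if __name__ == "__main__":
    for name, chain in (("as posted", FORWARD), ("with drop-all", FORWARD + [DROP_ALL])):
        print(name, "final drop:", has_final_drop(chain))
        for label, pkt in (("LAN new", LAN_NEW), ("WAN new", WAN_NEW)):
            print("  ", label, "->", verdict(chain, pkt))
```

Once the catch-all is in place, new inbound connections for the dst-nat port forwards shown under nat also cross the forward chain and need their own accept rule ahead of it.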