Hi,
Is it possible to enable connection tracking only to input chain? I don’t like to be doing connection tracking to the forward chain.
Thanks,
TCC
Might not be the best way to do it, but you could try setting up a raw firewall rule to not track any connections headed to/from (prerouting/output) an address list containing router addresses. This doesn’t actually disable connection tracking for non-input traffic though. It just prevents it from happening.
/ip firewall raw
add action=notrack chain=prerouting dst-address-list=!router_addresses
add action=notrack chain=output src-address-list=!router_addresses
I’d say it is the best solution available, except that you cannot treat input and output chains separately - incoming responses to outgoing requests of the router itself are treated by chain input, so they would not be accepted by the accept established or related rule in input because the pass of the request through output would not create the tracked connection. So the notrack rule in output cannot be used.
Also, I’d replace dst-address-list=!router_addresses by dst-address-type=!local - it should take about the same CPU to provide the same effect but it’s “maintenance-free” when you change the own addresses of the router (and if some of these are assigned dynamically, the address-list has to be updated using scripts bound to the address assignment event).
Thanks,
it was solved by:
/ip firewall raw
add action=notrack chain=prerouting dst-address-type=!local
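Putting the thread's conclusion into a fuller picture, here is an added example (not any poster's own configuration) showing the raw notrack rule next to the input-chain rules that still depend on connection tracking, and why a notrack rule in raw/output would break them. The interface list name LAN is an assumption.

```routeros
# Added example: track only traffic addressed to the router itself.
# Packets whose destination is not a local address of the router (i.e. forwarded
# traffic) are marked notrack in raw/prerouting, so they never enter the
# connection tracking table.
/ip firewall raw
add chain=prerouting dst-address-type=!local action=notrack \
    comment="do not track forwarded traffic"

# Deliberately no notrack rule in raw/output: the router's own outgoing requests
# (DNS, NTP, package downloads, ...) must create conntrack entries, otherwise
# their replies arrive in chain input as "new" instead of "established" and
# are dropped by the final rule below.

# Input chain: only router-addressed packets get here, and all of them are tracked,
# so stateful matchers work as usual.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the router's own requests and existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=LAN action=accept \
    comment="management from LAN (interface list LAN is an assumption)"
add chain=input action=drop comment="everything else addressed to the router"

# Forward chain: packets here carry connection-state=untracked, so
# established/related rules cannot match them; use stateless matchers only.
add chain=forward connection-state=untracked action=accept \
    comment="stateless forwarding, adjust to local policy"
```

Because forwarded packets are untracked, NAT and any connection-state based forward rules will not apply to them; this is the trade-off the thread accepts in exchange for skipping conntrack on transit traffic.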