Filter rules - Router and Customer Protection

amnesicus · March 25, 2012, 1:55am

	/ip firewall filter
	add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
	add chain=input connection-state=established action=accept comment="Allow Established connections"
	add chain=input protocol=icmp action=accept comment="Allow ICMP"
	add chain=input src-address=192.168.0.0/24 action=accept in-interface=!WAN
	add chain=input action=drop comment="Drop everything else"

	/ip firewall filter
	add chain=forward protocol=tcp connection-state=invalid action=drop comment="drop invalid connections"  
	add chain=forward connection-state=established action=accept comment="allow already established connections"  
	add chain=forward connection-state=related action=accept comment="allow related connections"

Into the rules related to connection state, shouldn’t it to be specified protocol=tcp in all of them, or doesn’t matter?

Salud!

tjc · March 25, 2012, 2:37am

Doesn’t matter, IIRC TCP is the default. From: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

protocol (name or protocol ID; Default: tcp)

Heck, in compact export mode it even leaves off the action on filter rules if it’s accept (which is also the default). That’s far more disconcerting to my eyes.

amnesicus · March 25, 2012, 3:08am

Ok, I understand. Thanks.

Salud!