I have a problem with my filter in a new MikroTik. In MikroTik 2.8v I had a filter "chain=forward action=drop" that dropped all packets except those in the listed filters; in the new MikroTik 2.9v this rule doesn’t work.
So, if the rule is added, it does not count any packets?
What rules are before that one?
If you set it as the first rule, what happens then?
The problem is that the rule to drop anything else drops all the packets without considering the rules that I have; it drops all packets.
Post your rules and we will find the error.
[enea@MikroTik] ip firewall filter> print forward
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Established connections
chain=forward src-address=0.0.0.0 dst-address=0.0.0.0 protocol=tcp
tcp-flags=!syn connection-state=established action=accept
1 ;;; DNS
chain=forward dst-address=172.16.32.0/28 protocol=udp src-port=53
action=accept
2 ;;; Send SMTP nga Mail
chain=forward src-address=172.16.32.5 protocol=tcp dst-port=25
action=accept
3 ;;; SMTP only MailServer>
chain=forward src-address=172.16.32.0/22 protocol=tcp dst-port=25
action=drop
4 ;;; Serv
chain=forward src-address=172.16.32.0/29 action=accept
5 ;;; 1
chain=forward src-address=172.16.32.11 src-mac-address=00:0A:E4:F5:5D:58
action=accept
6 ;;; 2
chain=forward src-address=172.16.32.12 action=accept
7 ;;; 3
chain=forward src-address=172.16.32.18 protocol=tcp
tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr action=accept
8 ;;; SSL
chain=forward src-address=172.16.32.0/23 protocol=tcp dst-port=443
tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr action=accept
9 ;;; 4
10 ;;; HTTP
chain=forward src-address=172.16.33.0/24 protocol=tcp dst-port=80
action=accept
11 ;;; SMTP connection to Mail server from outside
chain=forward dst-address=172.16.32.5 protocol=tcp dst-port=25
action=accept
12 ;;; FTP connection
chain=forward dst-address=172.16.33.3 protocol=tcp src-port=1023-65535
dst-port=20-21 action=accept
13 ;;; FTP
chain=forward src-address=172.16.32.0/23 protocol=tcp
src-port=1023-65535 dst-port=20-21
tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr action=accept
14 chain=forward dst-address=172.16.32.0/23 protocol=tcp src-port=20-21
dst-port=1023-65535 action=accept
15 ;;; MSN Messenger
chain=forward src-address=172.16.32.0/23 protocol=tcp dst-port=1863
tcp-flags=syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr action=accept
16 ;;; World Client from outside
chain=forward dst-address=172.16.32.5 protocol=tcp dst-port=80
action=accept
17 chain=forward src-address=172.16.33.3 protocol=tcp src-port=20-21
dst-port=1023-65535 action=accept
18 ;;; ICMP
chain=forward src-address=172.16.32.0/23 protocol=icmp icmp-options=8:0
action=accept
19 chain=forward dst-address=172.16.32.0/23 protocol=icmp icmp-options=0:0
action=accept
20 ;;; Drop all that arrive here
chain=forward action=drop
This is my forward filter.
Can anybody help me with this case: why doesn’t my filter "chain=forward action=drop" work in MikroTik 2.9v?
And the counters for your rule #20 don’t increase and the traffic that should be dropped by that rule is actually getting through?
What version of RouterOS 2.9 is that?
Best regards,
Christian Meis
I have checked: at least in 2.9.39 that rule is working correctly.