Filtering invalid TCP packets

I would like to make a MikroTik router reset every TCP connection that has been initiated without its awareness (e.g. by injecting the initial SYN packet via another router).
I wanted to create filter rules that will:

  • Create a resettcp chain that will answer with a TCP reset to all TCP packets with flags RST=off and drop all TCP packets with flags RST=on (otherwise two routers configured this way may “play ping-pong” with RST packets for a long time)
  • Jump to the resettcp chain for any TCP packet considered invalid by connection tracking
  • Jump to the resettcp chain for any TCP packet that connection tracking considers to be initiating a new connection, but that does not have flags SYN=on, FIN=off, RST=off, PSH=off, ACK=off, URG=off


/ip firewall filter
add action=reject chain=resettcp disabled=no protocol=tcp reject-with=tcp-reset tcp-flags=!rst
add action=drop chain=resettcp disabled=no
add action=jump chain=input connection-state=invalid disabled=no jump-target=resettcp
add action=jump chain=input connection-state=new disabled=no jump-target=resettcp protocol=tcp tcp-flags=!,syn,!fin,!rst,!psh,!ack,!urg

Are these filter rules created correctly?
What do you think about this idea from a networking point of view? Can there be situations where legitimate TCP connection initiation packets have more than only the SYN flag set? Can you imagine any drawbacks of this method? I know that these rules will break triangle routing and also reset all connections on router restart. I have also heard that Windows machines do something similar (respond with a reset to invalid TCP packets).
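The following is an added model of the rule logic described in the post, written in Python to check how two routers carrying these rules interact; it is not RouterOS code, does not come from the poster, and does not talk to a router. It assumes the simplified behaviour of Linux nf_conntrack with nf_conntrack_tcp_loose=1 for packets that have no existing conntrack entry (a bare ACK is picked up as "new"; SYN/ACK, FIN and RST without an entry are "invalid"), which is the kernel conntrack that RouterOS builds on. The flag names follow the RouterOS tcp-flags matcher. The simulation shows two things a practitioner would want to verify before deploying the rules: that the drop rule for RST=on is what terminates the RST ping-pong between two identically configured routers, and that an ECN-capable SYN (SYN with ECE and CWR set, per RFC 3168) still passes the "SYN only" test as written, because the rule does not constrain the ECE and CWR bits.

```python
"""Model of the posted resettcp/input rules (added illustration, not RouterOS code)."""

# Flag names follow the RouterOS tcp-flags matcher (syn, fin, rst, psh, ack, urg, ece, cwr).
# These are the flags the posted connection-state=new rule constrains; ece/cwr are left free.
CONSTRAINED = {"syn", "fin", "rst", "psh", "ack", "urg"}


def conntrack_state(flags):
    """Simplified Linux nf_conntrack verdict for a TCP packet with NO existing entry.

    Assumption: nf_conntrack_tcp_loose=1, so a mid-stream bare ACK is picked up
    as 'new', while SYN/ACK, FIN and RST without an entry are 'invalid'.
    """
    f = set(flags)
    if "rst" in f or "fin" in f or ("syn" in f and "ack" in f):
        return "invalid"
    return "new"


def resettcp(flags, drop_rst=True):
    """The resettcp chain: reject-with tcp-reset when RST is off, otherwise drop.

    drop_rst=False replaces the final drop with another reject, to show why the drop matters.
    """
    if "rst" not in flags:
        return "reject-tcp-reset"
    return "drop" if drop_rst else "reject-tcp-reset"


def input_chain(conn_state, flags, drop_rst=True):
    """The two jump rules from the input chain, evaluated in order.

    Returns the verdict of the resettcp chain, or 'continue' when neither rule matched
    (i.e. the packet falls through to whatever rules follow in the real firewall).
    """
    if conn_state == "invalid":
        return resettcp(flags, drop_rst)
    # "SYN only" in the sense of the posted rule: SYN on, the other five classic flags off.
    syn_only = "syn" in flags and not (set(flags) & (CONSTRAINED - {"syn"}))
    if conn_state == "new" and not syn_only:
        return resettcp(flags, drop_rst)
    return "continue"


def simulate_exchange(first_flags, drop_rst=True, max_packets=20):
    """Inject one packet neither router has a conntrack entry for, and count the packets
    exchanged between two identically configured routers before one side stops replying.

    Each reject produces a RST that becomes the next packet seen by the other router.
    """
    flags = frozenset(first_flags)
    packets = 0
    while packets < max_packets:
        packets += 1
        verdict = input_chain(conntrack_state(flags), flags, drop_rst)
        if verdict != "reject-tcp-reset":
            break
        flags = frozenset({"rst"})  # the RST reply is what the peer router now receives
    return packets


if __name__ == "__main__":
    # Constructed inputs: a stray mid-stream ACK and an ECN-capable SYN.
    print("stray ACK, with drop rule:   ", simulate_exchange({"ack"}), "packets")
    print("stray ACK, without drop rule:", simulate_exchange({"ack"}, drop_rst=False), "packets (capped)")
    print("ECN SYN verdict:", input_chain("new", frozenset({"syn", "ece", "cwr"})))
```

With the drop rule in place the exchange stops after two packets (the stray ACK and the single RST it provokes); with the drop replaced by a reject, both routers keep answering each other's RST with another RST until the simulation's cap is hit. The ECN SYN case falls through the rules unchanged, so the posted flag list does not reject that legitimate initiation packet.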