Firewall chains - default policy action?

The documentation at http://www.mikrotik.com/documentation/manual_2.5/IP/Firewall.html#ip_firewall_flow states that

If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.

I have searched through the configuration and cannot find any reference stating what the default policy actions are anywhere. However, after testing, the following seems to apply:

Chains ‘input’, ‘output’, ‘forward’ → default action ‘accept’
Any other chain → default action ‘return’

Can somebody confirm that this is true?

Many thanks,

Nick.

NAB -

That’s pretty much it in a nutshell…

I am sure Normis, Janisk or one of the others will jump in and confirm this as well.

R/

Thom

I've been searching for this as well.

I'd like to be able to change the default policy. On Linux you can change the default policy for each chain like:

Set Default Policy DROP

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

When using the MikroTiks as routers I usually want them as they are now, default accept, but when using them as firewalls it would make more sense to change the default policy to DROP. Sure, I can accomplish the same thing with a drop rule at the end of each chain; it would just minimize the risk of accidentally removing or moving that last rule if it were an invisible default policy.

It also makes admins "feel" more secure to have a device that by default drops everything instead of having to explicitly add a DROP rule to accomplish it.

The page I linked above says “You can change the chain policies by using the /ip firewall set command.”, but this appears to have been deprecated - I certainly can’t do that under 3v20.

I too would like to be able to set the default policy to ‘drop’ (if not on all the chains, definitely on ‘forward’), but some thought would have to go into ensuring that people don’t lock themselves out!

Nick.

Add this rule at the bottom of all chains, but before doing it make sure you have set rules allowing you to connect to the router.

/ip firewall filter add chain= action=drop

Sadly this doesn’t work when the chain has dynamically added rules: as the dynamic rules are added and removed, the ‘action=drop’ rule moves towards the top of the chain and the following rules are therefore ignored.

Nick.

The default action of the default firewall chains (forward, input, output) is to accept the packet.

Dynamic rules should be inserted into the top position (0) of the list; therefore, the last rule will always be the last one, so adding /ip firewall filter chain=<input|forward|output> action=drop will change the behaviour.

If you jump to a custom chain, then the default is to return to the parent chain.

If by chance it is not so (the dynamic rule is not added in the top position where it should be), you can, for example in hotspot, point to which chain these rules are added and then just jump to your custom rules from one of the default chains; as a result, you won't have any dynamic firewall rules at all.

Yes, sure, but we were asking about how to change the DEFAULT policy. Of course this can be emulated by adding a drop rule, but according to the documentation it was possible to change the default policy of each chain in the 2.5 series of RouterOS. Why has this feature been removed?

As stated previously, there are occasions when it makes more sense to have the default policy set to DROP instead of using normal filter rules to drop the traffic.

It is not possible to change the default policy of the firewall rules. The default policy is accept. The only way to change it is to add a drop rule to the end of the chain.

Are there any plans to make it possible to change the default policy ?

Nick.

As far as I know, there are not; you may easily add action=drop at the end of the firewall rules, and that “will” change the default firewall chain action from accept to drop.

I use these rules and it's working perfectly.

/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp src-address=192.168.100.0/24
add action=accept chain=forward comment="Dns " disabled=no dst-port=53 protocol=udp src-address=20.20.20.100
add action=accept chain=forward comment="Internet Users" disabled=no dst-port=80,443 protocol=tcp src-address=20.20.20.100
add action=accept chain=forward comment="To webserver" disabled=no protocol=tcp src-address=20.20.20.100 src-port=80
add action=accept chain=forward disabled=no dst-address=20.20.20.0/24
add action=log chain=input disabled=yes log-prefix=123
add action=drop chain=forward comment="drop all" disabled=no
add action=drop chain=input disabled=no
add action=accept chain=output disabled=no

In my case with 6.43.2, dynamic rules from the user profile (incoming and outgoing filter) are placed by the router at the bottom, after the drop rule, so just by sight I think those dynamic rules were never going to be hit because the preceding drop is global.

Anyway, in my case I'm testing the usage of “Address List” instead, so I can place static rules matching the address list before the drop rule (even if the address list initially doesn't exist because there is no one logged in).

And it seems to work quite nicely: hotspot adds and removes the client IP to the address list as soon as the user is active in hotspot or has gone.
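The chain semantics discussed in this thread (built-in chains default to accept, custom chains return to their caller, a trailing drop rule as the emulated default policy, dynamic rules landing at position 0 versus after the drop, and the address-list workaround from the last post) as a toy simulator. This is an added, constructed example and not RouterOS code; the addresses, the "lan-rules" chain and the "jump:" action encoding are assumptions.

```python
import ipaddress

BUILTIN = {"input", "output", "forward"}   # default policy of these chains: accept
ANY = lambda p: True                       # matcher that hits every packet

def src_in(cidr):
    """Matcher for packets whose source address lies in cidr."""
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(p["src"]) in net

def walk(chains, chain, pkt):
    """First matching rule wins. None means nothing matched: a built-in chain
    then accepts, a custom chain returns to the chain that jumped to it."""
    for match, action in chains.get(chain, []):
        if not match(pkt):
            continue
        if action in ("accept", "drop"):
            return action
        if action.startswith("jump:"):            # descend into a custom chain
            v = walk(chains, action[5:], pkt)
            if v is not None:
                return v                          # the custom chain decided
            # v is None: the custom chain 'returned'; keep scanning this chain
    return None

def verdict(chains, chain, pkt):
    v = walk(chains, chain, pkt)
    return v if v is not None else "accept"       # implicit accept on a built-in chain

def forward_chain():
    # Static forward chain modelled on the thread: allow the LAN, then "drop all".
    return [(src_in("20.20.20.0/24"), "accept"), (ANY, "drop")]

def hotspot_client(position):
    """Dynamic accept rule for a hotspot client outside the static allow list.
    position 0 models RouterOS inserting dynamic rules at the top; anything
    else models them landing after the trailing drop (the 6.43.2 observation)."""
    chains = {"forward": forward_chain()}
    dyn = (src_in("10.5.50.7/32"), "accept")      # constructed client address
    chains["forward"].insert(0 if position == 0 else len(chains["forward"]), dyn)
    return verdict(chains, "forward", {"src": "10.5.50.7"})

def address_list_variant(logged_in):
    """Static rule that matches an address list, placed before the drop rule;
    only the list contents change as clients log in and out."""
    active = {"10.5.50.7"} if logged_in else set()
    chains = {"forward": [(lambda p: p["src"] in active, "accept")] + forward_chain()}
    return verdict(chains, "forward", {"src": "10.5.50.7"})

def custom_chain_returns():
    """A custom chain with no matching rule returns, so the drop in forward still applies."""
    chains = {"forward": [(ANY, "jump:lan-rules"), (ANY, "drop")],
              "lan-rules": [(src_in("192.168.100.0/24"), "accept")]}
    return verdict(chains, "forward", {"src": "10.5.50.7"})
```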
