Firewall filter processes next rules after "Accept"

Hi Folks !


I am encountering unexpected behaviour with the latest 6.0 & 6.1 RouterOS, which is that rule processing continues even after a matching Accept rule.

My setup first consists of a jump filtered by a /24 src net. The target chain contains various accept rules such as ICMP protocol, dst port 80, etc., followed by a return. After another jump filtered by another src net, there is a reject rule.

If, for example, I issue ping packets from some src net host, I can see the chain's ICMP rule's counters incrementing, but the last blocking rule's as well, and the packets are rejected.

Could some nice person here help me make the rule processing stop after a matching accept?

Kind regards,

La Luciole
(attachment: Firewal_Filter_Rules.png)

You need to set up a logging rule just above the deny rule, so you can see EXACTLY what is being denied.

You will probably find that the traffic going to the deny rule is different from what is being accepted.

Compare those logs to your accept rules.
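As an added illustration (not part of the original thread, and not RouterOS code), the following Python model evaluates a rule set shaped like the one described in the first post: a jump to a per-source chain holding accept rules and a return, a second jump, then a reject. It applies the chain semantics RouterOS documents for these actions: accept and reject end processing for that packet even inside a jumped-to chain, return resumes in the calling chain right after the jump, and a log rule records the packet and continues. The networks, chain names, rules and sample packets are constructed. A log rule placed directly above the reject, as the reply above suggests, shows exactly which packets reach it, and the per-rule hit counters mirror the counters in the firewall filter list.

```python
"""Toy model of RouterOS / netfilter filter-chain evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    proto: str                      # "icmp", "tcp" or "udp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    action: str                     # accept | reject | drop | jump | return | log
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    target: Optional[str] = None    # chain entered by a jump
    log_prefix: str = ""
    hits: int = 0                   # mirrors the rule counter shown in the UI

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class Firewall:
    TERMINAL = {"accept", "reject", "drop"}

    def __init__(self, chains: dict):
        self.chains = chains        # {"forward": [Rule, ...], "from_lan": [...]}
        self.log: list = []

    def _walk(self, pkt: Packet, chain: str) -> Optional[str]:
        """Return a final verdict, or None when the chain ends / returns to its caller."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.hits += 1
            if rule.action in self.TERMINAL:
                return rule.action          # final, even when reached via a jump
            if rule.action == "return":
                return None                 # back to the rule after the jump
            if rule.action == "log":
                self.log.append(f"{rule.log_prefix} {pkt.proto} {pkt.src} dst-port={pkt.dst_port}")
                continue                    # log is non-terminal
            if rule.action == "jump":
                verdict = self._walk(pkt, rule.target)
                if verdict is not None:
                    return verdict
                continue                    # sub-chain returned: carry on after the jump
        return None

    def verdict(self, pkt: Packet) -> str:
        # Built-in chains have an implicit accept when no rule decides the packet.
        return self._walk(pkt, "forward") or "accept"


def build_firewall() -> Firewall:
    """Rule set modelled on the setup in the first post (constructed addresses)."""
    return Firewall({
        "forward": [
            Rule("jump", src_net="192.0.2.0/24", target="from_lan"),
            Rule("jump", src_net="198.51.100.0/24", target="from_guest"),
            Rule("log", log_prefix="PRE-REJECT"),   # the diagnostic rule the reply suggests
            Rule("reject"),
        ],
        "from_lan": [Rule("accept", proto="icmp"), Rule("accept", proto="tcp", dst_port=80), Rule("return")],
        "from_guest": [Rule("accept", proto="tcp", dst_port=443), Rule("return")],
    })


def run_scenario() -> dict:
    fw = build_firewall()
    verdicts = {
        "lan_ping": fw.verdict(Packet("192.0.2.10", "icmp")),
        "lan_ssh": fw.verdict(Packet("192.0.2.10", "tcp", 22)),
        "guest_https": fw.verdict(Packet("198.51.100.7", "tcp", 443)),
        "other_http": fw.verdict(Packet("203.0.113.5", "tcp", 80)),
    }
    reject_rule = fw.chains["forward"][3]
    return {"verdicts": verdicts, "log": fw.log, "reject_hits": reject_rule.hits}


if __name__ == "__main__":
    result = run_scenario()
    print(result["verdicts"])
    for line in result["log"]:
        print(line)
```

Running it shows that the LAN ping is accepted inside from_lan and never reaches the reject, while the LAN SSH packet and the packet from an unlisted network fall out of their chains, hit the log rule, and are rejected. If the real router's reject counter climbs during a ping test, the log line just above it identifies the packets actually reaching that rule so they can be compared against the accept rules.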

I am not that into custom chains, but does the return rule have something to do with your experiences?