Hi all,
can you explain the downside of disabling this standard rule?
I did not get it.
Imagine I disable this rule
and there are no NAT rules (in the NAT tab).
Now hackers' traffic can reach the internal network?
Regards

I mean, in order to reach the internal network we need to create a NAT rule, correct?
Without it, traffic cannot reach the desired service.
That's why I'm curious about the purpose of this rule:
"defconf: drop all from WAN not DSTNATed"
Sure, if the counter does not increase, this rule does nothing. But you never know. I would leave it as is, just in case.
It means NOTHING, without context of all other rules and the config.
As Anav said, hard to tell without context, but remember that in RouterOS, any packet that gets to the end of whatever chain it is going through (usually input or forward) is accepted. So you really need a drop-everything rule at the end of each chain. The rule you pointed out sort of accomplishes that, but I prefer to accept what I want and end with a drop-everything rule in each chain.
OK, imagine that we accept a packet in a forward rule from WAN,
but there is no NAT rule for this packet.
How will the router behave?
If there is no corresponding dstnat rule, the traffic will not get forwarded to the LAN side.
Thanks.
That's why I'm wondering about the purpose of this rule:
"block all that is not dstnated"
For me it sounds like "overfirewalling", because we already know that if there is no rule in NAT to forward traffic, it will not be forwarded,
so there is no reason to block it; it already has no destination.
Hope it makes sense.
When some packet arrives at the WAN port, it'll either
- be targeting the router's WAN IP address and will be handled by DST NAT (because a matching DST NAT rule exists). This most often means that the packet is routed further (e.g. via a LAN port) and is thus handled by chain=forward of the firewall;
- be again targeting the router's WAN IP address and won't be handled by DST NAT because there's no matching DST NAT rule. It'll then be handled by chain=input of the firewall;
- or will target a different IP address. The router will, by definition, try to route that packet according to routing information, and it will thus be handled by chain=forward of the firewall, but it may skip DST NAT if the NAT rule is matched against dst-address (and not in-interface as per the ROS default). If the destination IP address belongs to one of the LAN subnets, then it'll pass ... unless there's a firewall rule blocking it. And that's the intent of the rule you mentioned.
Whether that rule is "overfirewalling" or not depends on the rest of the rules, but in a completely default config that rule is vital in defence against "twisted" attacks.
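To make the three cases above concrete, here is an added RouterOS configuration fragment (not from the original thread or from MikroTik's exported defaults verbatim) that shows the default-style drop rule next to a dstnat rule; the web server address 192.168.88.10 and the WAN interface list name are assumed for illustration:

```routeros
# Assumed: an interface list named WAN exists and contains the uplink port.
# dstnat rule matched on in-interface-list (the ROS default style), so it only
# applies to packets that actually arrived on WAN and are aimed at the router's WAN IP.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 \
    comment="example: port-forward HTTPS to internal web server (assumed address)"

/ip firewall filter
# Established/related traffic is accepted first, so replies to LAN-initiated
# connections are never evaluated by the drop rule below.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# This is the rule under discussion. A NEW packet from WAN whose destination is a
# LAN address (case 3 above) never matched dstnat, so connection-nat-state is not
# dstnat and it is dropped here instead of being routed into the LAN.
# The port-forwarded HTTPS packet (case 1) has connection-nat-state=dstnat and
# therefore passes this rule.
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="defconf: drop all from WAN not DSTNATed"
```

Watch the counters on the drop rule with `/ip firewall filter print stats` after sending a packet from the WAN side addressed directly to a LAN host; with the rule disabled, that packet would instead be routed.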
As stated by MKX, the default rule ensures no shenanigans are allowed by corrupted traffic.
Further, the rule blocks ALL other WAN traffic as well, not just allowing dst-nat traffic.
This is a good thing!!
A lot of devices now operate on zero trust, i.e. they block it unless you tell them to allow it.
Some devices create a block all rule at the bottom of your rules list by default so this protects you from bad stuff on the web.
MikroTik is not an NGFW, it is a router, so by default it will route. What if somehow a packet comes to your router from WAN with a destination IP in your LAN? Without that rule, the router will route it.
It is extremely good practice to have a very wide catch-all drop rule at the bottom of your rule set so that "mishaps" don't make you pay a heavy price.