I see that the default firewall forwards untracked packets per:
add chain=forward action=accept connection-state=established,related,untracked comment=“defconf: accept established,related, untracked”
However, in looking further into the default firewall, I do not find any entries that would create untracked packets, so adding untracked to the forwarding chain seems superfluous.
I believe untracked is specific to the use of RAW filter and the notrack command. Thus correct, one should not normally need untracked. It does not harm, but why burn up cpu cycles for nothing.
all the other rules (ie. specify those to accept):
...
the last rule of the chain:
add chain=input action=drop comment="drop all the unwanted rest"
>
Repeat that same scheme also for the other chains (output and forward):
But: this then gives you a really strong firewall, so it allows only what you specify, and drops all the rest.
That is: be careful as you could lock yourself out of the device :slight_smile:
The default firewall has a few rules which make development of functionality very easy. Inclusion of “untracked” is such a cornerstone … if you decide to add a rule in raw “add chain=prerouting action=notrack ”, then the “problematic” firewall filter rule setting will actually allow packets to flow without any change in filter rule set. Similarly there’s default terminal filter rule “filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN” … Note connection-nat-state … and yet default config doesn’t have any DST-NAT rule set, but makes easy for users to simply configure port forwarding without adding corresponding filter rules.
I don’t know if “initially un-necessary” rule settings cause any noticeable processing slowdown … if it’s not, then it is not productive to “optimize” such filter settings. Specially so as most packets bypass filter rules if fasttrack is enabled.