Firewall question.

maigonis · October 2, 2021, 8:18am

In default config we have:

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1

But if I have this rule before:

add action=drop chain=forward comment="defconf: drop invalid forward" connection-state=invalid

it doesn’t do the same thing? Far as I understand, packet whit no destination will be considered as invalid and this rule will drop it. I have never seen any packet count on that rule.

rextended · October 2, 2021, 8:25am

Is impossible than a packet do not have any destination.

A new connection is not equal as invalid connection.
What does not yet exist, cannot be invalid

The packets are "invalid" when connection-tracking is broken because, for example, ISP assign another IP on WAN interface, etc.

If you do not notice the differences, better you do not touch anything.

Ohhh... too late...

You already have compromised it.
The original rule is:

add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

anav · October 2, 2021, 12:30pm

IF ether1 is the wan, and its not pppoe and not a vlan, then no harm no fowl.

More importantly this is a default rule designed to allow the basic user to.
a.. have access to the internet
b. block wan to lan traffic (except for any port forwarding - which would be added in NAT rules).

Much better is not have one rule trying to handle two separate functionalities (allow nat and block wan to lan traffic).
What if the op has no port fowarding for example…

SO…

Default rules minus the one above.
+++++++++++++++++++++++++
add chain=forward action=drop comment=“drop all else”

Meaning, that now the OP is blocking ALL traffic through the router, LAN to WAN, WAN to LAN and LAN to LAN at layer 3. Much more effective rule.
Where the +++++++++++ symbols are located is where the admin should put the traffic he/she WISHES TO ALLOW.

Thus if you want to allow lan to wan.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN

etc…

If you want to allow port forwarding then put in this rule.
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface-list=WAN
comment=“allow port forwarding”

maigonis · October 2, 2021, 2:27pm

I have rewritten all router config, and removed interface lists - ether1 will always be WAN interface. So that rule is correct.

I read 4 more times old wiki and I think I understand now what invalid state means. But next question is, how does packets whit no destination originates if there cannot be packet whit out destination? it could be flagged as invalid, far as I know.

rextended · October 2, 2021, 2:50pm

Let’s not waste time with commas,
there can be no destination-free packages.

The very fact that the packet reaches the router means that there was at least one destination for it: the router.

anav · October 2, 2021, 5:56pm

I dont really care, to tell the truth, if there is some form of packet that reaches the router and its not accepted by the router due to some abnormality, I am super glad I have a rule that will excise that packet!!!
Burn it, throw it away, get rid of it., good riddance.

As to the types of invalid packets, no clue, nor will I lose sleep over it.