Firewall rule effectiveness

Is there a way to judge how effective a firewall rule is? For instance, if I have a drop rule that everything gets checked by, but it never drops anything, then I can get rid of it and improve the throughput of the router. I know how to see how much traffic is going through a rule, but how do I see if it is actually doing anything?

If you have a rule above that accepts anything, the block rule below will not get anything.

You can use the counter in the “ip firewall” window to see which rules are used.
Firewall rules are looked at from top to bottom.

Add log prefix to the rule and then view your logs.

Firewall rules run from top to bottom. It’s good practice to have a “drop all” at the bottom anyway, but if you wanted something as a counter then yes, you could move it higher up. Due to the way traffic “cascades”, though, if a packet matches on a rule higher up then it won’t cascade to the lower rules.

Everything that is not allowed from above is forbidden by the drop rule - that’s where you can see the operation of the counter.
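A small first-match model of what the replies describe (top-to-bottom evaluation, per-rule counters, and a drop rule that an accept-all above it shadows), so the "zero counter" check can be tried on sample traffic. This is an added example in Python, not code from the thread or from RouterOS; the rule fields, the sample packets and the chain names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# First-match chain: the first matching rule is counted and ends evaluation.
@dataclass
class Rule:
    action: str                     # "accept" or "drop"
    proto: Optional[str] = None     # None = any protocol
    dst_port: Optional[int] = None  # None = any destination port
    src: Optional[str] = None       # CIDR, None = any source
    comment: str = ""
    packets: int = 0                # hit counter (like PACKETS in "print stats")
    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dst_port is not None and pkt["dst_port"] != self.dst_port:
            return False
        return not self.src or ip_address(pkt["src"]) in ip_network(self.src)

def evaluate(chain: list, pkt: dict) -> str:
    for rule in chain:              # top to bottom, first match wins
        if rule.matches(pkt):
            rule.packets += 1
            return rule.action
    return "accept"                 # RouterOS default when no rule matches

def dead_rules(chain: list) -> list:
    # Zero counter after real traffic: shadowed by a rule above, or simply unneeded.
    return [r.comment for r in chain if r.packets == 0]
# Constructed sample traffic (not captured from a real router).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dst_port": 22, "src": "10.0.0.5"},        # LAN ssh
    {"proto": "tcp", "dst_port": 22, "src": "203.0.113.9"},     # WAN ssh
    {"proto": "tcp", "dst_port": 8291, "src": "198.51.100.2"},  # WAN winbox
]

def run(chain: list) -> dict:
    for pkt in SAMPLE_PACKETS:
        evaluate(chain, pkt)
    return {r.comment: r.packets for r in chain}

def shadowed_chain() -> list:       # accept-all on top: the drop below never fires
    return [Rule("accept", comment="accept all"),
            Rule("drop", proto="tcp", dst_port=22, comment="drop ssh")]

def ordered_chain() -> list:        # specific rules first, "drop all" last
    return [Rule("accept", src="10.0.0.0/8", comment="accept lan"),
            Rule("drop", proto="tcp", dst_port=22, comment="drop ssh"),
            Rule("drop", comment="drop all")]
```

`run(shadowed_chain())` leaves "drop ssh" at zero hits, which is the signal the question asks about; in `ordered_chain()` every rule is hit by this traffic.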