Firewall Rules/Chains question

Hi,

Can anyone explain to me (simply :slight_smile: ) how the "Jump" and "Return" directives work in firewall rules?
I want to "divide" the main forward rule into some blocks, for easier management, using additional chains.

Look at this simple example:

RULE : FORWARD
src-address=192.168.0.0/24 in-interface=EoIP-MIKRO32 out-interface=ETH action=jump jump-target=LAN1 disabled=no
src-address=192.168.0.0/24 in-interface=EoIP-MIKRO32 out-interface=ETH action=jump jump-target=LAN2 disabled=no
in-interface=EoIP-MIKRO32 out-interface=ETH action=reject log=yes comment="Reject all other" disabled=no

CHAIN : LAN1
src-address=192.168.0.50/32 in-interface=EoIP-MIKRO32 out-interface=ETH action=accept comment="" disabled=no
src-address=192.168.0.51/32 in-interface=EoIP-MIKRO32 out-interface=ETH action=accept comment="" disabled=no

CHAIN : LAN2
src-address=192.168.0.52/32 in-interface=EoIP-MIKRO32 out-interface=ETH action=accept comment="" disabled=no
src-address=192.168.0.53/32 in-interface=EoIP-MIKRO32 out-interface=ETH action=accept comment="" disabled=no

Is it correct? And must I specify "return" at the end of each chain? (like this, at the end of LAN1/LAN2):
add src-address=192.168.0.0/24 in-interface=EoIP-MIKRO32 out-interface=ETH action=return log=yes comment="" disabled=no

Thanks for any ideas and help :slight_smile:

/Tomi

P.S. I think it would be good to publish some documentation about using this function in the firewall on the web or in the manual :slight_smile:

Nope, no need for a return, it does that automatically when it reaches the end of the chain.

Return is used when you want to return specific traffic and not have it processed any further by that specific chain, but want other rules/chains to further filter the traffic.

Also, you may want to use the action “DROP” instead of “REJECT”. When the firewall rejects traffic it sends out a message saying “hey, that port’s not open”, allowing a potential attacker to see that there is a host on the other end. If you DROP traffic, it silently drops it and sends out no control messages, as if the host were not there.

Hope that helps.
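To make the jump/return behaviour from the answer above concrete, here is a small simulator of the rule walk, added as an example and not part of the original thread or of RouterOS itself. It loads the rules from the question (only src-address, in-interface and out-interface are matched, a simplification I have assumed), walks the forward chain the way the answer describes (a sub-chain returns implicitly at its end), and also builds the variant with the explicit trailing return rule the question proposes so the two can be compared.

```python
import ipaddress

# Rules transcribed from the question (constructed sample data; only
# src-address, in-interface and out-interface are matched here).
CHAINS = {
    "forward": [
        dict(src="192.168.0.0/24", inif="EoIP-MIKRO32", outif="ETH", action="jump", target="LAN1"),
        dict(src="192.168.0.0/24", inif="EoIP-MIKRO32", outif="ETH", action="jump", target="LAN2"),
        dict(inif="EoIP-MIKRO32", outif="ETH", action="reject"),
    ],
    "LAN1": [dict(src="192.168.0.50/32", inif="EoIP-MIKRO32", outif="ETH", action="accept"),
             dict(src="192.168.0.51/32", inif="EoIP-MIKRO32", outif="ETH", action="accept")],
    "LAN2": [dict(src="192.168.0.52/32", inif="EoIP-MIKRO32", outif="ETH", action="accept"),
             dict(src="192.168.0.53/32", inif="EoIP-MIKRO32", outif="ETH", action="accept")],
}

def matches(rule, pkt):
    # every matcher present on the rule must match; absent matchers match anything
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return all(rule.get(k, pkt[k]) == pkt[k] for k in ("inif", "outif"))

def walk(chains, chain, pkt, trace):
    """Evaluate one chain top to bottom; None means 'return to the caller',
    either via action=return or by falling off the end of the chain."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}:{rule['action']}")
        if rule["action"] == "jump":
            verdict = walk(chains, rule["target"], pkt, trace)
            if verdict is not None:
                return verdict      # sub-chain gave a final verdict
        elif rule["action"] == "return":
            return None
        else:
            return rule["action"]   # accept / drop / reject are final
    return None  # implicit return at the end of the chain

def filter_packet(src, chains=CHAINS, inif="EoIP-MIKRO32", outif="ETH"):
    """Run one packet through 'forward'; a packet no rule matches is accepted,
    as in a RouterOS built-in chain. Returns (verdict, trace)."""
    trace = []
    verdict = walk(chains, "forward", {"src": src, "inif": inif, "outif": outif}, trace)
    return verdict or "accept", trace

# The same rule set with the explicit trailing return rule the question proposes.
WITH_RETURN = {name: list(rules) for name, rules in CHAINS.items()}
for name in ("LAN1", "LAN2"):
    WITH_RETURN[name].append(dict(src="192.168.0.0/24", inif="EoIP-MIKRO32", outif="ETH", action="return"))
```

Running `filter_packet("192.168.0.52")` shows the packet leaving LAN1 without a verdict and being accepted by LAN2, while `192.168.0.99` falls through both sub-chains to the reject rule; with `WITH_RETURN` the verdicts are identical, only the trace gains the explicit return entries.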