Firewall rules: deny any traffic

Hello everyone. Need a help for newbie.

The example section in the documentation says that I can block everything on the input chain with the rule:
add chain=input action=drop

But a little bit higher on the same page there is a description of the parameters, and there are words saying that the parameter “protocol” has the default value “tcp”.

Does it mean that firewall rule “add chain=input action=drop” will be applied only for TCP packets?

No, but the better rule is /ip firewall raw add chain=prerouting action=drop :slight_smile:

Remember input to the router is the purpose of the input chain.
If you block everything on the input chain, you will not be able to reach the router to administer it!!

You will note the default rules that come with the router suffice to get it up and running.
However, before you create a drop-everything rule on the input chain side (which I do have as well), ensure you put an allow rule for your access to the router.

add chain=input action=accept in-interface=lan src-address-list="admin access" comment="Allow Access to Router From ADMIN"

Go to IP > Firewall > Address List and add the new address list:
the IP address of PC1 that you use to administer the router.
If you want to add more PCs to the list you can, and if you want to state the entire LAN subnet you can…

Then and only then create and put in a drop all input chain rule at the end of the input rules.

Can you explain please? There is no explicit or implicit protocol “any” that can be used.
And as for me, chain=prerouting is not the better way, because “prerouting” is after “input” in the packet flow diagram.
That means that the device needs to process the packet, not just drop it.

Definitely there are other rules, like allow established and related connections, ICMP, remote administration, etc.

The question is: does the rule “chain=input action=drop” drop all protocols or just TCP, because there is no “any” protocol and the default value for “protocol” is “tcp”?

If you don’t enter some parameter, the rule will match all possible values. So no protocol means any protocol, no dst-address means any destination address, etc.

Edit: In other words, rule with no parameters matches any packet. And when you add some parameters, you’re fine tuning it to match less.

No questions for dst-address, src-address and other parameters.
My concern is “protocol” parameter because
“protocol (name or protocol ID; Default: tcp) Matches particular IP protocol specified by protocol name or number”
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties
there is a default value, tcp.

Only for you … The raw section is first in the packet flow, next is the filter!
P.S. First is the prerouting chain, after the routing decision the next is the forward or the input and output chains, and finally the postrouting chain!

It’s a mistake. The only default about tcp is that it’s offered as the first choice in WinBox. But no protocol specified means any protocol.

Summary. I made a test network. “chain=input action=drop” works as expected, blocks everything.

Additionally, this command returns an error:
[admin@MikroTik] /ip firewall filter> add chain=input dst-port=22 in-interface=WAN src-address=192.168.0.8/32 action=accept
failure: ports can be specified if proto is tcp,udp,udp-lite,dccp,sctp

Looks like it’s documentation bug. How can I RTFM after that… :cry:
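As an added illustration of the three points settled in this thread (an unspecified matcher matches anything, the accept rule for the admin address list has to sit above the drop-all rule, and dst-port is only allowed with a protocol that has ports), here is a small Python model of a filter chain. It is my own constructed example, not RouterOS code and not anything posted above; the address list name "admin", the interface name "lan" and the administrator address 192.168.88.10 are assumptions, and the raw/prerouting stage discussed in the thread is not modelled.

```python
"""Toy model of a RouterOS-style filter chain (constructed example, not RouterOS code).

Models: unspecified matcher == wildcard; first matching rule in a chain decides;
dst-port requires a protocol that has ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocols that may carry dst-port/src-port, taken from the CLI error in the thread.
PORT_PROTOCOLS = {"tcp", "udp", "udp-lite", "dccp", "sctp"}


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    in_interface: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    protocol: Optional[str] = None          # None == any protocol
    src_address: Optional[str] = None       # CIDR such as "192.168.0.8/32"
    src_address_list: Optional[str] = None  # name of an address list
    in_interface: Optional[str] = None
    dst_port: Optional[int] = None
    comment: str = ""

    def validate(self) -> None:
        """Reject the combination the router rejected in the thread."""
        if self.dst_port is not None and self.protocol not in PORT_PROTOCOLS:
            raise ValueError("ports can be specified if proto is tcp,udp,udp-lite,dccp,sctp")


AddressLists = Dict[str, List[str]]


def in_network(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet, lists: AddressLists) -> bool:
    """A matcher left as None narrows nothing; only set matchers are compared."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_address is not None and not in_network(pkt.src, rule.src_address):
        return False
    if rule.src_address_list is not None and not any(
            in_network(pkt.src, c) for c in lists.get(rule.src_address_list, [])):
        return False
    return True


def evaluate(chain: str, rules: List[Rule], pkt: Packet, lists: AddressLists) -> str:
    """First matching rule decides; a filter chain with no matching rule accepts."""
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt, lists):
            return rule.action
    return "accept"


# Constructed policy: list name, interface name and PC1 address are assumptions.
ADDRESS_LISTS: AddressLists = {"admin": ["192.168.88.10/32"]}
INPUT_RULES = [
    Rule("input", "accept", in_interface="lan", src_address_list="admin",
         comment="Allow Access to Router From ADMIN"),
    Rule("input", "drop", comment="drop everything else"),  # no protocol: matches ANY protocol
]


def decide(pkt: Packet, rules: List[Rule] = INPUT_RULES) -> str:
    return evaluate("input", rules, pkt, ADDRESS_LISTS)


def port_rule_without_protocol_is_rejected() -> bool:
    """The rule the original poster tried: dst-port=22 and no protocol."""
    try:
        Rule("input", "accept", dst_port=22, in_interface="WAN",
             src_address="192.168.0.8/32").validate()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    admin_ssh = Packet("tcp", "192.168.88.10", "lan", 22)
    for pkt in (admin_ssh, Packet("udp", "203.0.113.7", "wan", 53), Packet("icmp", "203.0.113.7", "wan")):
        print(pkt.protocol, pkt.src, "->", decide(pkt))
    # Same two rules with the drop-all first: the administrator is locked out as well.
    print("reversed order, admin:", decide(admin_ssh, list(reversed(INPUT_RULES))))
    print("dst-port without protocol rejected:", port_rule_without_protocol_is_rejected())
```

Running it shows TCP, UDP and ICMP from an unknown source all hitting the parameterless drop rule, while the administrator's traffic is accepted only while the accept rule precedes the drop; swapping the two rules reproduces the lock-out warned about above.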