forward command

Why, when I enable the command add chain=forward action=drop comment="drop everything else",
do I browse the web very slowly and can't load pages completely?
Thanks!

Because you are dropping something from that page.

Not only that site, all sites I visit. So that command can't be used?

If this is the only Firewall rule you have applied I’m surprised you can connect to anything.

You really need to give more detail on all your Firewall settings in order for anyone to help further.

Here are the commands I used:

/ip firewall filter
add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no 
add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no 
add chain=input connection-state=invalid action=drop comment="drop invalid packets" disabled=no 
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no 
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit \
comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list \
address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no
add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no 
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no 
add chain=input dst-address-type=broadcast action=accept comment="Allow Broadcast Traffic" disabled=no
add chain=input action=log log-prefix="Filter:" comment="" disabled=no 
add chain=input action=drop comment="drop everything else" disabled=no 
add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no 
add chain=services src-address=127.0.0.1 dst-address=127.0.0.1 action=accept comment="accept localhost" disabled=no
add chain=services protocol=udp dst-port=20561 action=accept comment="allow MACwinbox " disabled=no 
add chain=services protocol=tcp dst-port=2000 action=accept comment="Bandwidth server" disabled=no 
add chain=services protocol=udp dst-port=5678 action=accept comment=" MT Discovery Protocol" disabled=no 

add chain=forward connection-state=established comment="allow established connections"  
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"  
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

You haven't added a rule to allow TCP port 80, which is used for HTTP browsing.

Here is a list of some commonly used ports:
http://www.mikrotik.com/testdocs/ros/2.9/ip/service.php

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME      PORT  ADDRESS      CERTIFICATE
  0   telnet    23    0.0.0.0/0
  1   ftp       21    0.0.0.0/0
  2   www       80    0.0.0.0/0
  3   ssh       22    0.0.0.0/0
  4   www-ssl   443   0.0.0.0/0    none
I didn't change them. Can you tell me what command I need to add?

DOH :open_mouth:

I wasn't talking about service ports.
You must add a firewall rule which accepts TCP port 80:
/ip firewall filter add chain=forward protocol=tcp dst-port=80 action=accept

Or add a rule to accept all TCP traffic, like you did with UDP:
/ip firewall filter add chain=forward protocol=tcp comment="allow tcp"

/ip firewall filter add chain=forward protocol=tcp comment="allow tcp"
When I use this command, will it weaken my router?

There are 2 approaches available for a firewall:

  1. accept what you want and drop everything else
  2. drop what you do not need and keep the rest

When following the first scenario, make a list of things you need and add rules to accept them. When this is done, add a final rule that will drop everything else.

In the second, just add drop rules, because everything that is not dropped will be accepted.
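
The first-match behaviour behind this thread, as an added example that is not part of any post and is not MikroTik code: a small Python model that parses the forward-chain rules posted above and reports which rule decides a packet. It assumes a rule without action= accepts, compares only connection-state, protocol and dst-port by exact string, and uses constructed sample packets.

```python
import shlex

# Forward-chain rules as posted in the thread (no TCP accept rule yet).
POSTED = """
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"
"""
# The accept rule suggested in the thread.
HTTP_RULE = "add chain=forward protocol=tcp dst-port=80 action=accept"
# Simplification (assumption): only these matchers, compared as exact strings.
MATCHERS = ("connection-state", "protocol", "dst-port")

def parse(text):
    """Turn 'add key=value ...' lines into dicts; a rule without action= accepts."""
    rules = []
    for line in text.strip().splitlines():
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        rule.setdefault("action", "accept")
        rules.append(rule)
    return rules

def decide(rules, packet, chain="forward"):
    """First matching rule wins; a packet that matches nothing is accepted."""
    for rule in rules:
        if rule["chain"] == chain and all(
                rule[k] == packet.get(k) for k in MATCHERS if k in rule):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"

def with_http_rule(rules, before_drop=True):
    """Place the port-80 rule before the final drop, or append it after the drop."""
    http = parse(HTTP_RULE)
    return rules[:-1] + http + rules[-1:] if before_drop else rules + http

# Constructed sample packets (hypothetical, for illustration only).
NEW_HTTP = {"connection-state": "new", "protocol": "tcp", "dst-port": "80"}
NEW_HTTPS = {"connection-state": "new", "protocol": "tcp", "dst-port": "443"}
NEW_DNS = {"connection-state": "new", "protocol": "udp", "dst-port": "53"}

if __name__ == "__main__":
    posted = parse(POSTED)
    cases = (("as posted", posted), ("rule before drop", with_http_rule(posted)),
             ("rule after drop", with_http_rule(posted, before_drop=False)))
    for label, rules in cases:
        for name, pkt in (("http", NEW_HTTP), ("https", NEW_HTTPS), ("dns", NEW_DNS)):
            print(label, name, decide(rules, pkt))
```

In this model the port-80 rule only takes effect when it sits above "drop everything else", and new connections to port 443 are still dropped.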