In my firewall tables there are a lot of rules and I got confused adding new ones.
Is it possible to create a virtual packet with the specified characteristics and to get a log, which lists the tables, chains and rules that are applied to the packet in a router?
The procedure that I use is to create a logging rule with options set to filter everything except the packet type that I am interested in (as much as possible), then start by placing the logging rule at the beginning of the input chain (if the packet is expected to go directly to the router) or the beginning of the forward chain (if the packet is supposed to pass through the router).
Once I have verified that the packet(s) are at least getting to the router, I start moving the logging rule through the chain and again confirm that those packets are ‘seen’ by watching the log file. You can follow the packets through a jump rule to a different chain by changing the chain that the logging rule belongs to.
Once you find the point where the packets are no longer ‘seen’ or logged, it doesn’t always mean that the packets are lost. You have to inspect the previous rule to see if the packet was ‘accepted’ or ‘dropped’. If the behavior is normal you are finished. If the behavior is unexpected, you can fix or fine-tune your rules to get the proper results.
Yes, that’s helpful, but it would be a good thing to have a tool which would do what you described. I think it’s not too much to ask and it would make our life easier.
I think that having a ‘tool’ to do that for you would be a huge problem to implement and would be very CPU intensive to the point where it wouldn’t be practical.
While I have no idea how feasible it is to implement it in RouterOS, it can certainly be done in a fashion that isn’t CPU intensive, and on something that is roughly Linux based: https://supportforums.cisco.com/docs/DOC-5796
Cisco ASA’s packet tracer feature does just this. It creates a packet (or takes a flow that matches if it exists) and tells you step by step what it would do to the packet where, and why - NAT, packet filtering, VPN, all of it. It greatly simplifies troubleshooting. I honestly don’t know how many dozen hours that tool has saved me.
Thanks fewi, I had no idea that that existed. I made an assumption because it sounded difficult.
Now that I have read about it, I can take a wild guess as to how it works.
The virtual packet may have a special mark that turns on extra logging in the rule processing engine just while the packet with the virtual mark is being processed. I would expect the CPU load to increase to the same amount as doubling (or a higher multiple of) the number of firewall rules.
It now sounds as simple as adding extra code to the rule processing engine, but you are right, I have no idea how much work that would be either.
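To make the idea discussed above concrete, here is an added example that is not from this thread, RouterOS or the Cisco tool: a toy rule engine in Python that evaluates a ‘virtual packet’ the way a chain walker would and records every rule it consults, including jumps into user chains and returns from them. The Rule model, the chain names, the policies, the addresses and the packet fields are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical, constructed rule model (not RouterOS's): a rule is a set of match
# criteria plus an action: "accept", "drop", "return" or "jump:<chain>".
@dataclass
class Rule:
    action: str
    comment: str = ""
    proto: Optional[str] = None
    src: Optional[str] = None          # source network, CIDR notation
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:   # a criterion left as None matches anything
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src))
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port))

# Built-in chains carry a default policy; user chains return to the caller when exhausted.
POLICIES = {"input": "drop", "forward": "drop"}

def trace_packet(chains: dict, pkt: dict, chain: str = "forward", trace=None):
    """Evaluate pkt the way the engine would, logging every rule consulted. Returns (verdict, trace)."""
    trace = [] if trace is None else trace
    for i, rule in enumerate(chains.get(chain, [])):
        hit = rule.matches(pkt)
        trace.append(f"{chain}[{i}] {rule.comment}: {'match' if hit else 'no match'}")
        if not hit:
            continue
        if rule.action.startswith("jump:"):
            verdict, _ = trace_packet(chains, pkt, rule.action[5:], trace)
            if verdict != "return":
                return verdict, trace          # terminal verdict reached inside the sub-chain
            continue                           # sub-chain returned: resume after the jump rule
        return rule.action, trace              # accept / drop / return
    if chain in POLICIES:
        trace.append(f"{chain} policy: {POLICIES[chain]}")
        return POLICIES[chain], trace
    return "return", trace                     # user chain exhausted: back to the caller

# Constructed sample rule set.
CHAINS = {
    "forward": [Rule("jump:from-wan", "wan traffic", src="203.0.113.0/24"),
                Rule("accept", "allow everything else")],
    "from-wan": [Rule("accept", "allow https", proto="tcp", dst_port=443),
                 Rule("return", "let forward decide icmp", proto="icmp"),
                 Rule("drop", "drop other wan")],
}
```

Calling `trace_packet(CHAINS, {"proto": "tcp", "src": "203.0.113.5", "dst_port": 22})` walks forward into from-wan and ends at the drop rule, which is exactly the point a manually relocated logging rule would stop ‘seeing’ the packet.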