input: in:(unknown) out:(none)

Hello!

When connecting to self, for example to telnet (127.0.0.1:23), we can log this message:

09:28:35 firewall,info telnet input: in:(unknown) out:(none), proto TCP (ACK), 127.0.0.1:40539->127.0.0.1:23, len 52
09:28:38 firewall,info telnet input: in:(unknown) out:(none), proto TCP (ACK,PSH), 127.0.0.1:40539->127.0.0.1:23, len 53

How to properly add a rule to allow only local service access?

/ip firewall filter
add action=accept chain=input dst-address-type=local port=23 protocol=tcp comment="This rule works"
add action=accept chain=input port=23 protocol=tcp comment="This rule works too, BUT both allow/block all telnet traffic"

Maybe there is an error in input: in:(unknown) out:(none)?

Allow traffic from LAN side:

/ip firewall filter
add chain=input action=accept in-interface=bridge-LAN

Only these rules work to block/allow this traffic:

/ip firewall filter
add action=accept chain=input dst-address-type=local port=23 protocol=tcp comment="This rule works"
add action=accept chain=input port=23 protocol=tcp comment="This rule works too, BUT both allow/block all telnet traffic"

In this case “(unknown)” is what would be “lo” on Linux. And since it’s hidden in RouterOS and you can’t match by it using in-interface, you’ll have to use IP addresses, so dst-address=127.0.0.1 (or the whole 127.0.0.0/8). If you use dst-address-type=local, it matches any IP address assigned to the router.

If the lo interface is hidden, then maybe a hidden rule is needed, like “allow from lo to lo”?
Capsman connects to self by address 192.168.66.1. And we see that the in interface is also unknown! Any self connection is from the unknown interface!

09:25:00 firewall,info drop input: in:(unknown) out:(none), proto UDP, 192.168.66.1:36021->192.168.66.1:5246, len 48

Then try src-address-type=local. Unlike previous dst-address-type=local, this won’t allow connections from elsewhere.

Yes! Good idea! Works perfectly!

/ip firewall filter
add action=accept chain=input connection-state=new dst-address-type=local src-address-type=local
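As an added example (not from the thread or from RouterOS itself), here is a small Python parser for the firewall log format quoted above that emulates both rules over the quoted lines plus one constructed remote LAN client. The set ROUTER_ADDRESSES is an assumed list of addresses assigned to the router, standing in for what src-address-type=local and dst-address-type=local match.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One RouterOS firewall log line as in the thread; log prefix and TCP flag list vary.
LOG_RE = re.compile(
    r"^\d\d:\d\d:\d\d firewall,info \S+ (?P<chain>\w+): in:(?P<in_if>\S+) out:[^,]+, "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+), len \d+$"
)

# Constructed (assumption): addresses assigned to this router, i.e. what
# src-address-type=local and dst-address-type=local match against.
ROUTER_ADDRESSES = {"127.0.0.1", "192.168.66.1", "192.168.88.1"}

@dataclass
class FwLogEntry:
    chain: str
    in_if: str   # "(unknown)" for traffic the router sends to itself
    proto: str
    src: str
    dst: str
    dport: int

def parse_line(line: str) -> Optional[FwLogEntry]:
    """Parse one log line; None if it is not a firewall log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return FwLogEntry(m["chain"], m["in_if"], m["proto"], m["src"], m["dst"], int(m["dport"]))

def matches_self_rule(e: FwLogEntry) -> bool:
    """Emulates the final rule: chain=input src-address-type=local dst-address-type=local.
    Only router-to-router traffic (the in:(unknown) loopback case) qualifies."""
    return e.chain == "input" and e.src in ROUTER_ADDRESSES and e.dst in ROUTER_ADDRESSES

def matches_dst_local_rule(e: FwLogEntry, port: int = 23) -> bool:
    """Emulates the earlier rule: chain=input dst-address-type=local port=23 protocol=tcp.
    It also admits remote clients, which is why it opened telnet for everyone."""
    return e.chain == "input" and e.proto == "TCP" and e.dport == port and e.dst in ROUTER_ADDRESSES

def classify(lines):
    """(src, dst, matches self rule, matches dst-local rule) for each parsable line."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return [(e.src, e.dst, matches_self_rule(e), matches_dst_local_rule(e)) for e in entries]

# Constructed sample: two lines quoted in the thread plus one remote LAN client.
SAMPLE_LOG = [
    "09:28:35 firewall,info telnet input: in:(unknown) out:(none), proto TCP (ACK), 127.0.0.1:40539->127.0.0.1:23, len 52",
    "09:25:00 firewall,info drop input: in:(unknown) out:(none), proto UDP, 192.168.66.1:36021->192.168.66.1:5246, len 48",
    "09:30:01 firewall,info telnet input: in:bridge-LAN out:(none), proto TCP (SYN), 192.168.88.50:51000->192.168.88.1:23, len 60",
]
```

Running classify(SAMPLE_LOG) shows the self rule admitting only the two self connections, while the dst-local rule admits the remote telnet client as well.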