IPv6 firewall rule for new connections from WAN

I have a rule to drop invalid packets and another to drop new connections, both for the forward chain from the WAN. The new connection rule logs the packets. Both rules are blocking packets but the log shows TCP flags of ACK,PSH for the new connection rule. I would expect to see SYN. If there is no established connection then I would think ACK,PSH would be invalid. Any explanation for what I am seeing?

I am running v6.49beta11 on a CCR1009-7G-1C.

The explanation could be loose-tcp-tracking set to yes, which basically switches off the analysis of TCP flags in order to lower the CPU consumption by connection tracking. This item can be set to no under /ip firewall connection tracking. While there is no such section in the /ipv6 firewall configuration tree, I’d expect the settings to be common for both - give it a try.
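The effect described in this answer, as an added example that is not part of the original thread and is not RouterOS code: a simplified model of how a Linux-netfilter-style tracker labels a TCP segment that has no connection entry, and which of the two forward-chain rules from the question then drops it. It assumes RouterOS follows that behaviour; the function names, log format and sample packets are constructed for illustration.

```python
# Simplified, assumed model of Linux-netfilter-style TCP connection tracking;
# it is not RouterOS code. All names and sample packets are constructed.

def classify_untracked(flags, loose):
    """Connection state for a TCP segment that has no conntrack entry."""
    flags = set(flags)
    if "RST" in flags or "FIN" in flags:
        return "invalid"              # cannot start or adopt a flow
    if "SYN" in flags:
        return "invalid" if "ACK" in flags else "new"
    if "ACK" in flags:
        # Mid-stream segment (e.g. ACK,PSH): loose tracking adopts it as
        # a new connection, strict tracking refuses it.
        return "new" if loose else "invalid"
    return "invalid"

def forward_from_wan(packets, loose):
    """Apply the question's two rules; return what the 'new' rule logs."""
    logged = []
    for src, flags in packets:
        state = classify_untracked(flags, loose)
        if state == "invalid":
            continue                  # rule 1: drop invalid, no log
        # rule 2: drop new connections from WAN and log them
        logged.append(f"drop-new src={src} TCP ({','.join(flags)})")
    return logged

# Constructed sample: one stray data segment and one real connection attempt.
SAMPLE = [
    ("2001:db8::10", ["ACK", "PSH"]),
    ("2001:db8::20", ["SYN"]),
]

if __name__ == "__main__":
    for loose in (True, False):
        print(f"loose-tcp-tracking={'yes' if loose else 'no'}")
        for line in forward_from_wan(SAMPLE, loose):
            print("  " + line)
```

In this model the ACK,PSH segment reaches the logging rule only when loose tracking is on; with it off, the same segment is dropped by the invalid rule and only the SYN is logged.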

That may be the answer. I have been running without loose tracking for a couple days and have had no log entries for new connection attempts from the WAN. Thanks.