Issue in firewall for ospf packets

davidalain · March 6, 2020, 2:34pm

Hi,
I am firewalling my routers to secure all to accept only OSPF packets from a specific interface-list and address-list.

/ip firewall filter
add action=accept chain=input in-interface-list=OSPF_INTERFACES protocol=ospf src-address-list=BACKBONE
add action=drop chain=input protocol=ospf 

/ip firewall raw
add action=accept chain=prerouting in-interface-list=OSPF_INTERFACES protocol=ospf src-address-list=BACKBONE
add action=drop chain=prerouting protocol=ospf

But I see many packets being counted in both rules as sometimes is working the filter and sometimes the raw rule with accept.
No one packet is matching to drop rule in neither filter or raw. Packets counter is always zero.

This issue is happing in a RB1100AHX2 and SXTsq 5 ac running RouterOS v6.45.8 (long-term).
In a CCR1009 it is working with no issue running the same RouterOS version.

I am trying to use raw to improve router performance.

Is this a BUG or am I doing something wrong?

davidalain · March 8, 2020, 3:25am

Does the OSPF have a different behavior in a raw firewall rule?

davidalain · March 8, 2020, 5:29pm

Is a packet checked in firewall filter even it already have been accepted in the firewall raw?

davidalain · March 10, 2020, 4:15am

After I made many searches and tests I got the answer. And it is: YES.

If you drop a packet in a firewall raw rule, this packet does not reach the firewall filter rules.

If you accept a packet in a firewall raw rule, this packet is also checked in firewall filter.

Thus, you may take care about it and don’t accept in firewall raw and drop in firewall filter. Unless you sure you want to do.