Loopback interface, should be allowed?

Hello,
as the title suggests, my firewall is configured based on the Help pages https://help.mikrotik.com/docs/spaces/ROS/pages/328513/Building+Advanced+Firewall#BuildingAdvancedFirewall-IPv4RAWRules,
the rule

add action=drop chain=prerouting comment="defconf: drop the rest"

in Raw and Input is blocking:

prerouting: in:lo out:(unknown 0), connection-state:related proto ICMP (type 3, code 1), 192.168.1.1->192.168.1.1, len 285

or

prerouting: in:lo out:(unknown 0), connection-state:established proto TCP (ACK), 127.0.0.1:443->127.0.0.1:41182, len 52

Now that the Loopback interface is exposed, is it OK to drop these packets, or should we allow them with

add action=accept chain=prerouting/input comment="defconf: accept everything else from Loopback" in-interface=lo

?

Thanks!

In defconf capsman traffic is allowed in using 127.0.0.1.
And that’s conceptually the same as lo.
So …

I remembered there was a discussion about it not too long ago…

http://forum.mikrotik.com/t/default-firewall-rule-for-loopback-now-that-lo-interface-exists/176813/1

Thanks for the interesting link @holvoetn,
even if the lo interface is allowed in input, it will be dropped in raw;
lo is not using only 127.0.0.1, as reported by the logs.

It’s hard to follow your reasoning without seeing actual device config. Default config doesn’t have any raw firewall rules and we can only guess what you have added to interfere with traffic.

BTW, I hate seeing add-on rules (even if they’re published in official articles) abusing comment “defconf:” … because they’re not.

Here is the Firewall RAW config:

/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=VLAN protocol=udp src-address=0.0.0.0 src-port=68
# add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
# add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
# add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
# add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" in-interface-list=WAN dst-address=192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=VLAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"

Just noticed that the MT Help guide is dropping 127.0.0.1 where I’m not:

/ip firewall address-list
  add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4

Got an answer from support: basically, for a common use case, the ‘lo’ interface shouldn’t need to be allowed in Firewall RAW and Filter, so the logs reported in my first post are considered “errors”.
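As an added illustration (not code from this thread, from MikroTik, or from the Help guide), here is a small Python model of first-match evaluation of the RAW prerouting rules posted above, run over the two logged in:lo packets. It shows why both fall through to "drop the rest" under the posted config (lo is in none of the VLAN/LAN/WAN interface lists), what the optional accept-from-lo rule would change, and that enabling the Help guide's bad_ipv4 list drops the 127.0.0.1 packet earlier regardless. The interface-list membership and the contents of not_global_ipv4 are constructed assumptions, and the icmp4/bad_tcp jump targets are not on the page, so jumps are treated as chains that return.

```python
"""Toy first-match evaluator for the RAW prerouting rules posted in the thread.
Added example, not from the thread or MikroTik; it models RouterOS matching
only far enough to show where the two logged 'in:lo' packets land."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: constructed interface-list membership. The thread never shows
# which interfaces are in VLAN/LAN/WAN, only that 'lo' is in none of them.
INTERFACE_LISTS = {
    "VLAN": {"vlan10"},
    "LAN": {"bridge", "vlan10"},
    "WAN": {"ether1"},
}
# bad_ipv4 is the single entry quoted from the Help guide; not_global_ipv4 is a
# constructed subset of RFC 6890 ranges (assumption).
ADDRESS_LISTS = {
    "bad_ipv4": ["127.0.0.0/8"],
    "not_global_ipv4": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"],
}


@dataclass
class Packet:
    in_iface: str
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Rule:
    action: str                     # "accept", "drop" or "jump"
    comment: str
    in_iface: Optional[str] = None
    in_list: Optional[str] = None
    src_list: Optional[str] = None
    dst_list: Optional[str] = None
    proto: Optional[str] = None
    src_addr: Optional[str] = None  # CIDR; leading "!" negates, like RouterOS
    dst_addr: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    any_port: Optional[int] = None  # RouterOS "port=" matches src or dst


def _in_address_list(addr: str, list_name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in ADDRESS_LISTS[list_name])


def _addr_ok(addr: str, spec: Optional[str]) -> bool:
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must hold; unset matchers always match."""
    return all([
        rule.in_iface is None or pkt.in_iface == rule.in_iface,
        rule.in_list is None or pkt.in_iface in INTERFACE_LISTS[rule.in_list],
        rule.src_list is None or _in_address_list(pkt.src, rule.src_list),
        rule.dst_list is None or _in_address_list(pkt.dst, rule.dst_list),
        rule.proto is None or pkt.proto == rule.proto,
        _addr_ok(pkt.src, rule.src_addr),
        _addr_ok(pkt.dst, rule.dst_addr),
        rule.src_port is None or pkt.src_port == rule.src_port,
        rule.dst_port is None or pkt.dst_port == rule.dst_port,
        rule.any_port is None or rule.any_port in (pkt.src_port, pkt.dst_port),
    ])


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Comment of the first accept/drop rule that matches. Jumps are skipped
    (the icmp4/bad_tcp chains are not on the page), i.e. they are modelled as
    target chains that return without a verdict."""
    for rule in rules:
        if rule.action != "jump" and matches(rule, pkt):
            return f"{rule.action}: {rule.comment}"
    return "end of chain (implicit accept)"


# The rules exactly as posted, in order (commented-out bogon rules excluded).
POSTED_RULES = [
    Rule("accept", "accept DHCP discover", in_list="VLAN", proto="udp",
         src_addr="0.0.0.0/32", dst_addr="255.255.255.255/32", src_port=68, dst_port=67),
    Rule("drop", "drop non global from WAN", in_list="WAN", src_list="not_global_ipv4"),
    Rule("drop", "drop forward to local lan from WAN", in_list="WAN", dst_addr="192.168.1.0/24"),
    Rule("drop", "drop local if not from default IP range", in_list="LAN", src_addr="!192.168.1.0/24"),
    Rule("drop", "drop bad UDP", proto="udp", any_port=0),
    Rule("jump", "jump to ICMP chain", proto="icmp"),
    Rule("jump", "jump to TCP chain", proto="tcp"),
    Rule("accept", "accept everything else from LAN", in_list="VLAN"),
    Rule("accept", "accept everything else from WAN", in_list="WAN"),
    Rule("drop", "drop the rest"),
]


def with_bogon_drops(rules: List[Rule]) -> List[Rule]:
    """The Help guide's bad_ipv4 drops, placed where the poster has them commented out."""
    bogon = [Rule("drop", "drop bogon IP's", src_list="bad_ipv4"),
             Rule("drop", "drop bogon IP's", dst_list="bad_ipv4")]
    return rules[:1] + bogon + rules[1:]


def with_lo_accept(rules: List[Rule]) -> List[Rule]:
    """The optional accept-from-Loopback rule from the first post, ahead of the final drop."""
    lo = Rule("accept", "accept everything else from Loopback", in_iface="lo")
    return rules[:-1] + [lo] + rules[-1:]


# The two packets from the poster's log lines.
LOGGED_ICMP = Packet("lo", "icmp", "192.168.1.1", "192.168.1.1")
LOGGED_TCP = Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 443, 41182)

if __name__ == "__main__":
    variants = {"posted": POSTED_RULES,
                "posted + accept lo": with_lo_accept(POSTED_RULES),
                "posted + bogon drops": with_bogon_drops(POSTED_RULES)}
    for name, rules in variants.items():
        for pkt in (LOGGED_ICMP, LOGGED_TCP):
            print(f"{name:22} {pkt.proto:4} {pkt.src}->{pkt.dst}: {evaluate(rules, pkt)}")
```

The model confirms the support answer's framing: under the posted rules the lo packets are only dropped because nothing before the catch-all matches them, so whether to add an accept for in-interface=lo is a policy choice, not a correctness fix; and if the Help guide's 127.0.0.0/8 bogon drop is enabled, it wins over a later lo accept for the 127.0.0.1 traffic.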