New filter rules ?

Looking at filter rules after 6.45.2 hAP lite has been conf-resetted :

0  D comment=special dummy rule to show fasttrack counters chain=forward action=passthrough 
 1    comment=defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked 
 2    comment=defconf: drop invalid chain=input action=drop connection-state=invalid 
 3    comment=defconf: accept ICMP chain=input action=accept protocol=icmp 
 4    comment=defconf: accept to local loopback (for CAPsMAN) chain=input action=accept dst-address=127.0.0.1 
 5    comment=defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN 
 6    comment=defconf: accept in ipsec policy chain=forward action=accept ipsec-policy=in,ipsec 
 7    comment=defconf: accept out ipsec policy chain=forward action=accept ipsec-policy=out,ipsec 
 8    comment=defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related 
 9    comment=defconf: accept established,related, untracked chain=forward action=accept connection-state=established,related,untracked 
10    comment=defconf: drop invalid chain=forward action=drop connection-state=invalid 
11    comment=defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Are rules 0, 4, 6, 7 new?

Rules #0, #6 and #7 are around for quite some time (let’s say at least since 6.42 if not earlier … rule #0 is probably around ever since fast-track got introduced) … rule #4 is new to me as well …

Concur, #4 is a new default rule, the rest have, as has been stated, been around for a while.
What would the effect of rule 4 be, mkx? An obvious question not answered …
An environmentally friendly post would have included the obvious negating the need for a question and the subsequent response. :wink:

You know what CAPsMAN is and that client devices need to connect to controller. But what if both are same device?

Previous firewall for input chain dropped packets from WAN, but current drops packets from “not LAN”. CAPsMAN connection in above case comes from loopback interface, but you can’t add it to LAN interface list, because MikroTik doesn’t show it to us as existing interface. So an extra rule is needed (if you use CAPsMAN to control same device, otherwise you can get rid of it).
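To make sob's explanation concrete, here is an added example (not from the thread and not MikroTik's code): a small first-match model of the default input chain listed above. It assumes an interface list LAN containing "bridge", WAN containing "ether1", and names the loopback "lo" purely for the model, since RouterOS does not expose it as an interface you could add to a list. Running the CAPsMAN-to-local-controller packet through the chain with and without rule #4 shows that without it the packet falls through to rule #5 and is dropped.

```python
# Added example: toy first-match evaluator for the defconf input chain.
# Interface lists and the "lo" name are assumptions of this model.
from dataclasses import dataclass
from typing import Optional

IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}  # assumed lists


@dataclass
class Packet:
    in_interface: str
    dst_address: str
    protocol: str = "tcp"
    connection_state: str = "new"


@dataclass
class Rule:
    comment: str
    action: str
    connection_state: Optional[frozenset] = None
    protocol: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface_list: Optional[str] = None  # "!LAN" means "not in list LAN"

    def matches(self, pkt: Packet, lists: dict) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_address is not None and pkt.dst_address != self.dst_address:
            return False
        if self.in_interface_list is not None:
            negate = self.in_interface_list.startswith("!")
            name = self.in_interface_list.lstrip("!")
            in_list = pkt.in_interface in lists.get(name, set())
            if in_list == negate:  # membership is the opposite of what the rule wants
                return False
        return True


# Input-chain rules #1 to #5 from the defconf listing in the thread.
INPUT_CHAIN = [
    Rule("defconf: accept established,related,untracked", "accept",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("defconf: drop invalid", "drop", connection_state=frozenset({"invalid"})),
    Rule("defconf: accept ICMP", "accept", protocol="icmp"),
    Rule("defconf: accept to local loopback (for CAPsMAN)", "accept", dst_address="127.0.0.1"),
    Rule("defconf: drop all not coming from LAN", "drop", in_interface_list="!LAN"),
]


def evaluate(rules, pkt: Packet, lists=IFACE_LISTS):
    """Return (action, comment) of the first matching rule.
    A RouterOS chain accepts when no rule matches, so that is the fallback."""
    for rule in rules:
        if rule.matches(pkt, lists):
            return rule.action, rule.comment
    return "accept", "implicit chain default"


def capsman_loopback_verdict(with_rule_4: bool) -> str:
    """Verdict for a new CAPsMAN connection from the local loopback
    (CAP and CAPsMAN on the same router), with or without rule #4."""
    rules = INPUT_CHAIN if with_rule_4 else [r for r in INPUT_CHAIN if "CAPsMAN" not in r.comment]
    pkt = Packet(in_interface="lo", dst_address="127.0.0.1")
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    print("with rule #4:   ", capsman_loopback_verdict(True))
    print("without rule #4:", capsman_loopback_verdict(False))
    wan = Packet(in_interface="ether1", dst_address="203.0.113.1")
    print("new from WAN:   ", evaluate(INPUT_CHAIN, wan))
```

The model only covers the matchers the listed input rules use; it is enough to show that the loopback rule is the only thing standing between "not from LAN" and a local CAPsMAN connection, and that the rule is harmless when CAPsMAN is not controlling the same device.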

Thank you sob, so if the wifi controller is on a wifi device, ergo one needs to account for that.
Personally, I don't use CAPsMAN for a two cAP ac household, who needs all the overhead and complication, but I can see where this could be an issue. I would setup CAPsMAN on my RB450Gx4 anyway…

In any case, not coming to a device anytime soon cause 6.45.2 needs some serious love and attention before it goes on any of my devices.

Seeing your comment in the 6.45.2 thread, I’m not sure if your devices should be more afraid of buggy RouterOS or you. Or maybe I’m misinterpreting a totally innocent comment. :wink:

Oh no doubt, when MT products see me coming they shiver and not in a happy excited way. Bull in a china shop comes to mind. :wink: