please explain a default firewall rule

Hello,

I’m trying to set up my first MikroTik router and I am a little bit overwhelmed.

What is the purpose of the last default firewall rule?

/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway comment="default configuration"

As far as I understand, it drops new forward connections that come in from the external interface, but I don't get the "connection-nat-state=!dstnat" part, because no destination NAT is done.

Thank you!

If you do manual dstnat, then it will allow forwarding; basically that's what you expect if you set up dstnat.
Note the '!' in front of dstnat: it means that the packet will be dropped if it is not DNATed.
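To make the interaction described in that reply concrete, here is an added RouterOS example (not from this thread or from MikroTik's own default script): a dstnat rule publishing an internal web server, the default forward drop rule beside it, and an optional pair of rules that restricts forwarded DNATed traffic to that one host and port. The interface name, the 192.168.88.10 address and TCP/443 are assumptions, and the established/related accept stands in for the rest of the default forward chain.

```routeros
# Added example, not the thread's or MikroTik's own configuration.
# Assumed: WAN interface ether1-gateway, internal web server 192.168.88.10, TCP/443.

# 1. Destination NAT: new TCP/443 connections arriving on the WAN interface are
#    rewritten to the internal host. Conntrack marks these connections with
#    connection-nat-state=dstnat before the forward chain sees them.
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="publish web server"

# 2. Forward chain, in order: replies to existing connections are accepted, then
#    every new WAN-originated connection that was NOT DNATed is dropped.
#    The connection created by rule 1 is DNATed, so "!dstnat" does not match it
#    and it continues down the chain instead of being dropped here.
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="accept established/related"
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway comment="default configuration"

# 3. Optional tightening (added here, not part of the default configuration):
#    accept only the DNATed traffic that really targets the published host and
#    port, and drop any other DNATed connection from the WAN. This limits the
#    damage of a later, overly broad dstnat rule.
/ip firewall filter add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.10 dst-port=443 comment="allow published web server only"
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=dstnat in-interface=ether1-gateway comment="drop any other DNATed traffic"
```

After pasting this in, check the rule order and counters with /ip firewall filter print stats: a connection to the published port should increment the "allow published web server only" counter, while an unsolicited connection to any other internal address should increment the "default configuration" counter.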

I have never considered this; I've always added separate NAT and filter rules.

Good to know
