Remove:
Chain
Src.Address
Dst.Address
Src.Address List
Dst.Address List
In.Interface
Out.Interface
Instead use:
Source
Destination
Source and Destination can be: Addresses and Address Groups, Interfaces and Interface Groups, Router itself (all router addresses); with AND/OR/NOT operators.
Remove:
NAT tab
Instead use:
Translation tab (or field) in firewall rule
P.S.
My suggestion is for Firewall Filter Rules, not for Mangle.
My suggestion is for FirewallRule/General, not for Action.
I’m sorry but I have to contradict this wish.
It’s not only me loving the fine granularity of RouterOS’ firewall.
All fields and options precisely describe their purpose.
But talking about feature requests for the firewall, I’d vote for protocol and port groups
Only the standard firewall chains can be determined automatically. Do you suggest getting rid of the action=jump rules altogether?
Also, chains in mangle cannot be determined automatically (think of input/forward vs prerouting/postrouting).
And, by the way, using INPUT to match incoming packets targeting the router itself is simply clean and handy. Having worked with other firewalls I love the idea of chains a lot.
Of course mikruser does not understand at all how it works and tries to dumb it down to bring it within his reach. I suggest buying a simple home router.
His ideas on this thread are simply ridiculous.
I can imagine to use common fields for addresses and address lists. But the interface is something absolutely different and all other suggestions in original post are not acceptable.
Please carefully read my previous messages. I suggest removing the Chain field only from FirewallRule/General in the Winbox GUI. You can use jump to chain in Action.
Ok, for the rare creation of custom chains, it would be possible to provide a “Custom chain” field in FirewallRule/General.
It’s already intuitive and admin-friendly, and very much at that. If you want it also user-friendly, as for regular users who don’t know much about networking, then request some extension for Quick Set, to easily “open ports” and stuff.
To combine address/list/interface into one field, so there would be just one source and one destination, why not. If those new fields allowed multiple values, it would basically be just another representation of what we have now. And yes, if it was all together, it would probably be a little more obvious and intuitive. Although it might quickly become not so clear with all those and/or conditions.
To reduce filter chains, that too is probably doable. If input, output and forward were combined into one, you could add source=local to get packets previously in output, destination=local to get packets previously in input, and source=!local destination=!local for the original forward. Or just don’t use these limits and let all packets be processed by all rules in the new combined chain, even those for which it would not make sense. It could work, but how would it be better than what we have now?
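As an added illustration (not part of this thread and not RouterOS code), here is a small Python model of the chain-merging idea in the post above. It classifies packets the way the classic input/output/forward split does, rewrites a constructed classic ruleset into the proposed single chain using source=local / destination=local, and compares the verdicts. It also shows the one case the mapping does not reproduce: router-to-itself traffic, which in netfilter passes through output and then input as two separate chains, but in a combined chain is decided by whichever rule comes first. All addresses, interface names and rules are constructed sample values; the matcher is deliberately simplified (no connection tracking, no protocol or port matching).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample: the addresses the router itself owns.
ROUTER_ADDRS = {"192.168.88.1", "203.0.113.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: Optional[str] = None  # None for packets the router generates itself


def is_local(addr, router_addrs=ROUTER_ADDRS):
    return addr in router_addrs


def chains_for(pkt, router_addrs=ROUTER_ADDRS):
    """Classic model: output for locally generated, input for locally delivered,
    forward otherwise. Router-to-itself traffic traverses output and then input."""
    chains = []
    if is_local(pkt.src, router_addrs):
        chains.append("output")
    if is_local(pkt.dst, router_addrs):
        chains.append("input")
    return chains or ["forward"]


@dataclass(frozen=True)
class Rule:
    chain: str                        # "input"/"output"/"forward" or "combined"
    action: str                       # "accept" or "drop"
    src_net: Optional[str] = None     # CIDR src-address match
    dst_net: Optional[str] = None     # CIDR dst-address match
    in_iface: Optional[str] = None
    src_local: Optional[bool] = None  # combined chain only: source=local / source=!local
    dst_local: Optional[bool] = None  # combined chain only: destination=local / !local


def matches(rule, pkt, router_addrs=ROUTER_ADDRS):
    if rule.src_net and ip_address(pkt.src) not in ip_network(rule.src_net):
        return False
    if rule.dst_net and ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if rule.in_iface is not None and pkt.in_iface != rule.in_iface:
        return False
    if rule.src_local is not None and is_local(pkt.src, router_addrs) != rule.src_local:
        return False
    if rule.dst_local is not None and is_local(pkt.dst, router_addrs) != rule.dst_local:
        return False
    return True


def run_chain(rules, chain, pkt, router_addrs=ROUTER_ADDRS, default="accept"):
    """First matching rule wins; a chain with no matching rule accepts, as in RouterOS."""
    for r in rules:
        if r.chain == chain and matches(r, pkt, router_addrs):
            return r.action
    return default


def verdict_classic(rules, pkt, router_addrs=ROUTER_ADDRS):
    """The packet must be accepted by every chain it traverses."""
    for chain in chains_for(pkt, router_addrs):
        if run_chain(rules, chain, pkt, router_addrs) == "drop":
            return "drop"
    return "accept"


def to_combined(rules):
    """Rewrite a classic ruleset into the single chain the post describes:
    input -> destination=local, output -> source=local,
    forward -> source=!local destination=!local. Rule order is kept."""
    mapping = {"input": (None, True), "output": (True, None), "forward": (False, False)}
    return [Rule("combined", r.action, r.src_net, r.dst_net, r.in_iface, *mapping[r.chain])
            for r in rules]


def verdict_combined(rules, pkt, router_addrs=ROUTER_ADDRS):
    return run_chain(rules, "combined", pkt, router_addrs)


# Constructed classic ruleset: drop WAN traffic aimed at the router, drop WAN-initiated
# forwarding into the LAN, forbid the router from talking to one range; accept the rest.
CLASSIC = [
    Rule("input", "drop", in_iface="wan"),
    Rule("forward", "drop", in_iface="wan", dst_net="192.168.88.0/24"),
    Rule("output", "drop", dst_net="198.51.100.0/24"),
]

# Constructed sample packets, one per interesting path.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "wan"),   # internet -> router (input): drop
    Packet("198.51.100.7", "192.168.88.20", "wan"),  # internet -> LAN host (forward): drop
    Packet("192.168.88.20", "198.51.100.7", "lan"),  # LAN -> internet (forward): accept
    Packet("192.168.88.20", "192.168.88.1", "lan"),  # LAN -> router (input): accept
    Packet("203.0.113.10", "198.51.100.7"),          # router -> forbidden range (output): drop
    Packet("203.0.113.10", "8.8.8.8"),               # router -> internet (output): accept
]


def compare(rules=CLASSIC, packets=SAMPLE_PACKETS):
    """Return (classic verdicts, combined verdicts, whether they all agree)."""
    combined = to_combined(rules)
    classic = [verdict_classic(rules, p) for p in packets]
    merged = [verdict_combined(combined, p) for p in packets]
    return classic, merged, classic == merged


def self_traffic_differs():
    """Router-to-itself packet: classic evaluates output THEN input, so an output drop
    always wins; the combined chain takes the first match, here the former input rule."""
    rules = [Rule("input", "accept"), Rule("output", "drop")]
    pkt = Packet("192.168.88.1", "192.168.88.1")
    return verdict_classic(rules, pkt) != verdict_combined(to_combined(rules), pkt)


if __name__ == "__main__":
    print(compare())
    print("self-traffic verdicts differ:", self_traffic_differs())
```

For ordinary transit, inbound and outbound traffic the two representations agree, which is the post's point; the self-traffic case is the kind of context-dependent subtlety the later replies have in mind when they say the chains carry meaning that a flat rule list would lose.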
Cannot disagree more with the suggestions made in this thread.
I am 100% against them.
No - just, no.
The chains all have very specific meaning.
The contexts in which they are executed are very important.
RouterOS can be used in some very advanced configurations, and boiling the firewall down into something designed as a lan/wan router is just absolutely barking-at-the-moon ludicrous.
Just because it’s not immediately obvious that the input chain doesn’t mean the same thing as “download” and output doesn’t mean “upload” - it doesn’t follow that these aren’t insanely useful concepts. The architecture of netfilter (the software under the hood of MikroTik) is far superior to a simple per-interface list of ingress/egress rules. Nerfing this because it’s more advanced is a horrible idea.
I work very hard on these forums to help new users understand the behavior of the firewalls, because having a MikroTik router is an excellent and inexpensive way to gain access to a platform that can truly lead to a deep understanding of networking. There are dozens of “user-friendly” SOHO routers already - why should MikroTik just be another Netgear?