I am just getting my first RouterBOARD up and running. In trying to set up my packet filtering rules, I have relied somewhat on the examples I find here and at the Wiki. One thing keeps puzzling me, though, and I cannot find the answer. Searching here just returns tons of hits pointing to the example packet filter rule, and not an explanation (or perhaps my search skill is lacking refinement).
My question is, what is a TCP “related” connection state? It is not part of the TCP state machine, and I have not encountered this state in working with other routers’ ACLs, such as Cisco. In my first day with the new rule, I see that more matches occur on “related” than “established”.
Is there a flag or combination of flags that points to “related”? How does one identify a “related” connection state?
Connections have state related if a new connection is related to an already established connection.
For example, the data FTP connection is related to the ftp session.
I can see FTP and a new FTPdata connection being related, as it is part of the FTP protocol standard and FTPdata comes in as a new connection. Is that the only type of related connection? Wouldn’t any other related connection be covered by established (ACK bit set)?
How is related determined, since it is not a TCP state with a bit set in the header? How does the router recognize related?
Maybe I’m being dense and not seeing the “answer” in the answers you folks are offering. I’m not trying to be difficult, but just to understand a term I have never encountered before with another router vendor, nor in the world of packet filtering nor in TCP states.
How does the router recognize a packet as being “related”? Is there a list of related protocol pairs it uses? What is it about the particular packet that marks it as “related”?
SIP runs on port 5060 UDP. The RTP stream associated with SIP is a dynamically assigned port, both on the src and dst side. The kernel connection tracking modules watch the 5060 connection to track what the dynamically assigned RTP ports will be. This is related.
The RTP stream is a completely new connection that is related to the original connection.
I begin to see, now with this example along with FTP DATA.
I can recall about a dozen years ago trying to make H.323 run through a firewall for NetMeeting, and it would have been nice at the time to have something like this.
I guess it makes me uncomfortable to permit something that is not clearly defined, like this “related” connection state. I would at least like to know the criteria being used when such packets are passed. Is it a list of protocols? Just that short list under Firewall, Service Ports or are there more?
IIRC, related when it comes to ICMP is stuff like ICMP unreachable, etc. Makes sense that you would get a lot of that kind of stuff if you run a continuous traceroute.
Edit, yes. Augment, no. Connections are “related” if firewall inspection helpers have found them in other channels. Some protocols have control channels that negotiate data channels. FTP is a popular example. The data channel is learned about by the helper that sees the control channel negotiate its parameters, and the data channel is then “related”.
You can see the helpers under “/ip firewall service” and can disable and enable them there. You cannot add new ones.
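Added example, not from this thread and not MikroTik or kernel code: a small Python model of what the helpers described above do. It parses FTP control-channel text (a PORT command or a 227 PASV reply) into an expectation, and a later connection that matches that expectation is labelled related; that expectation match, not any TCP flag, is what the router is recognising. The addresses, ports and packet sequence are constructed.

```python
"""Toy model of how a conntrack helper yields the RELATED state (constructed
illustration for this thread, not RouterOS or Linux kernel code). The helper
parses the FTP control channel for a PORT command or 227 PASV reply and
registers an expectation; a later connection matching it is RELATED, not NEW.
"""
import re
from dataclasses import dataclass, field

_ADDR = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"  # h1,h2,h3,h4,p1,p2 as FTP writes it

@dataclass
class ConnTracker:
    established: set = field(default_factory=set)     # flows already seen
    expectations: dict = field(default_factory=dict)  # (dst_ip, dst_port) -> master flow

    def _ftp_helper(self, flow: tuple, payload: str) -> None:
        """Register the negotiated data channel (simplified: keyed on destination only)."""
        for pattern in (r"PORT " + _ADDR, r"227 .*?\(" + _ADDR + r"\)"):
            m = re.search(pattern, payload)
            if m:
                h = m.groups()
                port = int(h[4]) * 256 + int(h[5])        # FTP encodes the port as two bytes
                self.expectations[(".".join(h[:4]), port)] = flow

    def classify(self, flow: tuple, payload: str = "") -> str:
        """Return the connection-state a firewall rule would match for this packet."""
        proto, sip, sport, dip, dport = flow
        if flow in self.established or (proto, dip, dport, sip, sport) in self.established:
            state = "established"
        elif (dip, dport) in self.expectations:
            state = "related"                    # opened by an expectation a helper created
            del self.expectations[(dip, dport)]  # an expectation is consumed once matched
        else:
            state = "new"
        self.established.add(flow)
        if proto == "tcp" and 21 in (sport, dport) and payload:  # only the control channel is parsed
            self._ftp_helper(flow, payload)
        return state

def ftp_session_demo() -> list:
    """Constructed packet sequence: a passive-mode FTP transfer seen by the tracker."""
    ct = ConnTracker()
    client, server = "10.0.0.5", "192.0.2.10"
    packets = [
        (("tcp", client, 40001, server, 21), "USER anonymous\r\n"),
        (("tcp", server, 21, client, 40001), "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
        (("tcp", client, 40002, server, 50000), ""),   # data channel: 195*256+80 = 50000
        (("tcp", client, 40003, server, 50000), ""),   # no expectation left, so just "new"
    ]
    return [ct.classify(flow, payload) for flow, payload in packets]
```

Because an expectation only ever comes from parsing the control channel's payload, a helper learns nothing from an encrypted control channel, and each enabled helper is extra parsing of untrusted traffic; the Service Ports menu mentioned in this thread is where unused ones can be switched off.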
MikroTik uses the Linux kernel, and therefore the information relating to Netfilter applies to it; see “Connection Tracking”. A very detailed answer to the question can also be found under “User-land states”.