Considering these rules:
/ip firewall raw
add action=return chain=somechaininraw protocol=tcp tcp-flags=!fin,syn,!rst,!psh,ack,!urg,!ece,!cwr
add action=return chain=somechaininraw protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,ack,!urg,!ece,!cwr
add action=return chain=somechaininraw protocol=tcp tcp-flags=!fin,syn,!rst,!psh,!ack,!urg,!ece,!cwr
One would expect the first to trigger on a TCP packet with the SYN and ACK flags set, the second on only the ACK flag set, and the third on only the SYN flag set. The first two work fine, but the last, with only the SYN flag, never triggers. All packets with only the SYN flag set will not trigger the action.
Is this by design or is this a bug?
optio (August 6, 2024, 2:28pm):
How is the filter rule set for the jump into the “somechaininraw” chain? Maybe such packets are not going through the “somechaininraw” chain.
After some testing I figured it out.
The rules work as expected; I got misled by focusing too much on the MikroTik logs.
add action=return chain=tcpflags protocol=tcp tcp-flags=!fin,syn,!rst,!psh,!ack,!urg,!ece,!cwr
would match packets with only SYN set.
MikroTik would log this as:
firewall,info proto TCP (SYN)
The confusion arose when there were packets with ECE or CWR set, which the rule won’t match. Those packets also get logged as
firewall,info proto TCP (SYN)
and not as for example
firewall,info proto TCP (SYN,ECE,CWR)
So I jumped to a conclusion too soon and thought the rule wasn’t working.
So maybe still a small bug.
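The thread turns on what a tcp-flags matcher actually tests and on a log line that hides flags. The following Python is an added example, not code from the thread or from RouterOS: it models the matcher under the assumption, consistent with the observations above, that a bare flag name must be set, a "!"-prefixed name must be clear, and an unlisted flag is ignored. Function names (`parse_tcp_flags_spec`, `matches`, `flags_from_tcp_header`, `flag_names`, `evaluate`) are hypothetical, and the TCP headers are constructed sample data, not captured traffic. Running it against the three rules from the question shows that an ECN-setup SYN (SYN+ECE+CWR) matches none of them while a plain SYN matches the third, and `flag_names` renders every set flag so the difference between the two packets is visible, unlike the quoted "(SYN)" log line.

```python
import struct

# TCP flag bits as they appear in byte 13 of the TCP header (RFC 793 / RFC 3168).
TCP_FLAG_BITS = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
    "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80,
}


def parse_tcp_flags_spec(spec):
    """Turn a RouterOS-style tcp-flags value into (must_be_set, must_be_clear) bitmasks.

    Assumed semantics (a modelling assumption, not RouterOS source): a bare flag name
    must be set, a '!'-prefixed name must be clear, an unmentioned flag is ignored.
    """
    must_set = must_clear = 0
    for token in spec.split(","):
        token = token.strip().lower()
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r} in spec {spec!r}")
        bit = TCP_FLAG_BITS[name]
        if negate:
            must_clear |= bit
        else:
            must_set |= bit
    if must_set & must_clear:
        raise ValueError(f"flag required both set and clear in spec {spec!r}")
    return must_set, must_clear


def matches(spec, flags_byte):
    """True when the packet's flags byte satisfies the tcp-flags spec."""
    must_set, must_clear = parse_tcp_flags_spec(spec)
    return (flags_byte & must_set) == must_set and (flags_byte & must_clear) == 0


def flags_from_tcp_header(header):
    """Extract the flags byte from a raw TCP header (byte 13, right after the data offset)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return header[13]


def flag_names(flags_byte):
    """Render every set flag, e.g. 'SYN,ECE,CWR', so nothing is hidden the way a terse log line can hide it."""
    names = [name.upper() for name, bit in TCP_FLAG_BITS.items() if flags_byte & bit]
    return ",".join(names) or "none"


# The three tcp-flags values from the question (action and chain do not affect matching).
RULES = {
    "syn_ack":  "!fin,syn,!rst,!psh,ack,!urg,!ece,!cwr",
    "ack_only": "!fin,!syn,!rst,!psh,ack,!urg,!ece,!cwr",
    "syn_only": "!fin,syn,!rst,!psh,!ack,!urg,!ece,!cwr",
}


def build_tcp_header(flags_byte, src_port=40000, dst_port=443):
    """Constructed 20-byte TCP header with the given flags (checksum left at zero; sample data, not a capture)."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, data_offset, flags_byte, 65535, 0, 0)


# Constructed sample packets: plain SYN, ECN-setup SYN (SYN+ECE+CWR), SYN/ACK, bare ACK.
SAMPLE_PACKETS = {
    "plain SYN":     build_tcp_header(TCP_FLAG_BITS["syn"]),
    "ECN-setup SYN": build_tcp_header(TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ece"] | TCP_FLAG_BITS["cwr"]),
    "SYN/ACK":       build_tcp_header(TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"]),
    "bare ACK":      build_tcp_header(TCP_FLAG_BITS["ack"]),
}


def evaluate(packets=SAMPLE_PACKETS, rules=RULES):
    """Return {packet label: [names of the rules that match it]}."""
    result = {}
    for label, header in packets.items():
        flags = flags_from_tcp_header(header)
        result[label] = [rule for rule, spec in rules.items() if matches(spec, flags)]
    return result


if __name__ == "__main__":
    hits = evaluate()
    for label, header in SAMPLE_PACKETS.items():
        flags = flags_from_tcp_header(header)
        print(f"{label:14s} flags={flag_names(flags):12s} matches={hits[label]}")
```

When a rule "never fires", run the matcher over the flags byte of the packets you believe should hit it (from a packet capture rather than from the firewall log) before concluding the rule is broken; a log line that prints only "(SYN)" cannot tell an ECN-setup SYN from a plain one.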