The order of firewall rules

There is one thing I’m wondering. Well, just now.
The “drop invalid” rule.
Many configurations put this rule as the second or third rule in the chain. Usually the first rule is “accept established,related,untracked”.
I understand these rules work in order: first rule, second rule and so on.
Now, the first rule “accept established,related,untracked” lets traffic flow if the traffic is “established,related,untracked”. And the firewall does not check the following rules anymore?
What if this “established,related,untracked” traffic contains something “invalid”? Is it checked by the firewall at all?
Should “drop invalid” be the first rule?

Another thing, does this “drop invalid” really need all this: http://forum.mikrotik.com/t/for-isp-how-to-really-block-invalid-icmp-tcp-udp-packets-and-others-ver-2021/75627/1 ? (How to really block invalid ICMP, TCP, UDP packets and others (ver. 2021))

No.
Please read https://forum.mikrotik.com/viewtopic.php?t=180838

TL;DR, connection tracking recognizes five states and each packet can have only one. If it’s established, it can’t be invalid. There are more established/related/untracked packets than invalid, so that’s why that rule is first.

As per the link, to make the invalid rule have more teeth, ensure TCP connection tracking is set to strict (do not check the box for loose tracking).

( ip firewall connections tracking )

Ok, that makes sense. I lost my focus and I didn’t realise that a packet can have only one state. I’m quite happy to have a Mikrotik router because all problems are solved sooner or later here in the forum.

Do you have a “drop everything else” kind of rule in the final? If you have, why bother?

BTW: You should be the happiest by being the owner of a RB5009, not just “quite happy”. :wink:

Yes, of course I have “drop everything” at the end of the chains. Just making things clear to me.
My state of happiness is now elevated to the top.

Don’t go overboard with emotions about an inanimate object there paulz. :wink:

It’s not the same actually.

Imagine this scenario: you have the usual sequence of firewall filter rules:

  1. accept established,related,untracked
  2. accept connections for your service (e.g. protocol=tcp dst-port=80)
  3. drop everything

So if some malicious device sent a packet targeting your HTTP server that was invalid according to the firewall’s connection tracking machinery, the filter rule set above would still allow such a malicious packet to be forwarded to the server behind the firewall. If there’s a “drop invalid” rule right after rule #1 above (or even as the absolute first rule), then the malicious packet wouldn’t reach the backend server.
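The scenario above written out as RouterOS CLI, as an added example that is not from this thread or from MikroTik’s documentation: the weak order first, then the fix inserted with `place-before`, plus the strict TCP tracking setting mentioned earlier. The forward chain, the tcp/80 service and the comment strings are assumptions.

```routeros
# Weak order (the scenario above). Nothing drops packets that connection
# tracking classifies as invalid, so an invalid packet aimed at tcp/80 is
# accepted by the service rule and forwarded to the backend.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="fast path for tracked flows"
add chain=forward action=accept protocol=tcp dst-port=80 \
    comment="HTTP to backend"
add chain=forward action=drop comment="drop everything else"

# Fix: a packet has exactly one connection-state, so rule 1 can never swallow
# an invalid packet; dropping invalid before the service accept is enough.
# place-before keeps the fast path first and puts the new rule second.
/ip firewall filter
add chain=forward action=drop connection-state=invalid \
    place-before=[find comment="HTTP to backend"] \
    comment="drop invalid before any service accept"

# Strict TCP tracking, as advised earlier in the thread: with loose tracking
# enabled, conntrack picks up mid-stream TCP and marks fewer packets invalid.
/ip firewall connection tracking set loose-tcp-tracking=no

# Verify the order: expect accept established, drop invalid, accept tcp/80, drop.
/ip firewall filter print where chain=forward
```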

So in the case of the 5009, I believe it has enough CPU power to handle traffic if “drop invalid” is the first rule (it will check all the packets for “invalid”)? But I think I will keep it as the second rule. I don’t want to push my nice router even close to the limits…

Many people use far lesser powered routers with the same ruleset with no degradation in performance.
So keep it as is.

input chain
(default rules)
1 accept, established
2 drop invalid
3 allow icmp
4 (admin rules)
5 drop all else.

Apologies, the post referred to above as key information does not exist. Could someone (@anav) point me in the right direction, please?


Please read viewtopic.php?t=180838 (and when I go there, I get)
Information
The requested topic does not exist.

https://web.archive.org/web/20230524131930/https://forum.mikrotik.com/viewtopic.php?t=180838

That’s because a certain fire spitting Llama removed quite a bit of earlier made user instruction articles (as author, he had the right to do so).

Fortunately (or unfortunately, depending on who looks at it), there exists something like web.archive.org
https://web.archive.org/web/20230324115929/https://forum.mikrotik.com/viewtopic.php?t=180838

EDIT: someone beat me to it :laughing:

WOW, thanks guys, really worthwhile page, so glad there is a time machine :smiley: