Is there a way to know which rule is a connection matching?
For example:
On the Connections tab of the Firewall screen, I can see a connection from 192.168.0.31:56880 to 192.168.1.254:8291 for managing my router via Winbox.
How can I know which rule is allowing that connection?
Yes, you are right. I didn’t formulate the question properly.
I would like to know somehow which rule allowed the connection to be initiated.
The issue I have is that I created a rule to allow Input to the router via Winbox.
I’m connecting to the router and the packet count for that rule is 0.
So, I would like to trace how those packets are coming in.
The order of rules matters, and if there is an “action=accept connection-state=established,…” rule in the input chain of the filter before (above) your new permissive rule for the Winbox access, that new rule will only count for a newly established connection, not for an already existing one. Also, if there is no “drop the rest” rule at the end of the input chain of the filter, all packets which did not match any of the existing rules will be accepted.
The only way to determine which rule is responsible for accepting a particular packet is to set log=yes log-prefix=rule- on all the rules and look in the log to see which one has logged a packet with the IP addresses and ports you are looking for. /log print follow-only where topics~"firewall" message~"8291" will show you only the relevant log rows as they are being generated - if there is a lot of traffic, the log buffer will start being overwritten very soon.
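Added example, not part of the original thread: a Python script that reads firewall log lines saved from the router and reports, for one destination address and port, which log-prefix logged the connection-opening packet and which logged the later packets of the same flow. The log line layout, the rule-N prefixes and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is assumed to be the usual RouterOS form:
# "<prefix> <chain>: in:<if> out:<if>, ..., proto TCP (<flags>), src:port->dst:port, len N"
SAMPLE_LOG = """\
12:00:01 firewall,info rule-3 input: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (SYN), 192.168.0.31:56880->192.168.1.254:8291, len 52
12:00:01 firewall,info rule-1 input: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (ACK), 192.168.0.31:56880->192.168.1.254:8291, len 40
12:00:02 firewall,info rule-1 input: in:bridge out:(unknown 0), src-mac 00:00:5e:00:53:01, proto TCP (ACK,PSH), 192.168.0.31:56880->192.168.1.254:8291, len 92
12:00:02 firewall,info rule-5 input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:02, proto TCP (SYN), 203.0.113.9:40000->192.168.1.254:22, len 60
"""

LINE_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:.*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def rules_for_flow(log_text, dst, dport):
    """Return {log-prefix: Counter of 'new'/'existing' packets} for traffic to dst:dport."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dst"] != dst or int(m["dport"]) != dport:
            continue
        flags = set((m["flags"] or "").split(","))
        # A bare SYN opens a connection; every other packet belongs to a
        # connection that already exists, so an "established" accept rule
        # placed above the Winbox rule is the one that will log it.
        kind = "new" if flags == {"SYN"} else "existing"
        hits.setdefault(m["prefix"], Counter())[kind] += 1
    return hits

def opening_rule(log_text, dst, dport):
    """Log-prefix of the rule that logged the connection-opening packet, or None."""
    for prefix, counts in rules_for_flow(log_text, dst, dport).items():
        if counts["new"]:
            return prefix
    return None

if __name__ == "__main__":
    print(rules_for_flow(SAMPLE_LOG, "192.168.1.254", 8291))
    print("opened by:", opening_rule(SAMPLE_LOG, "192.168.1.254", 8291))
```

If opening_rule returns None for a session that is already up, the opening packet was logged before the capture started; disconnect and reconnect so a new connection is made while logging is on.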