Martin4
newbie
Topic Author
Posts: 35
Joined: Sat Dec 29, 2018 2:22 am

chain -> input action -> drop [SOLVED]

Sun Jan 06, 2019 9:54 pm

Hi,
I can't understand the use of the rule:
add chain=input action=drop
In particular,
I find many firewall rules on the internet, and some groups of rules have that rule at the end.
So, I can't understand if I must write this rule every time I write rules, or if it's sufficient only once at the end of all the rules I have???

For example: I already have a rule to block ping; if now I want to add other rules that need the rule "input...drop" to drop all the rest, what must I do?? Add one, or move to the end the one I already inserted in the past?

Then, do firewall rules have a sequence? Does MikroTik execute rules from 1 to..., or do the rules all have the same importance?
Practically, are they considered in a sort of "OR" and "AND" without any sequence?

Thanks to all and sorry for my bad English.
Last edited by Martin4 on Tue Jan 08, 2019 11:18 pm, edited 1 time in total.
 
Pea
Member Candidate
Posts: 229
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: chain -> input action -> drop

Mon Jan 07, 2019 12:47 am

When processing a chain, rules are taken from the chain in the order they are listed there, from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted.

Therefore the final drop rule is important. Design your firewall this way: accept only what you need, drop everything else.

https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains
 
Martin4
newbie
Topic Author
Posts: 35
Joined: Sat Dec 29, 2018 2:22 am

Re: chain -> input action -> drop

Mon Jan 07, 2019 1:47 am

Hi, thank you for the reply.
I had already read the wiki but I still don't understand, so I wrote...
So...
1)
The drop rule at the end must be one and only one, right?
So, if I add some new rules in the future, I must insert them before the "drop all" rule that was at the end, right?
I'll have to move the drop-all rule to the end again, right?
In some example groups of rules I sometimes found "drop input" (with no other specifications, so... drop all!) not at the end!
?? In this case, will all the following rules never be read???

2)
Then, you and the wiki wrote:
If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action)
So, assuming I don't receive attacks every second, and assuming that the router works more for my rules than for the attacks received, and as the firewall works from top to bottom, in order to make the CPU work less, is it better to put my network rules first? (And then the rules for attack protection...)
So the router doesn't read every time all those rules that maybe aren't needed... right?
Thank you.

3)
If I disable a service and don't NAT or open the port of that service, can I disable the related rules?
Example: disable the FTP service, so I don't need to open port 21 and add firewall rules... right?

4)
Inside the same rule, for example an accept rule, is all I add interpreted with OR or AND by the firewall??
Example, accept rule: connection matches an address-list, in-interface, out-interface, connection-nat-state=dstnat
Are all these options read with OR or AND logic?

Thank you.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: chain -> input action -> drop

Mon Jan 07, 2019 6:45 pm

Hi there,
The basic rules for both the input chain and the forward chain are
allow established and related connections
drop invalid connections
++++++++++++++++++++++++
drop all else

If you need to permit traffic, then you create allow rules where the +++++++++++++ is located.

For example, in my input chain I have a rule to allow ME, the admin, to access the router (i.e. for winbox or ssh, for example).
Also on the input chain I allow access to DNS (UDP and TCP) on port 53.

On the forward side, one may need to allow VPN traffic, for example.
In my case I make allow rules for
LAN to WAN traffic
VLAN to WAN traffic
PORT FORWARDING rule (which permits all my dstnat rules in the IP FIREWALL NAT section to be functional).

A good place to start setting up the router is this page:
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Here is a good reference page that explains the function of the options:
https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter
 
Martin4
newbie
Topic Author
Posts: 35
Joined: Sat Dec 29, 2018 2:22 am

Re: chain -> input action -> drop

Tue Jan 08, 2019 3:29 pm

Thank you anav, all clear.
Yes, I read the wiki but I don't understand some points...
If you want, can you read points 1, 2, 3 and 4 in my previous post and clear up those doubts for me?
Point 1 you probably already cleared up; I understand that only one goes, and at the end? Right?
Point 4 is the most important for me to make rules...
Thank you very much!
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: chain -> input action -> drop

Tue Jan 08, 2019 4:36 pm

Answer to question 2:
It doesn't matter; the router will check every rule until it is matched with one of them, so the workload of the router is the same.

Answer to question 3:
My understanding is you don't have to open ports for a service if you access it from the LAN side. If you disable a service, this means the router won't run this service and this port will not be listening or open unless it is dst-NATed.

Answer to question 4:
When setting up a rule, the conditions are ALL. So in your example, the packet will be accepted only if it meets all of the conditions set, e.g. interface, type, src-address or address-list, etc.
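Added example, not RouterOS code and not written by any poster in this thread: a small Python model of how a filter chain is walked, tying together Pea's description (rules taken top to bottom, first match decides, passthrough excepted, unmatched traffic accepted at the end of a built-in chain), anav's skeleton of a chain, and solar77's answers to questions 2 and 4. The rule lines and packets are constructed; the handful of match properties, the interface names and the "admin" address list are assumptions of the toy, and the matcher models only that subset of what RouterOS actually supports.

```python
"""Toy walk of a RouterOS filter chain, added for this thread.

Not RouterOS code: the rule syntax is the 'add chain=... action=...'
form used in the thread, but only a handful of match properties are
modelled and the matcher is a deliberate simplification.
"""
import shlex

# Match properties understood by this toy (a hypothetical subset of RouterOS's).
MATCH_KEYS = ("in-interface", "protocol", "dst-port",
              "src-address-list", "connection-state")


def parse_rule(line):
    """Turn 'add chain=input protocol=icmp action=drop' into a dict.
    Comma-separated match values (established,related) become a set."""
    tokens = shlex.split(line)
    if tokens[0] != "add":
        raise ValueError(f"not an add command: {line!r}")
    rule = {"action": "accept"}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rule[key] = set(value.split(",")) if key in MATCH_KEYS else value
    return rule


def matches(rule, packet):
    """Every matcher present in the rule must hold (AND logic);
    a matcher the rule does not mention matches anything."""
    return all(packet.get(key) in rule[key]
               for key in MATCH_KEYS if key in rule)


def walk_chain(rules, chain, packet):
    """Evaluate one packet against a chain, top to bottom.
    Returns (verdict, rules_consulted).  The first matching rule decides,
    except action=passthrough, which matches but keeps walking; a packet
    that falls off the end of a built-in chain is accepted."""
    consulted = 0
    for rule in rules:
        if rule["chain"] != chain:
            continue
        consulted += 1
        if matches(rule, packet) and rule["action"] != "passthrough":
            return rule["action"], consulted
    return "accept", consulted


# Constructed input chain following the skeleton given in the thread:
# established/related, invalid, the "+++" allow rules, then drop all else.
FIREWALL = [parse_rule(line) for line in """
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge protocol=tcp dst-port=22 src-address-list=admin action=accept
add chain=input in-interface=bridge protocol=udp dst-port=53 action=accept
add chain=input protocol=icmp action=drop
add chain=input action=drop
""".strip().splitlines()]


def catch_all_first(rules):
    """The same rules with the bare 'drop' moved to the top (the ordering
    mistake the thread asks about)."""
    bare = [r for r in rules if r["action"] == "drop"
            and not any(k in r for k in MATCH_KEYS)]
    return bare + [r for r in rules if r not in bare]


# Constructed packets (dicts of the same match properties).
ADMIN_SSH = {"in-interface": "bridge", "protocol": "tcp", "dst-port": "22",
             "src-address-list": "admin", "connection-state": "new"}
LAN_USER_SSH = {k: v for k, v in ADMIN_SSH.items() if k != "src-address-list"}
WAN_SSH = {"in-interface": "ether1", "protocol": "tcp", "dst-port": "22",
           "connection-state": "new"}
REPLY = {"in-interface": "ether1", "protocol": "tcp", "dst-port": "54321",
         "connection-state": "established"}
LAN_PING = {"in-interface": "bridge", "protocol": "icmp",
            "connection-state": "new"}

if __name__ == "__main__":
    cases = [("admin ssh from LAN", ADMIN_SSH), ("other LAN host ssh", LAN_USER_SSH),
             ("new ssh from WAN", WAN_SSH), ("reply of established flow", REPLY),
             ("ping from LAN", LAN_PING)]
    for title, rules in [("correct order", FIREWALL),
                         ("catch-all drop first", catch_all_first(FIREWALL)),
                         ("final drop missing", FIREWALL[:-1])]:
        print(f"--- {title}")
        for name, pkt in cases:
            verdict, n = walk_chain(rules, "input", pkt)
            print(f"{name:28} -> {verdict:6} after {n} rule(s)")
```

Running it prints the verdict and the number of rules consulted for each packet under three orderings: the correct order, the bare drop moved to the top (everything is dropped at rule 1, replies of established connections included), and the final drop removed (the new SSH attempt from the WAN side falls off the end of the chain and is accepted, which is the default Pea describes). The rules-consulted column is why the established/related accept sits first: most packets belong to an existing connection and leave the chain after one rule. For question 4, the LAN host that is not in the admin address list hits the same port on the same interface as the admin, but fails the one matcher it lacks, so the accept rule does not fire and the packet reaches the final drop.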
 
Martin4
newbie
Topic Author
Posts: 35
Joined: Sat Dec 29, 2018 2:22 am

Re: chain -> input action -> drop

Tue Jan 08, 2019 11:17 pm

OK, all clear, thank you very much solar77.
And thanks to all... solved.
