Topic Author
Posts: 25
Joined: Wed Aug 15, 2018 8:26 pm

Firewall rule Order

Tue Mar 26, 2019 7:12 pm

I would like to know in which order I have to put the firewall rules.
Drop first or accept first?
I am just beginning.
Thank you.
Forum Guru
Posts: 2971
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Firewall rule Order

Tue Mar 26, 2019 7:19 pm

Depends on your personal concept for firewalls.
Some prefer (like me) that one, for the most part, is only required to add rules when adding traffic flow, using drop all else as the last rule.
In other words, everything is explicitly denied, unless specifically allowed.

Some prefer (had lobotomies) to assume everything is permitted and thus need to drop all traffic not required. In other words, everything is explicitly allowed, unless specifically denied.

I believe the first method is more efficient, cleaner and easier to read. In practical terms, I have no idea what I am doing and thus it is easier and safer for me not to automatically allow all sorts of traffic I have no clue about and/or rely on me to know which things I should be dropping.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Firewall rule Order

Tue Mar 26, 2019 7:47 pm

Allow what you specifically want allowed, then deny all. This is the last rule in the Forward chain. There is a similar one at the end of the Input chain.
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Firewall rule Order

Wed Mar 27, 2019 10:31 am

Rules are processed top down. Allow only what you want and block everything else.
Your most used rules at the top (established & related)
I stick a drop invalid packets here
Accept stuff you want
Drop everything else
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
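
The ordering described in the replies above, written out as a RouterOS filter sketch. This is an added example, not part of any poster's message; the interface lists LAN and WAN and the choice of what counts as "stuff you want" are assumptions.

```routeros
# Added example. Assumes interface lists named LAN and WAN already exist
# under /interface list; adjust the accept rules to your own traffic.
/ip firewall filter

# --- forward chain: traffic passing through the router ---
# 1. Most-used rule at the top: packets of connections already allowed
add chain=forward action=accept connection-state=established,related \
    comment="Accept established, related"
# 2. Drop packets that connection tracking classifies as invalid
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid"
# 3. Accept what you want (assumption: LAN hosts going out through WAN)
add chain=forward action=accept in-interface-list=LAN \
    out-interface-list=WAN comment="Accept LAN to WAN"
# 4. Last rule: everything that matched nothing above
add chain=forward action=drop \
    comment="Drop any forward packets that get this far"

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="Accept established, related"
add chain=input action=drop connection-state=invalid \
    comment="Drop invalid"
# Assumption: the router is managed only from the LAN side. This accept
# must sit above the final drop, or the drop cuts off your own session.
add chain=input action=accept in-interface-list=LAN \
    comment="Accept management from LAN"
add chain=input action=drop \
    comment="Drop any input packets that get this far"
```

Each `add` appends to the end of the chain, so entering the lines in this sequence produces the top-down evaluation order; `/ip firewall filter print` shows the order the router will actually use.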
