OKNET
Member Candidate
Topic Author
Posts: 237
Joined: Mon Jun 22, 2015 9:22 am

New filter rules ?

Mon Jul 22, 2019 4:02 pm

Looking at the filter rules after a hAP lite on 6.45.2 has been reset to its default configuration:
0  D comment=special dummy rule to show fasttrack counters chain=forward action=passthrough 
 1    comment=defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked 
 2    comment=defconf: drop invalid chain=input action=drop connection-state=invalid 
 3    comment=defconf: accept ICMP chain=input action=accept protocol=icmp 
 4    comment=defconf: accept to local loopback (for CAPsMAN) chain=input action=accept dst-address=127.0.0.1 
 5    comment=defconf: drop all not coming from LAN chain=input action=drop in-interface-list=!LAN 
 6    comment=defconf: accept in ipsec policy chain=forward action=accept ipsec-policy=in,ipsec 
 7    comment=defconf: accept out ipsec policy chain=forward action=accept ipsec-policy=out,ipsec 
 8    comment=defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related 
 9    comment=defconf: accept established,related, untracked chain=forward action=accept connection-state=established,related,untracked 
10    comment=defconf: drop invalid chain=forward action=drop connection-state=invalid 
11    comment=defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 
Are rules 0, 4, 6, 7 new?
 
mkx
Forum Guru
Posts: 3185
Joined: Thu Mar 03, 2016 10:23 pm

Re: New filter rules ?

Mon Jul 22, 2019 4:09 pm

Rules #0, #6 and #7 are around for quite some time (let's say at least since 6.42 if not earlier ... rule #0 is probably around ever since fast-track got introduced) ... rule #4 is new to me as well ...
BR,
Metod
 
anav
Forum Guru
Posts: 3120
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New filter rules ?

Mon Jul 22, 2019 9:48 pm

Concur, #4 is a new default rule, the rest have, as has been stated, been around for a while.
What would the effect of rule 4 be, mkx? An obvious question not answered...
An environmentally friendly post would have included the obvious negating the need for a question and the subsequent response. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: New filter rules ?

Mon Jul 22, 2019 10:12 pm

You know what CAPsMAN is and that client devices need to connect to the controller. But what if both are the same device?

The previous firewall for the input chain dropped packets from WAN, but the current one drops packets from "not LAN". The CAPsMAN connection in the above case comes from the loopback interface, but you can't add it to the LAN interface list, because MikroTik doesn't show it to us as an existing interface. So an extra rule is needed (if you use CAPsMAN to control the same device; otherwise you can get rid of it).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
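To make Sob's point concrete, here is an added example (not code from the thread or from MikroTik): a Python first-match model of the default input chain, assuming the LAN interface list contains only "bridge", the WAN list only "ether1", and a constructed first packet from the loopback interface to 127.0.0.1. It shows the loopback packet being accepted by rule 4 and, with rule 4 removed, being dropped by "drop all not coming from LAN" because "lo" can never be a LAN-list member.

```python
# Added example, not from the thread: first-match model of the RouterOS
# defconf input chain. Interface lists and packets are constructed.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}  # assumed membership

# Subset of the defconf input chain quoted in the thread, in original order.
DEFCONF_INPUT = [
    dict(comment="accept established,related,untracked", action="accept",
         connection_state={"established", "related", "untracked"}),
    dict(comment="drop invalid", action="drop", connection_state={"invalid"}),
    dict(comment="accept ICMP", action="accept", protocol="icmp"),
    dict(comment="accept to local loopback (for CAPsMAN)", action="accept",
         dst_address="127.0.0.1"),
    dict(comment="drop all not coming from LAN", action="drop",
         in_interface_list="!LAN"),
]

def _in_list(iface, spec):
    """Evaluate in-interface-list=NAME or the negated form !NAME."""
    negate = spec.startswith("!")
    members = INTERFACE_LISTS.get(spec.lstrip("!"), set())
    return (iface in members) != negate

def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst_address" in rule and pkt["dst_address"] != rule["dst_address"]:
        return False
    if "in_interface_list" in rule and not _in_list(pkt["in_interface"], rule["in_interface_list"]):
        return False
    return True

def input_chain_verdict(pkt, rules):
    """(action, comment) of the first matching rule; an unmatched packet is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "end of chain (implicit accept)"

# Constructed packet: the local CAP's first packet to CAPsMAN on the same router.
CAPSMAN_LOOPBACK = dict(in_interface="lo", protocol="udp",
                        dst_address="127.0.0.1", connection_state="new")

def with_rule4():
    return input_chain_verdict(CAPSMAN_LOOPBACK, DEFCONF_INPUT)

def without_rule4():
    trimmed = [r for r in DEFCONF_INPUT if "loopback" not in r["comment"]]
    return input_chain_verdict(CAPSMAN_LOOPBACK, trimmed)
```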
 
anav
Forum Guru
Posts: 3120
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New filter rules ?

Tue Jul 23, 2019 12:10 am

> You know what CAPsMAN is and that client devices need to connect to the controller. But what if both are the same device?
>
> The previous firewall for the input chain dropped packets from WAN, but the current one drops packets from "not LAN". The CAPsMAN connection in the above case comes from the loopback interface, but you can't add it to the LAN interface list, because MikroTik doesn't show it to us as an existing interface. So an extra rule is needed (if you use CAPsMAN to control the same device; otherwise you can get rid of it).
Thank you Sob; so if the wifi controller is on a wifi device, ergo one needs to account for that.
Personally, I don't use CAPsMAN for a two-cAP-ac household (who needs all the overhead and complication?), but I can see where this could be an issue. I would set up CAPsMAN on my RB450Gx4 anyway...

In any case, it's not coming to a device anytime soon, because 6.45.2 needs some serious love and attention before it goes on any of my devices.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Sob
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: New filter rules ?

Tue Jul 23, 2019 12:33 am

Seeing your comment in the 6.45.2 thread, I'm not sure if your devices should be more afraid of buggy RouterOS or of you. Or maybe I'm misinterpreting a totally innocent comment. ;)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
anav
Forum Guru
Posts: 3120
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New filter rules ?

Tue Jul 23, 2019 5:49 pm

> Seeing your comment in the 6.45.2 thread, I'm not sure if your devices should be more afraid of buggy RouterOS or of you. Or maybe I'm misinterpreting a totally innocent comment. ;)
Oh no doubt, when MT products see me coming they shiver and not in a happy excited way. Bull in a china shop comes to mind. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)