I'm currently setting up my first MikroTik router (hEX: RB750Gr3).
I have read all the chapters about the firewall, but certain things are still unclear...
What are dynamic rules?
And what is this rule?
/ip firewall filter print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
 0   ;;; defconf: accept established,related,untracked
     chain=input action=accept connection-state=established,related,untracked
 1   ;;; defconf: drop invalid
     chain=input action=drop connection-state=invalid
 2   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp
 3   ;;; defconf: drop all not coming from LAN
     chain=input action=drop in-interface-list=!LAN
If I want to improve this default config a little, I could:
- remove "untracked" from rule 0
- change rule 2 into: chain=input action=accept protocol=icmp in-interface=ether2-master (meaning only LAN devices will be able to send ICMP, correct?)
- is it possible to create an additional rule that says: drop everything that is not TCP:80 on LAN? (I can't find it...)
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
 2   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
 3   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection connection-state=established,related
 4   ;;; defconf: accept established,related, untracked
     chain=forward action=accept connection-state=established,related,untracked
 5   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
 6   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
- What is the purpose of rules 5 & 6?
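Added example (not part of the original post): the three changes proposed above, written as RouterOS CLI commands against the hEX default firewall shown in the listings. It assumes the default "LAN" and "WAN" interface lists exist (the defconf creates them), that the defconf rule comments are unchanged so they can be used to address the rules, and that "drop everything that is not TCP:80 on LAN" means traffic LAN hosts send through the router (forward chain), not traffic to the router itself (input chain). The `D` rule is created by RouterOS itself and is not touched by any of this.

```routeros
# Added example, not from the original post. Assumes the defconf rule comments
# are still present and the "LAN"/"WAN" interface lists exist.
/ip firewall filter

# 1. Remove "untracked" from the input accept rule. Only packets that a
#    /ip firewall raw action=notrack rule has exempted from connection tracking
#    carry this state, so once it is gone such packets fall through to the
#    following rules and must be matched (or dropped) there explicitly.
set [find comment="defconf: accept established,related,untracked"] \
    connection-state=established,related \
    comment="defconf: accept established,related"

# 2. Accept ICMP to the router only from the LAN side. Matching the interface
#    list instead of one port keeps the rule valid for any port in the LAN group;
#    in-interface=ether2-master also works while ether2 is the master port.
#    Everything else that reaches the input chain from non-LAN interfaces is
#    still dropped by "defconf: drop all not coming from LAN".
set [find comment="defconf: accept ICMP"] in-interface-list=LAN

# 3. LAN hosts may only open TCP/80 through the router; all other new traffic
#    from LAN is dropped. Both rules are placed after "drop invalid" and before
#    the WAN rule, so reply traffic is still passed by the earlier
#    established,related rules. Caution: this also blocks DNS (UDP/53),
#    HTTPS (TCP/443), NTP and outbound ping from the LAN; add accept rules
#    for those ports first if you need them.
add chain=forward in-interface-list=LAN protocol=tcp dst-port=80 action=accept \
    comment="LAN: allow HTTP out" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward in-interface-list=LAN action=drop \
    comment="LAN: drop everything else" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# Verify the resulting order and counters before relying on it.
print
```

On rule order: the first `add` lands directly before the WAN drop rule, and the second `add` lands before the same rule, i.e. after the first, so the accept is always evaluated before the catch-all drop. Check with `print` (or `print stats`) that the "LAN: allow HTTP out" counter grows when a LAN host browses, and that the "drop everything else" counter shows what you expected to block.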