I've been testing the firewall feature on the CRS328, and I struggle to understand the following ruleset:
I would expect that the first line would block all incoming traffic on ether1 addressed to the router. IP connections via Winbox and ping are blocked, but I'm still able to connect using Winbox and mac-telnet.
/ip firewall filter
add action=drop chain=input comment="Block mgmt on eth1" in-interface=ether1
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
If I enable logging, I can see that the telnet packets are listed by the rule. So the filter is capturing the packets, but still forwards them to the CPU?
The ether1 interface is not part of any bridge configuration.
Note: I know there are many alternatives to block mac-telnet, but I'm trying to understand why the above rules don't work, and possible consequences for other protocols.
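An added configuration example (not from the original post) that restricts the MAC-based management services independently of the IP filter: in RouterOS the mac-telnet and MAC-Winbox servers are configured under /tool mac-server with their own allowed-interface-list, so that setting is the one to check when /ip firewall filter behaves unexpectedly for them. The interface list name LAN and the member interface ether2 are assumptions for illustration.

```routeros
# Assumed names for this example: an interface list "LAN" containing ether2,
# which is the only interface that should be allowed to reach MAC-based services.
/interface list add name=LAN
/interface list member add list=LAN interface=ether2

# mac-telnet and MAC-Winbox have their own allowed-interface-list; ether1 is
# not a member of LAN, so neither service answers frames arriving there.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Neighbor discovery (MNDP) is restricted the same way so the router does not
# advertise itself on ether1.
/ip neighbor discovery-settings set discover-interface-list=LAN

# Verify the effective settings.
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
```

The IP filter rules from the post still apply to IP traffic entering the input chain; this example only adds the per-service interface restriction so that MAC-based access does not depend on the filter's handling of those packets.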