wildsquirrel
just joined
Topic Author
Posts: 2
Joined: Tue Jan 19, 2021 8:25 am

Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 3:52 am

I have a feeling I know the answer, but just double checking to make sure I'm not missing anything.

When learning all about the firewall, I see a lot of videos and documents where people have their firewall rules for input and forward chains all mixed together. Sort of like this.

input rule 1
input rule 2
forward chain rule 1
input rule 3
forward chain rule 2
input rule 4
forward chain rule 3
forward chain rule 4
forward chain rule 5 (the final deny rule on forward chain)
input rule 5 (the final deny rule on input chain)

But I'm not sure why so many people do it this way, it seems sloppy. Won't any input chain traffic just skip right over those forward chain rules, and just go through input rules in order 1,2,3,4,5?

Wouldn't the exact same effect be achieved by organizing them like shown below, while providing easier readability? Since traffic should be destined for one chain or the other, no reason to interlace them together right?

input rule 1
input rule 2
input rule 3
input rule 4
input rule 5 (the final deny rule on input chain)
forward chain rule 1
forward chain rule 2
forward chain rule 3
forward chain rule 4
forward chain rule 5 (the final deny rule on forward chain)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 4:41 am

The router doesn't care. A packet always goes into either input or forward. It's not skipping over rules in the other chain; it's just that both chains are displayed on the same screen, but in reality they are completely separate. I agree that having the rules for each chain together, rather than mixing them with each other, is much cleaner. But since it doesn't make a difference to the router, it's really just an opinion. Someone can have a different one, which would be wrong for me, but not objectively wrong.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 4:18 pm

The chains are independent from each other, but the order shown within a chain is important.
100% agree that, for ease of troubleshooting and understanding one's config, separating the chains is logical and clean; anything else is stewpid!

Now what I want to know is if my explanation is superior to Sob's. I need an ego boost today. ;-)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 4:32 pm

If I say that I learned a lot from your post, will you believe me? ;)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 7:04 pm

If I say that I learned a lot from your post, will you believe me? ;)
Yes, I believe you learned how to be more accurate, succinct and blunt!
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Basic question about firewall rule organization, and grouping by chains.

Sat Jan 23, 2021 8:48 pm

I group all my chains together. As noted before, the router does not care, but it makes it far easier for the poor human being that has to read it, and that would be me.
You can also create any other chains that you want. It speeds up processing if you can jump to a different chain for one certain type of traffic that needs a lot of rules. Only send that type of traffic to the new chain.
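An added example, not code from the thread and not RouterOS itself: a small Python model of the first-match, per-chain evaluation that Sob, anav and k6ccc describe above. Every packet is evaluated only against rules in its own chain (input or forward), top to bottom, and the first accept or drop wins; a custom chain reached by a jump returns to the rule after the jump if it falls off its end, and a built-in chain that falls off its end accepts (the RouterOS default, which is why the thread's "final deny rule" exists). The rule set, the chain name `wan-services`, the addresses and the sample packets are all constructed for illustration; connection tracking, `log`, `passthrough` and other actions are deliberately left out. The model shows that interleaving the two chains gives exactly the same verdicts as grouping them, while moving one rule within a chain changes the result.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumption: simplified RouterOS-style filter semantics. Rules are scanned
# top to bottom but only those in the packet's chain are considered; the
# first accept/drop is final; a custom chain with no verdict returns to the
# caller; a built-in chain with no verdict accepts (default policy).

@dataclass(frozen=True)
class Packet:
    chain: str          # "input" (to the router itself) or "forward" (through it)
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    chain: str
    action: str         # "accept", "drop" or "jump"
    match: Callable[[Packet], bool] = lambda p: True
    jump_target: Optional[str] = None
    comment: str = ""

BUILTIN_CHAINS = {"input", "forward"}

def evaluate(rules, pkt, chain=None):
    """Return 'accept' or 'drop' for pkt; None when a custom chain gives no verdict."""
    chain = chain or pkt.chain
    for r in rules:
        if r.chain != chain or not r.match(pkt):
            continue                       # rules in other chains are simply not this chain
        if r.action in ("accept", "drop"):
            return r.action
        if r.action == "jump":
            verdict = evaluate(rules, pkt, r.jump_target)
            if verdict is not None:
                return verdict
            # custom chain fell off its end: continue with the next rule here
    return "accept" if chain in BUILTIN_CHAINS else None

def from_lan(p):                           # constructed LAN prefix 192.168.88.0/24
    return p.src.startswith("192.168.88.")

# Each chain's rules in the order they must be evaluated (comments double as labels)
INPUT_RULES = [
    Rule("input", "accept", from_lan, comment="allow LAN to reach the router"),
    Rule("input", "jump", lambda p: not from_lan(p), "wan-services", "WAN -> services chain"),
    Rule("input", "drop", comment="final input drop"),
]
FORWARD_RULES = [
    Rule("forward", "accept", from_lan, comment="LAN may go out"),
    Rule("forward", "drop", comment="final forward drop"),
]
WAN_SERVICES = [
    Rule("wan-services", "accept", lambda p: p.proto == "udp" and p.dport == 13231,
         comment="WireGuard from WAN"),
    # no final rule: anything unmatched returns to the input chain
]

GROUPED = INPUT_RULES + FORWARD_RULES + WAN_SERVICES
INTERLEAVED = [INPUT_RULES[0], FORWARD_RULES[0], INPUT_RULES[1], WAN_SERVICES[0],
               FORWARD_RULES[1], INPUT_RULES[2]]
# Same rules, but the input chain's final drop moved above its accept
MISORDERED = [INPUT_RULES[2], INPUT_RULES[0], INPUT_RULES[1]] + FORWARD_RULES + WAN_SERVICES

def chain_order(rules, chain):
    return [r.comment for r in rules if r.chain == chain]

def same_per_chain_order(a, b):
    """True when every chain has its rules in the same relative order in a and b."""
    chains = {r.chain for r in a} | {r.chain for r in b}
    return all(chain_order(a, c) == chain_order(b, c) for c in chains)

# Constructed sample traffic; router is 192.168.88.1 on the LAN, 198.51.100.1 on the WAN
PACKETS = {
    "lan_ssh_to_router": Packet("input",   "192.168.88.10", "192.168.88.1",  "tcp", 22),
    "wan_ssh_to_router": Packet("input",   "203.0.113.5",   "198.51.100.1",  "tcp", 22),
    "wan_wireguard":     Packet("input",   "203.0.113.5",   "198.51.100.1",  "udp", 13231),
    "lan_https_out":     Packet("forward", "192.168.88.10", "93.184.216.34", "tcp", 443),
    "wan_smb_to_lan":    Packet("forward", "203.0.113.5",   "192.168.88.20", "tcp", 445),
}

def verdicts(rules):
    return {name: evaluate(rules, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, rules in (("grouped", GROUPED), ("interleaved", INTERLEAVED),
                         ("misordered", MISORDERED)):
        print(label, verdicts(rules))
```

Running it prints identical verdict tables for `GROUPED` and `INTERLEAVED`, because `same_per_chain_order` holds between them; `MISORDERED` keeps every rule but drops LAN SSH to the router, since within the input chain the final drop now sits above the accept. Only the relative order inside a chain matters; where the other chain's rules sit in the listing does not.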
