I have blocked an address list in my Filter Rules. The intention is to stop computers on the network from reaching the addresses in that list.
I understand the Forward chain is the most appropriate one, since it handles routed traffic.
I also added the same rule to the Input and Output chains just to see what would happen, and I noticed that the Output chain rule shows activity while the Forward and Input rules show none.
Why would this be?
These are my Filter Rules:
# apr/08/2019 13:18:20 by RouterOS 6.44.2
# model = RBD52G-5HacD2HnD
#
# RouterOS firewall export. Within each chain the rules are evaluated
# top-down and the first matching terminal action (accept/drop/fasttrack)
# ends processing for that packet, so the relative order of the rules
# below is significant. Chain meaning: input = packets addressed to the
# router itself, output = packets generated by the router itself,
# forward = packets routed between interfaces (LAN/VLAN <-> WAN).
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
# Disabled placeholder for hotspot rules; has no effect while disabled=yes.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Forward: drops routed traffic whose destination is in CountryIPBlocks.
# It sits above the fasttrack and established/related accepts, so every
# forwarded packet (new or existing connection) is checked against the list.
# A zero counter here means no routed packet carried a listed destination
# while the counters were observed.
add action=drop chain=forward comment="Block China" dst-address-list=\
CountryIPBlocks log=yes log-prefix=block_china
# Input: the input chain only sees packets whose destination is one of the
# router's own addresses, so a dst-address-list of external networks cannot
# match here; this rule is effectively dead and explains the zero counter.
# If inbound connections from those networks are to be refused, the
# input-chain counterpart would match on src-address-list instead.
add action=drop chain=input comment="Block China" dst-address-list=\
CountryIPBlocks log=yes log-prefix=block_china
# Output: matches traffic originated by the router itself (not by LAN
# hosts), which is why this is the rule showing activity. Which service on
# the router generates it can be read from the log entries tagged
# block_china — NOTE(review): not determinable from this export.
add action=drop chain=output comment="Block China" dst-address-list=\
CountryIPBlocks log=yes log-prefix=block_china
# Accept reply/ongoing traffic to the router early; everything below in the
# input chain therefore only sees new or invalid packets.
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
# Port-scan detection: each match adds the source to the "port scanners"
# list for 1h (list entries expire automatically). These rules are placed
# before the LAN-only drop so that they also see WAN-originated packets.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="Port scanner detection" log=\
yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" log=\
yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="SYN/FIN scan" log=yes \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="SYN/RST scan" log=yes \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" log=yes \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="ALL/ALL scan" log=yes \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=1h chain=input comment="NMAP NULL scan" log=yes \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drop anything from a source currently on the "port scanners" list.
# Only the input chain is protected this way; no equivalent exists in forward.
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Input default-deny for non-LAN sources. Traffic arriving on a LAN-list
# interface falls through; there is no final drop-all in the input chain,
# so LAN-originated packets to the router are accepted by the chain's
# default policy.
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
# Forward: accept traffic covered by an IPsec policy in either direction.
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
# Once a connection is marked fasttrack, its subsequent packets bypass the
# filter chains entirely, so none of the forward rules below (or the
# Block China rule above) are consulted for that traffic.
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Guest VLAN (192.168.150.0/24): allow only the printer at 192.168.0.13,
# then drop everything else destined to the 192.168.0.0/24 LAN. The allow
# must stay above the drop for the exception to work.
add action=accept chain=forward comment="Allow guest VLAN to printer" \
dst-address=192.168.0.13 log=yes log-prefix=vlan150_to_printer \
src-address=192.168.150.0/24
add action=drop chain=forward comment="Block guest VLAN to LAN" dst-address=\
192.168.0.0/24 log=yes log-prefix=vlan150_to_lan_block src-address=\
192.168.150.0/24
# Drop new inbound connections from WAN that were not explicitly DST-NATed.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Placed after "drop all not coming from LAN", so WAN-originated ICMP is
# already dropped before reaching this rule; it only sees LAN-originated
# ICMP, which the chain's default policy would accept anyway. Move it above
# the LAN-only drop if ICMP from WAN is meant to be answered.
add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall nat
# Source NAT for traffic leaving via WAN-list interfaces, excluding packets
# that match an outgoing IPsec policy (so tunnelled traffic keeps its address).
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=WAN