tremols
just joined
Topic Author
Posts: 2
Joined: Fri Oct 16, 2020 8:18 pm

Which rule is a connection matching

Fri Oct 16, 2020 8:29 pm

Hello guys,

Is there a way to know which rule a connection is matching?
For example:
On the Connections tab of the Firewall screen, I can see a connection from 192.168.0.31:56880 to 192.168.1.254:8291 for managing my router via Winbox.
How can I know which rule is allowing that connection?

Regards,
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Which rule is a connection matching

Fri Oct 16, 2020 9:54 pm

Firewall doesn't allow connections, it allows packets.
And different packets from that connection can be allowed by different rules.
 
tremols
just joined
Topic Author
Posts: 2
Joined: Fri Oct 16, 2020 8:18 pm

Re: Which rule is a connection matching

Sat Oct 17, 2020 2:17 am

Yes, you are right. I didn't formulate the question properly.
I would like to know somehow which rule allowed the connection to be initiated.
The issue I have is that I created a rule to allow Input to the router via Winbox.
I'm connecting to the router, and the packet count for that rule is 0.
So, I would like to trace how those packets are coming in.
 
sindy
Forum Guru
Posts: 5905
Joined: Mon Dec 04, 2017 9:19 pm

Re: Which rule is a connection matching

Sat Oct 17, 2020 12:22 pm

The order of rules matters, and if there is an "action=accept connection-state=established,..." rule in the input chain of the filter before (above) your new permissive rule for the Winbox access, that new rule will only count for a newly established connection, not for an already existing one. Also, if there is no "drop the rest" rule at the end of the input chain of the filter, all packets which did not match any of the existing rules will be accepted.

The only way to determine which rule is responsible for accepting a particular packet is to set log=yes log-prefix=rule-<number-or-name> on all the rules and then look in the log for which one has logged a packet with the IP addresses and ports you are looking for. /log print follow-only where topics~"firewall" message~"8291" will show you only the relevant log rows as they are being generated - if there is a lot of traffic, the log buffer will start being overwritten very soon.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
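
As an added example, not part of sindy's post and not taken from MikroTik's documentation: a minimal input chain laid out the way the post describes, with a distinct log-prefix on every rule, followed by the commands used to reset the counters, watch the log while Winbox reconnects, and switch the noisy logging off again afterwards. The management subnet 192.168.0.0/24 and the rule comments are assumptions derived from the addresses in the first post; adjust them to your own network.

```routeros
# Added example (not from the thread). Assumes the Winbox client sits in
# 192.168.0.0/24, as suggested by 192.168.0.31 in the first post.
/ip firewall filter
# Rule 1 is hit by every packet of an already-open Winbox session, so the
# dedicated Winbox rule further down only ever counts the first packet
# (the TCP SYN) of each new connection.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related" log=yes log-prefix=rule-01-est
add chain=input action=drop connection-state=invalid \
    comment="drop invalid" log=yes log-prefix=rule-02-invalid
# Only new connections to tcp/8291 from the LAN ever reach this rule.
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.0.0/24 connection-state=new \
    comment="allow Winbox from LAN" log=yes log-prefix=rule-03-winbox
# Without a final drop, anything not matched above is accepted implicitly
# and no counter anywhere tells you so.
add chain=input action=drop comment="drop the rest" \
    log=yes log-prefix=rule-99-drop

# Zero the counters, then close and reopen Winbox so a fresh connection is
# made; a session opened before the rule existed never hits it.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input

# Follow only firewall log rows mentioning the Winbox port as they arrive;
# each row starts with the log-prefix of the rule that matched the packet.
/log print follow-only where topics~"firewall" message~"8291"

# Once the culprit is found, turn logging back off on all rules tagged
# above, otherwise the log buffer overwrites itself within seconds on a
# busy router.
/ip firewall filter set [find log-prefix~"^rule-"] log=no
```

If the Winbox rule still shows 0 packets after a fresh connection even though the drop-the-rest rule is in place, the prefix that does appear in the log for the 8291 SYN names the earlier, broader rule (an in-interface or wider address match, for instance) that is accepting it before your rule gets a chance.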
