NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Firewall chains - default policy action?

Mon Feb 16, 2009 2:14 pm

The documentation at http://www.mikrotik.com/documentation/m ... ewall_flow states that
If the packet has not matched any rule within the chain, then the default policy action of the chain is performed.
I have searched through the configuration and cannot find any reference stating what the default policy actions are anywhere. However, after testing, the following seems to apply:

Chains 'input', 'output', 'forward' --> default action 'accept'
Any other chain --> default action 'return'

Can somebody confirm that this is true?

Many thanks,

Nick.
Last edited by NAB on Mon Feb 16, 2009 3:48 pm, edited 1 time in total.
 
galaxynet
Long time Member
Posts: 646
Joined: Fri Dec 17, 2004 2:52 pm

Re: Firewall chains - default policy action?

Mon Feb 16, 2009 3:38 pm

NAB -

That's pretty much it in a nutshell....

I am sure Normis, Janisk or one of the others will jump in and confirm this as well.

R/

Thom
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: Firewall chains - default policy action?

Mon Feb 16, 2009 5:56 pm

I've been searching for this as well.

I'd like to be able to change the default policy. On Linux you can change the default policy for each chain like:

# Set Default Policy DROP
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

When using the MikroTiks as routers I usually want them as they are now - default accept, but when using them as firewalls it would make more sense to change the default policy to DROP. Sure, I can accomplish the same thing with a drop rule at the end of each chain; it would just minimise the risk of accidentally removing or moving that last rule if it were an invisible default policy.

It also makes admins "feel" more secure to have a device that by default drops everything instead of having to explicitly add a DROP rule to accomplish it.
 
NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Firewall chains - default policy action?

Mon Feb 16, 2009 6:16 pm

I've been searching for this as well.
I'd like to be able to change the default policy.
The page I linked above says "You can change the chain policies by using the /ip firewall set command.", but this appears to have been deprecated - I certainly can't do that under 3v20.

I too would like to be able to set the default policy to 'drop' (if not on all the chains, definitely on 'forward'), but some thought would have to go into ensuring that people don't lock themselves out!

Nick.
 
mrz
MikroTik Support
Posts: 7044
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Firewall chains - default policy action?

Tue Feb 17, 2009 8:00 am

Add this rule at the bottom of all chains, but before doing it make sure you have set rules allowing to connect to the router.

/ip firewall filter add chain=<chain> action=drop
 
NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Firewall chains - default policy action?

Tue Feb 17, 2009 10:33 am

/ip firewall filter add chain=<chain> action=drop
Sadly this doesn't work when the chain has dynamically added rules - as the dynamic rules are added and removed, the 'action=drop' rule moves towards the top of the chain and the following rules are therefore ignored.

Nick.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Firewall chains - default policy action?

Tue Feb 17, 2009 10:41 am

The default action of the default firewall chains (forward, input, output) is to accept the packet.

Dynamic rules should be inserted into the top position (0) of the list; therefore, the last rule will always be the last one, so adding /ip firewall filter chain=<input|forward|output> action drop will change the behaviour.

If you jump to a custom chain, then the default is to return to the parent chain.

If by chance it is not so (the dynamic rule is not added in the top position where it should be), you can, for example in hotspot, point to which chain to add these rules and then just jump to your custom rules from one of the default chains; as a result, you won't have any dynamic firewall rules at all.
 
msundman
Frequent Visitor
Posts: 76
Joined: Thu Jan 15, 2009 2:44 pm
Location: Stockholm, Sweden

Re: Firewall chains - default policy action?

Tue Feb 17, 2009 2:02 pm

The default action of the default firewall chains (forward, input, output) is to accept the packet.

Dynamic rules should be inserted into the top position (0) of the list; therefore, the last rule will always be the last one, so adding /ip firewall filter chain=<input|forward|output> action drop will change the behaviour.
Yes, sure, but we were asking about how to change the DEFAULT policy. Of course this can be emulated by adding a drop rule, but according to the documentation it was possible to change the default policy of each chain in the 2.5 series of RouterOS. Why has this feature been removed?

Like stated previously, there are occasions when it makes more sense to have the default policy set to DROP instead of using normal filter rules to drop the traffic.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Firewall chains - default policy action?

Tue Feb 17, 2009 2:26 pm

It is not possible to change the default policy of the firewall rules. The default policy is accept. The only way to change it is to add a drop rule to the end of the chain.
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Firewall chains - default policy action?

Wed Feb 25, 2009 2:40 pm

Are there any plans to make it possible to change the default policy ?

Nick.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Firewall chains - default policy action?

Mon Mar 30, 2009 12:45 pm

As far as I know, there are not; you may easily add action=drop at the end of the firewall rules, and that "will" change the default firewall chain action from accept to drop.
 
nimamhd
just joined
Posts: 2
Joined: Fri Jul 13, 2012 10:58 pm

Re: Firewall chains - default policy action?

Fri Jul 13, 2012 11:01 pm

I use these rules and it's working perfectly.

/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp \
    src-address=192.168.100.0/24
add action=accept chain=forward comment="Dns " disabled=no dst-port=53 \
    protocol=udp src-address=20.20.20.100
add action=accept chain=forward comment="Internet Users" disabled=no \
    dst-port=80,443 protocol=tcp src-address=20.20.20.100
add action=accept chain=forward comment="To webserver" disabled=no protocol=\
    tcp src-address=20.20.20.100 src-port=80
add action=accept chain=forward disabled=no dst-address=20.20.20.0/24
add action=log chain=input disabled=yes log-prefix=123
add action=drop chain=forward comment="drop all" disabled=no
add action=drop chain=input disabled=no
add action=accept chain=output disabled=no
 
saenito
newbie
Posts: 26
Joined: Wed Aug 22, 2018 3:37 am

Re: Firewall chains - default policy action?

Wed Oct 31, 2018 9:19 pm

In my case with 6.43.2, the router is placing the dynamic rules from the user profile (incoming and outgoing filter) at the bottom, after the drop rule, so just by sight I think those dynamic rules were never going to hit because the preceding drop is global.

Anyway, in my case I'm testing the usage of "Address List" instead, so I can place static rules matching the address list before the drop rule (even if the address list initially doesn't exist because there is no one logged in).

And it seems to work quite nicely: hotspot adds and removes the client IP to/from the address list as soon as the user is active in hotspot or has gone.

---------
The default action of the default firewall chains (forward, input, output) is to accept the packet.

Dynamic rules should be inserted into the top position (0) of the list; therefore, the last rule will always be the last one, so adding /ip firewall filter chain=<input|forward|output> action drop will change the behaviour.

If you jump to a custom chain, then the default is to return to the parent chain.

If by chance it is not so (the dynamic rule is not added in the top position where it should be), you can, for example in hotspot, point to which chain to add these rules and then just jump to your custom rules from one of the default chains; as a result, you won't have any dynamic firewall rules at all.

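The chain semantics discussed in this thread, modelled as a small Python evaluator so they can be checked offline: built-in chains fall through to accept, a custom chain falls through to return into the chain that jumped, a trailing action=drop only guards the rules placed above it (so a dynamic rule inserted at position 0 is honoured while one appended after the drop is never reached, as NAB and saenito observed), and saenito's address-list workaround. This is an added example, not RouterOS code and not anything posted in the thread; the Rule/Firewall classes, the address-list name "hotspot-active", and all addresses and ports are constructed for illustration.

```python
"""Toy model of RouterOS-style filter chains (constructed example, not RouterOS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

BUILTIN_CHAINS = {"input", "output", "forward"}


@dataclass
class Rule:
    action: str                                        # accept | drop | return | jump
    match: Callable[[dict], bool] = lambda pkt: True   # default: matches every packet
    jump_target: Optional[str] = None
    comment: str = ""


@dataclass
class Firewall:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    address_lists: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, chain: str, rule: Rule, place_before: Optional[int] = None) -> None:
        """Append a rule, or insert it at an index (like RouterOS place-before)."""
        rules = self.chains.setdefault(chain, [])
        if place_before is None:
            rules.append(rule)
        else:
            rules.insert(place_before, rule)

    def src_in_list(self, name: str) -> Callable[[dict], bool]:
        """Matcher in the spirit of src-address-list=<name>: the list is looked up
        at match time, so it may be empty or absent when the rule is created."""
        return lambda pkt: pkt["src"] in self.address_lists.get(name, set())

    def evaluate(self, chain: str, pkt: dict) -> str:
        """Walk a chain top to bottom and return 'accept', 'drop' or 'return'."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            if rule.action in ("accept", "drop"):
                return rule.action
            if rule.action == "return":
                break
            if rule.action == "jump":
                verdict = self.evaluate(rule.jump_target, pkt)
                if verdict in ("accept", "drop"):
                    return verdict
                # 'return' from the custom chain: carry on with the next rule here
        # No terminating match: the chain's default policy applies
        # (accept for the built-in chains, return to parent for a custom chain).
        return "accept" if chain in BUILTIN_CHAINS else "return"


def scenario_dynamic_rule(insert_at_top: bool) -> str:
    """Forward chain with a trailing drop; a 'dynamic' accept rule for 10.0.0.5 is
    inserted at position 0 (honoured) or appended after the drop (never reached)."""
    fw = Firewall()
    fw.add("forward", Rule("accept", lambda p: p["dst_port"] == 53, comment="dns"))
    fw.add("forward", Rule("drop", comment="drop all"))
    dyn = Rule("accept", lambda p: p["src"] == "10.0.0.5", comment="dynamic rule")
    fw.add("forward", dyn, place_before=0 if insert_at_top else None)
    return fw.evaluate("forward", {"src": "10.0.0.5", "dst_port": 80})


def scenario_address_list() -> tuple:
    """Static rule above the drop matching a list that is filled and emptied later,
    returning the verdict before, during and after the client is in the list."""
    fw = Firewall()
    fw.add("forward", Rule("accept", fw.src_in_list("hotspot-active"),
                           comment="static rule, list may be empty"))
    fw.add("forward", Rule("drop", comment="drop all"))
    pkt = {"src": "10.0.0.5", "dst_port": 80}
    before = fw.evaluate("forward", pkt)
    fw.address_lists.setdefault("hotspot-active", set()).add("10.0.0.5")  # client logs in
    during = fw.evaluate("forward", pkt)
    fw.address_lists["hotspot-active"].discard("10.0.0.5")                # client leaves
    after = fw.evaluate("forward", pkt)
    return before, during, after


def scenario_custom_chain() -> tuple:
    """Jump into a custom chain; an unmatched packet returns to 'forward' and is
    judged by the remaining rules there, then by the built-in default (accept)."""
    fw = Firewall()
    fw.add("custom", Rule("drop", lambda p: p["src"] == "192.0.2.9", comment="bad host"))
    fw.add("forward", Rule("jump", jump_target="custom"))
    fw.add("forward", Rule("drop", lambda p: p["dst_port"] == 23, comment="no telnet"))
    return (fw.evaluate("forward", {"src": "192.0.2.9", "dst_port": 80}),
            fw.evaluate("forward", {"src": "198.51.100.1", "dst_port": 23}),
            fw.evaluate("forward", {"src": "198.51.100.1", "dst_port": 80}))


if __name__ == "__main__":
    print("dynamic rule at top   :", scenario_dynamic_rule(True))   # accept
    print("dynamic rule after drop:", scenario_dynamic_rule(False)) # drop
    print("address list (before, during, after):", scenario_address_list())
    print("custom chain (drop, return+drop, return+accept):", scenario_custom_chain())
```

Run it with `python3 chains.py`. The model shows why a final drop rule only emulates a drop policy for what sits above it, and why a static address-list rule placed above the drop keeps working no matter where the router appends its dynamic rules.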