Thanks a lot for the answer, it's clear now.
I have one more question about "Dmitry on firewalling". I am studying his configuration and I know I am wrong, but it doesn't make sense to me.
In his configuration there is a "sanity-check" chain where packets are tested and dropped if needed.
ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check Forward"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d \
comment="Block port scans" disabled=yes
#check to see if this is too aggressive and blocks legit hosts
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop \
comment="Drop everything that goes from public interface but not to local address" disabled=yes
#check this well! The above rule is for not nat-ed hosts!
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that comes from multicast or broadcast addresses"
This is more or less clear to me. What is not clear to me is the part "Protecting your router", where the jump to sanity-check is made.
ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic (between router applications)"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate (5 packets per sec)"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH (22/TCP)"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy (3128/TCP)"
add chain=local-services connection-mark=winbox action=accept comment="Winbox (8291/TCP)" disabled=no
add chain=local-services action=log comment="Log & Drop Other Local Services"
add chain=local-services action=drop disabled=yes
#check the log twice before enabling this
add chain=public-services connection-mark=ssh action=accept comment="SSH (22/TCP)"
add chain=public-services connection-mark=pptp action=accept comment="PPTP (1723/TCP)"
add chain=public-services connection-mark=winbox action=accept comment="Winbox (8291/TCP)" disabled=no
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=log comment="Log & Drop Other Public Services"
add chain=public-services action=drop disabled=yes
#check the log twice before enabling this
The wiki page about firewall says:
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.
So my question is: when would the rules in this "input" chain (after the jump to sanity-check) be processed, if there is a jump to the "sanity-check" chain (bolded) and the wiki says that if the packet does not match any rule within the chain (sanity-check) it is accepted automatically? There is no "return" action in the "sanity-check" chain, so the packet would never come back from the "sanity-check" chain; it would be accepted (if not matched by any rule in sanity-check) and the rules after "jump to sanity-check" would never be processed?
I know I am wrong, but I don't know why. I am trying to understand this.
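The behaviour the question turns on is that RouterOS treats the two kinds of chains differently at end-of-chain: a packet that reaches the end of a built-in chain (input, forward, output) without a terminating match is accepted, which is what the quoted wiki sentence describes, while a packet that reaches the end of a user-defined chain (sanity-check, local-services, drop, ...) goes back to the rule that follows the jump which entered it. Log, passthrough and add-src-to-address-list are non-terminating, so evaluation continues after them. The following Python model is an added example, not code from the post, the wiki or Dmitry's configuration; it re-implements those traversal rules over a condensed copy of the quoted input and sanity-check chains. It assumes the "drop" chain that the configuration jumps to (not shown in the post) ends in action=drop, reduces address-list membership to a single packet field, and uses constructed sample packets.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Built-in chains: reaching the end without a terminating match means accept.
# User-defined chains instead hand the packet back to the rule after the jump.
BUILTIN_CHAINS = {"input", "forward", "output"}
# Actions after which evaluation continues with the next rule of the same chain.
NON_TERMINATING = {"log", "passthrough",
                   "add-src-to-address-list", "add-dst-to-address-list"}


@dataclass
class Rule:
    action: str
    match: Dict[str, str] = field(default_factory=dict)
    jump_target: Optional[str] = None
    comment: str = ""
    disabled: bool = False


def matches(rule: Rule, packet: Dict[str, str]) -> bool:
    """All matchers must hold; a leading '!' negates a value, as in RouterOS syntax."""
    for key, want in rule.match.items():
        have = packet.get(key)
        if want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True


def walk(chains, chain: str, packet: Dict[str, str], trace: List[str]) -> str:
    """Evaluate one chain: a final verdict, or 'return' if it ended without one."""
    for rule in chains[chain]:
        if rule.disabled or not matches(rule, packet):
            continue
        trace.append(f"{chain}: {rule.comment or rule.action}")
        if rule.action == "jump":
            result = walk(chains, rule.jump_target, packet, trace)
            if result != "return":
                return result
            continue          # target chain fell off its end: resume after the jump
        if rule.action in NON_TERMINATING:
            continue
        return rule.action    # accept, drop, reject or an explicit return
    trace.append(f"{chain}: end of chain")
    return "accept" if chain in BUILTIN_CHAINS else "return"


def verdict(chains, packet: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run a packet through the input chain; return (verdict, trace of matched rules)."""
    trace: List[str] = []
    return walk(chains, "input", packet, trace), trace


# Condensed copy of the chains quoted in the post; "drop" is assumed to end in drop.
CHAINS = {
    "input": [
        Rule("accept", {"src-address-type": "local", "dst-address-type": "local"},
             comment="Allow local traffic"),
        Rule("jump", jump_target="sanity-check", comment="Sanity Check"),
        Rule("jump", {"dst-address-type": "!local"}, jump_target="drop",
             comment="Dropping packets not destined to the router itself"),
        Rule("jump", {"in-interface": "Local"}, jump_target="local-services"),
        Rule("jump", {"in-interface": "Public"}, jump_target="public-services"),
        Rule("jump", jump_target="drop"),
    ],
    "sanity-check": [
        Rule("jump", {"connection-state": "invalid"}, jump_target="drop",
             comment="Dropping invalid connections at once"),
        Rule("accept", {"connection-state": "established"},
             comment="Accepting already established connections"),
        Rule("jump", {"in-interface": "Public", "src-address-list": "illegal-addr"},
             jump_target="drop", comment="Drop illegal source addresses"),
    ],
    "local-services": [
        Rule("accept", {"connection-mark": "ssh"}, comment="SSH (22/TCP)"),
        Rule("log", comment="Log & Drop Other Local Services"),
        Rule("drop", disabled=True),
    ],
    "public-services": [
        Rule("accept", {"connection-mark": "ssh"}, comment="SSH (22/TCP)"),
        Rule("log", comment="Log & Drop Other Public Services"),
        Rule("drop", disabled=True),
    ],
    "drop": [Rule("drop")],
}

# Constructed sample packets carrying only the fields the rules above examine.
NEW_SSH_FROM_LAN = {"in-interface": "Local", "connection-state": "new",
                    "connection-mark": "ssh", "dst-address-type": "local"}
ESTABLISHED_FROM_WAN = {"in-interface": "Public", "connection-state": "established",
                        "dst-address-type": "local"}
NEW_TELNET_FROM_WAN = {"in-interface": "Public", "connection-state": "new",
                       "connection-mark": "none", "dst-address-type": "local"}
INVALID_FROM_WAN = {"in-interface": "Public", "connection-state": "invalid",
                    "dst-address-type": "local"}

if __name__ == "__main__":
    for name, pkt in [("new ssh from LAN", NEW_SSH_FROM_LAN),
                      ("established from WAN", ESTABLISHED_FROM_WAN),
                      ("new telnet from WAN", NEW_TELNET_FROM_WAN),
                      ("invalid from WAN", INVALID_FROM_WAN)]:
        v, trace = verdict(CHAINS, pkt)
        print(f"{name}: {v}\n  " + "\n  ".join(trace))
```

Running it shows the two cases side by side: a new SSH connection from the LAN matches nothing in sanity-check, comes back to the input chain and is accepted by local-services, whereas an established packet is accepted inside sanity-check and never reaches the later input rules. The trace for the unknown service from the WAN also shows why the final "jump to drop" in input matters while the drop rules in the service chains are still disabled: the packet falls off the end of public-services, returns, and is dropped by that last rule instead of being accepted at the end of input.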