Kola
newbie
Topic Author
Posts: 49
Joined: Fri Aug 02, 2013 11:42 am

WAN connections bypassing SNAT/masq. Should they be dropped?

Tue Aug 06, 2013 10:11 am

Hello! Why, in the various guides on configuring MikroTik Internet/LAN access, have I never seen filtering rules like this:

/ip firewall mangle add action=mark-connection chain=prerouting comment=\
    "Mangle connections passing by masquerading rule to 172.16.1.0 net" \
    dst-address=172.16.1.0/24 new-connection-mark=passing-by-masq-conn

/ip firewall filter add action=drop chain=forward comment=\
    "Drop connections passing by masquerading rule" \
    connection-mark=passing-by-masq-conn

for a NAT rule like this:

/ip firewall nat add action=masquerade chain=srcnat comment=\
    "Masquerading of 172.16.1.0 subnet" \
    src-address=172.16.1.0/24 out-interface=ether1

Without these, someone on the WAN can try to connect directly to hosts in the LAN, bypassing the masquerading rule, if he/she declares the WAN address as a gateway to a LAN address. Of course the ISP will drop packets with destination addresses of the local net at some level, but it could be an attack from the local WAN/LAN of the provider.

Are these rules redundant or not, or is it just good practice to filter your traffic by protocol?
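A toy model of the rule set quoted in the post, added here as an illustration and not code from the thread or from MikroTik: it walks constructed packets through prerouting mangle, un-NAT of replies, the forward filter and masquerade, and shows that the direct WAN-to-LAN case is dropped, that replies to masqueraded flows are unaffected, and that the destination-only match also drops traffic from any other internal subnet. The LAN port ether2, the public addresses, the second internal subnet and the conntrack shape are assumptions.

```python
from __future__ import annotations
import ipaddress
from collections import namedtuple

# Values from the post; the public addresses used below are constructed (RFC 5737 ranges).
LAN_NET = ipaddress.ip_network("172.16.1.0/24")
WAN_IF, LAN_IF = "ether1", "ether2"   # ether1 from the NAT rule, ether2 an assumed LAN port
ROUTER_WAN_IP = "203.0.113.5"         # constructed public address of the router
MARK = "passing-by-masq-conn"
Packet = namedtuple("Packet", "src dst")
CONNTRACK: dict[tuple[str, str], str] = {}   # (remote, router WAN addr) -> original LAN source

def mangle_prerouting(pkt: Packet) -> str | None:
    """Posted mangle rule: mark connections addressed to the LAN subnet. It runs before
    dst-nat, so replies to masqueraded flows still carry the router's WAN address."""
    return MARK if ipaddress.ip_address(pkt.dst) in LAN_NET else None

def forward_filter(mark: str | None, enabled: bool = True) -> str:
    """Posted filter rule: drop marked connections; enabled=False models its absence."""
    return "drop" if enabled and mark == MARK else "accept"

def srcnat(pkt: Packet, out_iface: str) -> str:
    """Posted masquerade rule: rewrite the source only for LAN traffic leaving ether1."""
    if ipaddress.ip_address(pkt.src) in LAN_NET and out_iface == WAN_IF:
        CONNTRACK[(pkt.dst, ROUTER_WAN_IP)] = pkt.src
        return ROUTER_WAN_IP
    return pkt.src

def process(pkt: Packet, filter_enabled: bool = True) -> tuple[str, str, str]:
    """prerouting mangle -> un-NAT of replies -> forward filter -> srcnat.
    Returns (verdict, source, destination) as the next hop would see the packet."""
    mark = mangle_prerouting(pkt)
    dst = CONNTRACK.get((pkt.src, pkt.dst), pkt.dst)   # conntrack restores LAN destination
    if forward_filter(mark, filter_enabled) == "drop":
        return "drop", pkt.src, pkt.dst
    out_iface = LAN_IF if ipaddress.ip_address(dst) in LAN_NET else WAN_IF
    return "accept", srcnat(pkt, out_iface), dst

def demo() -> dict[str, tuple[str, str, str]]:
    """Constructed traffic: a normal flow and its reply, the post's direct WAN-to-LAN case with and without the filter, and a caveat."""
    CONNTRACK.clear()
    return {
        "lan_to_internet": process(Packet("172.16.1.10", "198.51.100.20")),
        "reply_to_router": process(Packet("198.51.100.20", ROUTER_WAN_IP)),
        "wan_direct_filtered": process(Packet("198.51.100.66", "172.16.1.10")),
        "wan_direct_unfiltered": process(Packet("198.51.100.66", "172.16.1.10"), False),
        # destination-only match: an assumed second internal subnet is dropped as well
        "other_subnet_to_lan": process(Packet("172.16.2.5", "172.16.1.10")),
    }
```

The unfiltered case is the situation the post describes: the packet is forwarded into the LAN with its real source address because the masquerade rule only touches traffic leaving ether1.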
