
drop rule above fasttrack rule not working

Posted: Fri Jul 31, 2015 3:42 pm
by dadaniel
When not using a fasttrack rule, active connections are dropped immediately when they are added to the src-address-list.
When using fasttrack, active connections are not dropped, although the drop rule is above the fasttrack rule:

add action=drop chain=forward src-address-list=ftp_blacklist
add action=fasttrack-connection chain=forward connection-state=established,related
add chain=forward content="530 Login" dst-address-list=!ournetwork dst-limit=12/1m,24,dst-address/1m protocol=tcp src-port=21
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=1w chain=forward content="530 Login" dst-address-list=!ournetwork log=yes log-prefix=block_ftp protocol=tcp src-port=21

Does fasttrack mean that a connection that is matched never ever gets into any chain again?

Re: drop rule above fasttrack rule not working

Posted: Sat Aug 01, 2015 6:01 am
by lambert
I read http://wiki.mikrotik.com/wiki/Manual:Fa ... ck_handler to mean that once a connection has been fasttracked it will bypass all firewall rules until the connection is terminated. I don't know if you can take a connection out of the fasttrack by killing the connection in ip firewall connection and forcing the connection to be re-initiated.
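
The behaviour discussed in this thread, as a simplified Python model added here for illustration; it is not code from either poster or from RouterOS. The `Router` class, its default-accept policy and the `kill_connection` step (which models the untested idea of removing the connection tracking entry) are assumptions.

```python
# Simplified model of the forward path (an assumption, not RouterOS code).
from dataclasses import dataclass, field

@dataclass
class Router:
    fasttrack_enabled: bool
    blacklist: set = field(default_factory=set)    # models ftp_blacklist
    conntrack: dict = field(default_factory=dict)  # (src, dst) -> fasttracked?

    def forward(self, src, dst):
        """Return the verdict for one packet of the connection (src, dst)."""
        key = (src, dst)
        # Fast path: a fasttracked connection never reaches the filter rules.
        if self.conntrack.get(key):
            return "accept"
        # Rule 1: action=drop src-address-list=ftp_blacklist
        if src in self.blacklist:
            return "drop"
        # Rule 2: fasttrack-connection for established connections
        if key in self.conntrack:
            self.conntrack[key] = self.fasttrack_enabled
            return "accept"
        # New connection: accept it and start tracking (model default).
        self.conntrack[key] = False
        return "accept"

    def kill_connection(self, src, dst):
        """Hypothetical step: remove the tracking entry, as lambert suggests."""
        self.conntrack.pop((src, dst), None)

def run_scenario(fasttrack_enabled):
    """Verdicts for 4 packets: new, established, after blacklisting, after kill."""
    src, dst = "203.0.113.10", "198.51.100.5"  # constructed sample addresses
    r = Router(fasttrack_enabled)
    verdicts = [r.forward(src, dst), r.forward(src, dst)]
    r.blacklist.add(src)
    verdicts.append(r.forward(src, dst))
    r.kill_connection(src, dst)
    verdicts.append(r.forward(src, dst))
    return verdicts

if __name__ == "__main__":
    print("no fasttrack:", run_scenario(False))
    print("fasttrack:   ", run_scenario(True))
```

In this model the third packet (sent after blacklisting) is the one that differs: it is dropped without fasttrack and accepted with it, regardless of where the drop rule sits in the chain.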