A basic firewall rule-pair running on RouterOS 6.47 that I struggle to understand:
ether1 = WAN facing interface
Code:
;;; Allow routerOS update checks
chain=output action=accept connection-state=established,related,new protocol=tcp out-interface=ether1 dst-port=80 log=yes log-prefix="ROUTER-UPDATE_ACP"
;;; Block other WAN requests to router
chain=input action=drop in-interface=ether1 log=yes log-prefix="WAN-INPUT_DRP"
Isn't connection-state=related supposed to ensure that all packets in the 3-way handshake are included here?
I've seen some posts saying that it would work if an input chain is used instead. But I struggle to understand why, since this is imo a perfect example of a typical output chain rule.
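
The packet path behind this question, as an added example that is not part of the original post: a simplified Python model of the two posted rules, showing that the reply to the router's own request is evaluated in the input chain, not the output chain. The `WAN-REPLY_ACP` rule, the ports 49152 and 8291 and the first-match evaluator are constructed for illustration; they are not RouterOS code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    chain: str      # "output" = sent by the router itself, "input" = addressed to the router
    iface: str      # out-interface on output, in-interface on input
    state: str      # connection-tracking state of this packet
    proto: str
    dst_port: int

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    return (rule["chain"] == pkt.chain
            and rule.get("iface", pkt.iface) == pkt.iface
            and pkt.state in rule.get("states", {pkt.state})
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dst_port", pkt.dst_port) == pkt.dst_port)

def verdict(rules, pkt):
    """First matching rule wins; a packet no rule matches is accepted."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["prefix"]
    return "accept", "no-match"

# The two rules from the post.
POSTED = [
    {"chain": "output", "action": "accept", "iface": "ether1", "proto": "tcp",
     "states": {"established", "related", "new"}, "dst_port": 80,
     "prefix": "ROUTER-UPDATE_ACP"},
    {"chain": "input", "action": "drop", "iface": "ether1",
     "prefix": "WAN-INPUT_DRP"},
]

# Constructed rule: accept replies to connections the router opened itself.
ALLOW_REPLIES = {"chain": "input", "action": "accept", "iface": "ether1",
                 "states": {"established", "related"}, "prefix": "WAN-REPLY_ACP"}
WITH_REPLIES = [POSTED[0], ALLOW_REPLIES, POSTED[1]]  # must sit before the drop

# Constructed packets: the router's SYN to port 80, the server's SYN-ACK coming
# back to the router's ephemeral port, and an unsolicited connection attempt.
SYN = Packet("output", "ether1", "new", "tcp", 80)
SYN_ACK = Packet("input", "ether1", "established", "tcp", 49152)
UNSOLICITED = Packet("input", "ether1", "new", "tcp", 8291)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("with reply rule", WITH_REPLIES)):
        for label, pkt in (("SYN", SYN), ("SYN-ACK", SYN_ACK), ("unsolicited", UNSOLICITED)):
            print(f"{name:16} {label:12} -> {verdict(rules, pkt)}")
```

In the model, the output rule only ever sees the router's own outgoing packets; the SYN-ACK is an inbound packet with state established, so the posted input drop rule is the first rule that matches it.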