jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

firewall question

Sun Nov 28, 2021 8:18 pm

on my rb-1000 running 6.49.1 I have this single firewall rule on the interface going to my internet cable modem:
/ip firewall filter add action=drop chain=input in-interface=ether1
works fine, no complaints: none of the router's ports (ssh, etc.) are visible from the internet, it isn't ping-able, no issue using the internet, etc.
but going through the mikrotik docs, I see that I should add:
/ip firewall filter add action=accept chain=input connection-mark="" connection-state=established,related
Why? I have added it but didn't notice any change really.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: firewall question

Sun Nov 28, 2021 8:28 pm

Don't forget your router itself also generates traffic to the internet, and the returning "replies" should not be bluntly dropped (= input chain),
e.g. NTP, DNS, Cloud.

Hence the "related,established" rule to allow traffic hitting the router itself that is part of a session or related to it.
Of course, make sure the rule with "related,established" is ABOVE the generic "drop" rule, or it will indeed do absolutely nothing.
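To make the ordering point concrete, here is an added example (not code from this thread or from MikroTik): a small Python model of first-match evaluation on the input chain with a toy connection tracker. It runs the three orderings discussed above (drop only, accept below drop, accept above drop) against a DNS reply to a query the router itself sent and against an unsolicited SSH probe from the internet. The addresses, ports, rule objects and the `ConnTracker` class are constructed for illustration; the toy tracker only derives "new" and "established" from what it has seen, so "related" is matched by the rule but never produced, and connection marks (the `connection-mark=""` condition in the quoted doc rule) are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (documentation ranges), not real addresses.
ROUTER_WAN = "203.0.113.10"
WAN_IFACE = "ether1"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_interface: Optional[str]  # None for packets the router originates itself


@dataclass(frozen=True)
class Rule:
    """Subset of a RouterOS filter rule: action plus two optional matchers."""
    action: str                                        # "accept" or "drop"
    in_interface: Optional[str] = None                 # unset = don't care
    connection_state: frozenset = frozenset()          # empty = don't care


class ConnTracker:
    """Hypothetical stand-in for connection tracking: remembers the flows the
    router has seen, keyed direction-independently, so a reply to a flow the
    router opened is reported as 'established'."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def _key(p: Packet):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto,) + tuple(ends)

    def state(self, p: Packet) -> str:
        return "established" if self._key(p) in self.flows else "new"

    def record(self, p: Packet) -> None:
        self.flows.add(self._key(p))


def matches(rule: Rule, pkt: Packet, state: str) -> bool:
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.connection_state and state not in rule.connection_state:
        return False
    return True


def evaluate_input(rules, pkt: Packet, ct: ConnTracker) -> str:
    """First matching rule decides; a chain with no match accepts, as RouterOS does."""
    state = ct.state(pkt)
    for rule in rules:
        if matches(rule, pkt, state):
            return rule.action
    return "accept"


def run_scenario(rules) -> dict:
    ct = ConnTracker()
    # 1. The router sends a DNS query out ether1; conntrack records the flow.
    query = Packet("udp", ROUTER_WAN, 50123, "198.51.100.53", 53, None)
    ct.record(query)
    # 2. The DNS reply comes back in on ether1, addressed to the router (input chain).
    reply = Packet("udp", "198.51.100.53", 53, ROUTER_WAN, 50123, WAN_IFACE)
    # 3. An unsolicited SSH SYN from the internet hits the router on ether1.
    probe = Packet("tcp", "192.0.2.77", 40000, ROUTER_WAN, 22, WAN_IFACE)
    return {
        "dns_reply": evaluate_input(rules, reply, ct),
        "unsolicited_ssh": evaluate_input(rules, probe, ct),
    }


ACCEPT_EST = Rule("accept", connection_state=frozenset({"established", "related"}))
DROP_WAN = Rule("drop", in_interface=WAN_IFACE)

DROP_ONLY = [DROP_WAN]                 # the OP's single rule
WRONG_ORDER = [DROP_WAN, ACCEPT_EST]   # accept added, but below the drop
CORRECT_ORDER = [ACCEPT_EST, DROP_WAN] # accept above the drop

if __name__ == "__main__":
    for name, rules in (("drop only", DROP_ONLY),
                        ("wrong order", WRONG_ORDER),
                        ("correct order", CORRECT_ORDER)):
        print(f"{name:14} {run_scenario(rules)}")
```

Only the last ordering lets the router's own DNS reply through while still dropping the probe; with the accept below the drop the result is identical to having no accept at all, which is exactly the "it will do absolutely nothing" case.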
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: firewall question

Sun Nov 28, 2021 8:37 pm

Oh I see, so you're saying, essentially, that without this extra rule I wouldn't be able to upgrade my router, for instance, or even use NTP, etc.
 
jibanes
newbie
Topic Author
Posts: 30
Joined: Sun Mar 25, 2012 8:13 am

Re: firewall question

Sun Nov 28, 2021 8:42 pm

Thank you!
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: firewall question

Sun Nov 28, 2021 11:08 pm

Probably also IPsec tunnels etc. that you terminate on the box.
For example, I also allow certain ICMP traffic to "hit" my input chain.
But then, all the way at the bottom, there is indeed a deny any any on the input chain, just to be sure.
