5009Owner
newbie
Topic Author
Posts: 33
Joined: Sun Jan 09, 2022 9:09 am

Input chain and drop invalid

Sat May 28, 2022 9:01 am

I wonder, why is "Drop invalid" necessary in input chain?
In the end of the input chain there is "Drop all". Should it take care of "invalid"?
 
gabacho4
Member
Posts: 330
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Input chain and drop invalid

Sat May 28, 2022 9:29 am

It isn’t necessary at all. The drop everything else rule, as you mention, takes care of that too. I’m sure there are performance gains in large networks to having invalid dropped at the top of the chain but I don’t think you’ll notice any appreciable difference in a home or SMB environment.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Input chain and drop invalid

Sat May 28, 2022 11:49 am

I wonder, why is "Drop invalid" necessary in input chain?
In the end of the input chain there is "Drop all". Should it take care of "invalid"?

Some firewall rule sets follow a "drop not needed" rather than an "allow only needed" philosophy ... and in this case the "drop invalid" rule is strictly necessary. IMO the "allow only needed" approach is much safer in most cases; in the case of some more liberal ISPs, "drop not needed" for the forward chain can be better ... But it does show that mixing recipes that might follow different philosophies (or are confused already) can lead to a confusing firewall rule set.

Psychological reasons aside, a "drop invalid" rule early in the chain can strengthen the firewall, because this way invalid packets that would otherwise be accepted by other rules are dropped anyway.
Consider a (trivial) case where firewall rules allow an ssh connection to the router (can be via management interface even) ... some attacker might start sending packets targeting TCP port 22 that are otherwise invalid (i.e. the initial packet is not strictly a SYN packet, or its segment number is out of sync with the ongoing SSH connection). Those packets are invalid as per connection tracking state, but without an early "drop invalid" they would still be delivered to the ssh service of ROS, potentially affecting its functioning and/or performance.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Input chain and drop invalid

Sat May 28, 2022 12:43 pm

Also, there is a bug in RouterOS that causes incoming GRE packets to be marked "invalid", even when they are a reply to outgoing GRE traffic.
(that is, the "established/related" match does not work for GRE)

This will cause GRE tunnels to fail as long as you have that "drop invalid" rule and no "accept GRE" before it (or match with "not protocol GRE" in the "drop invalid" rule).
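To make the ordering point from mkx's post concrete, and to show where pe1chl's GRE workaround fits, here is an input chain written in RouterOS CLI form. It is an added example, not a rule set posted in the thread or one shipped by MikroTik; the interface list name `LAN`, the choice to accept ICMP, and the decision to accept GRE at all (only relevant if the router terminates GRE tunnels) are assumptions for illustration.

```routeros
# Added example (not from the thread): an input chain where "drop invalid"
# sits ahead of every service accept rule, so an out-of-state packet aimed
# at TCP/22 is discarded before the accept-ssh rule can see it.
# Assumed: an interface list named "LAN" exists and holds the trusted side.
/ip firewall filter

# 1. Fast path for packets that belong to an already tracked connection.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# 2. GRE workaround described in this thread: accept GRE *before* the
#    invalid drop, because reply GRE packets may be tracked as invalid.
#    Remove this rule if the router does not terminate any GRE tunnel.
add chain=input protocol=gre action=accept \
    comment="accept GRE (tunnel endpoints only)"

# 3. Drop invalid before any per-service accept rule. Without this rule,
#    an invalid packet with dst-port 22 would match rule 5 and reach sshd.
#    Alternative to rule 2, if you prefer a single rule:
#      add chain=input connection-state=invalid protocol=!gre action=drop
add chain=input connection-state=invalid action=drop \
    comment="drop invalid"

# 4. Per-service accepts. Only the trusted side may reach management.
add chain=input protocol=icmp action=accept comment="accept ICMP"
add chain=input protocol=tcp dst-port=22 in-interface-list=LAN \
    action=accept comment="accept ssh from LAN"

# 5. Everything not explicitly accepted above.
add chain=input action=drop comment="drop all else"

# Rules are evaluated top to bottom, first match wins, so verify the
# order after pasting; "move" renumbers if a rule landed in the wrong place:
#   /ip firewall filter print
#   /ip firewall filter move [find comment="drop invalid"] destination=2
```

The only thing that changes between "drop invalid is redundant" and "drop invalid matters" is rule position: with rule 3 removed, an invalid segment to port 22 from the LAN side is accepted by rule 4 (the ssh rule) rather than by the final drop, which is the case mkx describes.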
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Input chain and drop invalid

Sat May 28, 2022 12:52 pm

I noticed it and solved it in some cases by leaving the pptp helper enabled (without using pptp at all); it can also successfully track GRE tunnels ("only")...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Input chain and drop invalid

Sat May 28, 2022 3:48 pm

Discussed & Answered here Para 5. - viewtopic.php?t=180838
