N8Wulf
just joined
Topic Author
Posts: 13
Joined: Mon Apr 20, 2009 10:29 pm
Location: VTown aka Vereeniging, RSA

Invalid : deny illegal NAT traversal in Firewall rules

Mon May 25, 2009 11:19 am

Hi all,
I followed the guide on setting up my FW on an RB493 as outlined here: http://wiki.mikrotik.com/wiki/NetworkPro_on_firewalling . This RB will be used for load balancing. In the mentioned guide there's a rule under /ip firewall filter (the second line) that refers to "Deny illegal NAT traversal". After adding this rule, the Winbox GUI shows it, along with quite a few other rules like it that have Action Jump, as invalid...
I'm using RouterOs 3.23...

Please, is there a way that I could trace where the fault lies?

Thank you for descriptive answers
 
N8Wulf
just joined
Topic Author
Posts: 13
Joined: Mon Apr 20, 2009 10:29 pm
Location: VTown aka Vereeniging, RSA

Re: Invalid : deny illegal NAT traversal in Firewall rules

Tue May 26, 2009 7:00 am

Nobody has come across this yet?
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Invalid : deny illegal NAT traversal in Firewall rules

Tue May 26, 2009 1:33 pm

Do you have a chain that is the target of that jump?
 
N8Wulf
just joined
Topic Author
Posts: 13
Joined: Mon Apr 20, 2009 10:29 pm
Location: VTown aka Vereeniging, RSA

Re: Invalid : deny illegal NAT traversal in Firewall rules

Fri May 29, 2009 8:02 pm

I guess so... here's the code:

/ ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check Forward" ### Right from the word Go! this generates an 'Invalid #
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal" ### here it seems the chain is created called 'sanity-check', but then straight after this 'drop' is mentioned, which also does not exist, and then also to add to my confusion, why is the chain created after it was referenced? #
add chain=input action=accept in-interface=Local dst-address=255.255.255.255 dst-port=5678 protocol=udp \
comment="Allow The Router to be visible via Neighbor Discovery to WinBox"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d \
comment="Block port scans" disabled=yes
#check to see if this is too aggressive and blocks legit hosts
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop \
comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop \
comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop \
comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=146Gate src-address-list=illegal-addr action=jump jump-target=drop \
comment="Drop illegal source addresses"
add chain=sanity-check in-interface=82Gate src-address-list=illegal-addr action=jump jump-target=drop \
comment="Drop illegal source addresses"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop \
comment="Drop all traffic that comes from multicast or broadcast addresses"


I don't know if a jump-target can be created on the fly (which I think could not be so) by just referring to it, in this case jump-target=sanity-check as well as jump-target=drop... none of these pre-exist on first mention in the code, but after the first mention it magically appears, although I can't see where any attributes are associated or assigned to these terms. I mean, I know what it means to 'drop', but is this term defined somewhere in the kernel and only active on first use?

Reading up here: http://www.mikrotik.com/testdocs/ros/2. ... notfound=6& says that 'Yes, chains will be created on the fly' if not previously defined, but then I still don't get why the Invalid. Is it a syntax change as in I'm using ROS v3.23, but this Firewall setup is for use on pre-v3?

Thank you for your reply so long
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Invalid : deny illegal NAT traversal in Firewall rules

Fri May 29, 2009 10:22 pm

If you do not have any rules in the 'drop' chain, then any rule referring to that chain will be invalid.

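The rule Chupaka states (a jump is invalid while its target chain holds no rules) can be checked mechanically against an export. What follows is an added example, not code from the thread or from MikroTik: a small Python checker that parses the `add` lines of a `/ip firewall filter` export, joins `\` continuations, and reports every `action=jump` whose `jump-target` chain never appears as `chain=` in any rule. The sample export is constructed from a trimmed version of the posted rules and keeps the same defect. Two simplifying assumptions of this checker: only full-line `#` comments are recognised, and the built-in chains `input`, `forward` and `output` are treated as always present.

```python
import re

# Constructed sample, trimmed from the export posted in the thread. It keeps the
# defect under discussion: two rules jump to 'drop', but no rule ever uses
# chain=drop, so that chain does not exist and the jumps show as invalid.
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check Forward"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop \
    comment="Deny illegal NAT traversal"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop \
    comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept
"""

# Built-in chains of the filter table; they exist even when they hold no rules.
BUILTIN_CHAINS = {"input", "forward", "output"}

# key=value pairs; a value is either a double-quoted string or a bare token.
ATTR_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def join_continuations(text):
    """Merge lines that end in a backslash, the way the RouterOS console does.
    Blank lines and full-line '#' comments are dropped (inline comments are
    not handled; that is a simplification of this checker)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_rules(text):
    """Return one {attribute: value} dict per 'add ...' rule, in export order."""
    parsed = []
    for line in join_continuations(text):
        if not line.startswith("add "):
            continue  # skips the '/ip firewall filter' menu path line
        parsed.append({k: v.strip('"') for k, v in ATTR_RE.findall(line)})
    return parsed


def find_invalid_jumps(text):
    """List (rule_index, jump_target) for every jump whose target chain has no
    rules. A user chain exists only once at least one rule names it in chain=;
    the position of that rule in the export does not matter."""
    rules = parse_rules(text)
    existing = BUILTIN_CHAINS | {r["chain"] for r in rules if "chain" in r}
    return [(i, r.get("jump-target")) for i, r in enumerate(rules)
            if r.get("action") == "jump" and r.get("jump-target") not in existing]


def with_drop_chain(text):
    """The fix: give the 'drop' chain a rule of its own so that it exists."""
    return text + 'add chain=drop action=drop comment="Terminal drop chain"\n'


if __name__ == "__main__":
    for i, target in find_invalid_jumps(SAMPLE_EXPORT):
        print(f"rule {i}: jump-target={target} has no rules -> shows as invalid")
    print("after fix:", find_invalid_jumps(with_drop_chain(SAMPLE_EXPORT)))
```

Run against the sample, the two jumps to `drop` are flagged while the jump to `sanity-check` is not, because later rules name `chain=sanity-check`; the same mechanism is what makes a chain appear "on the fly". Appending a single rule such as `add chain=drop action=drop`, as `with_drop_chain` does, is enough for the `drop` chain to exist, after which the jump rules stop showing as invalid.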