blankman
newbie
Topic Author
Posts: 26
Joined: Tue Jan 31, 2006 6:14 am

2.9.17 Forward rule that I don't understand. Bug maybe?

Tue Mar 14, 2006 2:18 am

Hello All:
So, I have a rule in my forward chain that I can't figure out.
6   chain=forward dst-address=172.31.5.252 protocol=tcp action=jump jump-target=chat
19:00:32 firewall,info before chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info ssh chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info ssl chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
This is what prints this log out:
0   chain=chat protocol=tcp action=log log-prefix="before"
1   chain=chat dst-address=172.31.5.252 dst-port=22 action=log log-prefix="ssh"
2   chain=chat dst-address=172.31.5.252 dst-port=443 connection-state=new action=log log-prefix="ssl"
3   chain=chat action=log log-prefix=""
4   chain=chat action=reject reject-with=icmp-host-unreachable
Now, maybe I am REALLY out of it, but how can both dst-ports (22,443) be matching?
Any help is much appreciated :-)


So just for the grin of it, I tried one other thing. This time both match on the port, even though it is port 23!
19:09:30 firewall,info before chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info ssh chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info ssl chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
 
normis
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Mar 14, 2006 1:32 pm

It is required to specify protocol (tcp/udp) to match tcp/udp ports.
 
blankman
newbie
Topic Author
Posts: 26
Joined: Tue Jan 31, 2006 6:14 am

Tue Mar 14, 2006 2:14 pm

It is required to specify protocol (tcp/udp) to match tcp/udp ports.
Thanks normis. That did do it. Just for those that might want to use the search feature:

If you are using the dst-port on a firewall filter chain, the system requires you to tell it the protocol of something that "cares" about a port before it will match on your port. Thus the dst-port will only work if you have used something like tcp or udp.

Cheers all.
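To make the behaviour discussed in this thread concrete, here is a small Python model of how the chat chain evaluates a packet. It is an added example, not MikroTik code and not from any post above: it takes the rule list exactly as posted, builds a corrected copy with protocol=tcp added to the two dst-port rules, and walks both with a constructed packet shaped like the SYN to port 23 in the log. The matching model (ports are only consulted when the rule names tcp/udp), the packet fields and the function names are assumptions of this illustration, not RouterOS internals.

```python
import shlex

# Rules as posted in the thread (the "before" state). The corrected copy adds
# protocol=tcp to every rule that uses dst-port, as normis' reply suggests.
BROKEN_CHAT = [
    'chain=chat protocol=tcp action=log log-prefix="before"',
    'chain=chat dst-address=172.31.5.252 dst-port=22 action=log log-prefix="ssh"',
    'chain=chat dst-address=172.31.5.252 dst-port=443 connection-state=new action=log log-prefix="ssl"',
    'chain=chat action=log log-prefix=""',
    'chain=chat action=reject reject-with=icmp-host-unreachable',
]
FIXED_CHAT = [
    r.replace('chain=chat ', 'chain=chat protocol=tcp ', 1) if 'dst-port' in r else r
    for r in BROKEN_CHAT
]

def parse_rule(text):
    """Turn 'key=value ...' into a dict; shlex strips the quotes around log-prefix."""
    return dict(tok.split('=', 1) for tok in shlex.split(text))

def matches(rule, pkt):
    """Assumed model of the observed 2.9.17 behaviour: port criteria are only
    consulted when the rule also names a protocol that carries ports (tcp/udp);
    a dst-port on a rule without protocol= constrains nothing."""
    for key in ('dst-address', 'protocol', 'connection-state'):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if rule.get('protocol') in ('tcp', 'udp'):
        for key in ('dst-port', 'src-port'):
            if key in rule and int(rule[key]) != pkt.get(key):
                return False
    return True

def walk_chain(rules, pkt):
    """Return (log prefixes fired, terminating action) for one packet.
    action=log does not terminate the chain, so logging rules fall through."""
    fired = []
    for rule in map(parse_rule, rules):
        if not matches(rule, pkt):
            continue
        if rule['action'] == 'log':
            fired.append(rule['log-prefix'])
        else:
            return fired, rule['action']
    return fired, 'fall-through'

# Constructed packet mirroring the SYN to port 23 from the second log excerpt.
SYN_TO_23 = {'dst-address': '172.31.5.252', 'protocol': 'tcp',
             'dst-port': 23, 'connection-state': 'new'}

if __name__ == '__main__':
    print('as posted :', walk_chain(BROKEN_CHAT, SYN_TO_23))  # all four prefixes fire
    print('with proto:', walk_chain(FIXED_CHAT, SYN_TO_23))   # only "before" and ""
```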
