According to this Mikrotik Wiki page...

http://wiki.mikrotik.com/wiki/Securing_your_router
I'm just wondering why there is no NEW connection state?

According to this Mikrotik Wiki page...

http://wiki.mikrotik.com/wiki/Securing_your_router

Code: Select all

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 

I'm just wondering why there is no NEW connection state?

Because you do NOT want to accept NEW connections! You only want to accept connections that you initiate from your network. That is how a SPI firewall works. If you send a request to the internet for something, then when it comes back it is "established or related", so it is allowed through. But, if something comes in that you did not request, then it is "new", and you want to block those!

Also, you should do those same 3 rules on the FORWARD chain as well.

According to this Mikrotik Wiki page...

http://wiki.mikrotik.com/wiki/Securing_your_router

Code: Select all

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 

I'm just wondering why there is no NEW connection state?

Because you do NOT want to accept NEW connections! You only want to accept connections that you initiate from your network. That is how a SPI firewall works. If you send a request to the internet for something, then when it comes back it is "established or related", so it is allowed through. But, if something comes in that you did not request, then it is "new", and you want to block those!

Also, you should do those same 3 rules on the FORWARD chain as well.

then, where should I put the same 3 rules on the FORWARD chain? after the INPUT chain or before?

According to this Mikrotik Wiki page...

http://wiki.mikrotik.com/wiki/Securing_your_router

Code: Select all

/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 

I'm just wondering why there is no NEW connection state?

Because you do NOT want to accept NEW connections! You only want to accept connections that you initiate from your network. That is how a SPI firewall works. If you send a request to the internet for something, then when it comes back it is "established or related", so it is allowed through. But, if something comes in that you did not request, then it is "new", and you want to block those!

Also, you should do those same 3 rules on the FORWARD chain as well.

then, where should I put the same 3 rules on the FORWARD chain? after the INPUT chain or before?

FORWARD chain is completely separate from INPUT. in the upper right, change to forward instead of all.

FORWARD chain is completely separate from INPUT. in the upper right, change to forward instead of all.

sry, I dont get you...

You meant the order of the filter rule, right?
Where should I put the FORWARD chain? after or before the INPUT chain?

It does not matter, they are completely separate. You can change the view to see them mixed together, but that is just the view. You should change the view to ONLY show either input or forward at one time. That setting is in the upper right.

Sent from my DROID4 using Tapatalk 2

It does not matter, they are completely separate. You can change the view to see them mixed together, but that is just the view. You should change the view to ONLY show either input or forward at one time. That setting is in the upper right.

Sent from my DROID4 using Tapatalk 2

oh I see... tq so much..