Community discussions

MikroTik App
  4. RouterOS
  5. General

v6.49 wrong input firewall rule order execution

Post Reply
 
User avatar
tplecko
Member Candidate
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia
Contact:
Contact tplecko

v6.49 wrong input firewall rule order execution

Sun Oct 24, 2021 12:19 am

When having rules:
add action=accept chain=input comment="Allow A.B.C.D" log=yes src-address=A.B.C.D
add action=drop chain=input comment="Drop all" disabled=yes in-interface=internet

router cannot resolve DNS (located at the A.B.C.D address):
resolve domain-name="fqdn" server=A.B.C.D

in fact, no resolving works when the second rule is active.
Top
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3124
Joined: Mon Apr 08, 2019 1:16 am

Re: v6.49 wrong input firewall rule order execution

Sun Oct 24, 2021 12:47 am

This is an outgoing DNS request, not a traffic initiated by the A.B.C.D server.
You should allow the answer for that established outgoing session.
See the default first rule : "defconf: accept established,related,untracked"
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
There is no need to accept input from server A.B.C.D for those DNS queries. (Better close that door ?)
Top
 
User avatar
tplecko
Member Candidate
Member Candidate
Topic Author
Posts: 120
Joined: Mon Jun 11, 2007 12:18 pm
Location: Croatia
Contact:
Contact tplecko

Re: v6.49 wrong input firewall rule order execution

Sun Oct 24, 2021 11:50 am

Thanks.
Works now.

I didn't expect that this would have to be explicitly set.
Top
Post Reply

Who is online

Users browsing this forum: thahemp and 14 guests
  4. RouterOS
  5. General