2.9.17 Forward rule that I don't understand. Bug maybe?

Posted: Tue Mar 14, 2006 2:18 am
by blankman
Hello All:
So, I have a rule in my forward chain that I can't figure out.
6   chain=forward dst-address=172.31.5.252 protocol=tcp action=jump jump-target=chat
19:00:32 firewall,info before chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info ssh chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info ssl chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
19:00:32 firewall,info chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:57208->172.31.5.252:443, len 60
This is what prints this log out:
0   chain=chat protocol=tcp action=log log-prefix="before"
1   chain=chat dst-address=172.31.5.252 dst-port=22 action=log log-prefix="ssh"
2   chain=chat dst-address=172.31.5.252 dst-port=443 connection-state=new action=log log-prefix="ssl"
3   chain=chat action=log log-prefix=""
4   chain=chat action=reject reject-with=icmp-host-unreachable
Now, maybe I am REALLY out of it, but how can both dst-ports (22,443) be matching?
Any help is much appreciated :-)


So just for the grin of it, I tried one other thing. This time both match on the port, even though it is port 23!
19:09:30 firewall,info before chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info ssh chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info ssl chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60
19:09:30 firewall,info chat: in:ether1 out:ether2, src-mac a:b:c:d:e:f, proto TCP (SYN), w.x.y.z:51480->172.31.5.252:23, len 60

Posted: Tue Mar 14, 2006 1:32 pm
by normis
It is required to specify protocol (tcp/udp) to match tcp/udp ports.

Posted: Tue Mar 14, 2006 2:14 pm
by blankman
It is required to specify protocol (tcp/udp) to match tcp/udp ports.
Thanks normis. That did do it. Just for those that might want to use the search feature:

If you are using the dst-port on a firewall filter chain, the system requires you to tell it the protocol of something that "cares" about a port before it will match on your port. Thus the dst-port will only work if you have used something like tcp or udp.

Cheers all.
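An added audit check for the mistake in this thread (my own code, not from the thread or from MikroTik): it reads a RouterOS `print`-style listing of filter rules and flags every rule that sets dst-port or src-port without protocol=tcp/udp, since such a rule ignores the port and fires on far more traffic than intended. It assumes numbered key=value lines as shown in the thread; the chain below is a constructed copy of blankman's chat chain.

```python
import shlex

# The chat chain as printed in the thread (constructed copy; blank lines dropped).
CHAT_CHAIN = """\
0   chain=chat protocol=tcp action=log log-prefix="before"
1   chain=chat dst-address=172.31.5.252 dst-port=22 action=log log-prefix="ssh"
2   chain=chat dst-address=172.31.5.252 dst-port=443 connection-state=new action=log log-prefix="ssl"
3   chain=chat action=log log-prefix=""
4   chain=chat action=reject reject-with=icmp-host-unreachable
"""

PORT_MATCHERS = ("dst-port", "src-port")
PORT_PROTOCOLS = {"tcp", "udp"}  # assumption: only the protocols the thread mentions


def parse_rule(line):
    """Turn one 'print' line (optional rule number, then key=value tokens) into a dict."""
    tokens = shlex.split(line)  # shlex keeps quoted values such as log-prefix="before" intact
    if tokens and tokens[0].isdigit():
        tokens = tokens[1:]
    rule = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule


def lint_port_rules(listing):
    """Return (rule, reason) for each rule that sets a port matcher without
    protocol=tcp/udp; in the thread such a rule matched packets on any port."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        used = [m for m in PORT_MATCHERS if m in rule]
        if used and rule.get("protocol") not in PORT_PROTOCOLS:
            findings.append((rule, f"{'/'.join(used)} ignored: no protocol=tcp|udp on the rule"))
    return findings


if __name__ == "__main__":
    for rule, reason in lint_port_rules(CHAT_CHAIN):
        print(f"chain={rule.get('chain')} dst-port={rule.get('dst-port')}: {reason}")
```

Rules 1 and 2 (dst-port 22 and 443) are reported; rule 0 is not, because it carries protocol=tcp and no port matcher.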