yudigadget
Frequent Visitor
Topic Author
Posts: 60
Joined: Fri Mar 23, 2007 1:09 pm

Established & Related connections ?

Thu Apr 10, 2014 3:15 am

Dear all,
I read http://wiki.mikrotik.com/wiki/Protecting_your_customers and there are firewall filter rules like this:
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

and this is my firewall filters:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; DVR
chain=forward action=accept protocol=tcp dst-address=172.168.100.4
dst-port=8081

1 ;;; allow known IP Address
chain=forward action=accept src-address-list=allow

2 X ;;; accept established connection packets
chain=forward action=accept connection-state=established

3 ;;; accept related connection packets
chain=forward action=accept connection-state=related

4 ;;; allow access to router from local network
chain=input action=accept src-address=172.168.0.0/16 dst-address=172.168.100.1
in-interface=ether2-local

5 ;;; allow ICMP from local
chain=forward action=accept protocol=icmp src-address=172.168.0.0/16
in-interface=ether2-local

6 ;;; portknock 1
chain=input action=add-src-to-address-list protocol=tcp address-list=knock
address-list-timeout=30s dst-port=1234

7 ;;; portknock 2
chain=input action=add-src-to-address-list protocol=tcp src-address-list=knock
address-list=safe address-list-timeout=15m dst-port=4321

8 ;;; allow access to router from known network
chain=input action=accept src-address-list=safe

9 ;;; accept established connection packets
chain=input action=accept connection-state=established
in-interface=ether1-firstmedia

10 ;;; accept established connection packets
chain=input action=accept connection-state=established
in-interface=ether3-speedy

11 ;;; accept related connection packets
chain=input action=accept connection-state=related
in-interface=ether1-firstmedia

12 ;;; accept related connection packets
chain=input action=accept connection-state=related in-interface=ether3-speedy

13 ;;; allow ICMP
chain=input action=accept protocol=icmp in-interface=ether1-firstmedia

14 ;;; allow ICMP
chain=input action=accept protocol=icmp in-interface=ether3-speedy

15 ;;; drop invalid packets
chain=input action=drop connection-state=invalid

16 ;;; drop others
chain=input action=drop

17 ;;; drop unknown IP Address
chain=forward action=drop src-address=172.168.0.0/16


As you can see above, I have these specific rules:
1 ;;; allow known IP Address
chain=forward action=accept src-address-list=allow
17 ;;; drop unknown IP Address
chain=forward action=drop src-address=172.168.0.0/16
So, the problem is that every time I disable someone's IP in the address list, that computer can still access the internet. Recently I learned why the internet connection is not disabled automatically: because of this rule:
2 X ;;; accept established connection packets
chain=forward action=accept connection-state=established
So, after I disable this one, if I disable/enable someone's IP in the address list, it automatically turns their internet connection off/on.
Alternatively, I must delete the established connections:
[admin@MikroTik] > /ip firewall connection print
or reboot the MikroTik device

My questions are:
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

What is the problem if I don't use those filter rules? Especially the first rule.

Thank you

Best Regards,
Yudi Wijaya
 
AlexS
Member Candidate
Posts: 282
Joined: Thu Oct 10, 2013 7:21 am

Re: Established & Related connections ?

Sat Apr 12, 2014 4:51 am

Hi

Not sure if there is a problem. If the firewall engine is based on Linux (and I think it is), then rules are evaluated from top to bottom; the first two lines make evaluation a lot quicker.


Some people create allow/permit lines that stipulate only the start of new connections and not the packets that are not part of a SYN handshake; without the "established" statement, the other packets would fail.

The "related" rule allows related flows, think FTP... The firewall knows some protocols and understands when applications open up other ports, and allows them through.
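To make both points in this thread concrete (the original question about why a revoked address-list entry keeps passing traffic, and the reply about top-to-bottom evaluation and why the "established" rule exists), here is an added Python simulation of a first-match forward chain with a small connection-tracking table. It is example code written for this thread, not MikroTik's or the poster's code; the host addresses, list names and rule order are constructed samples, and "flushing" a host stands in for removing its entries from the table the poster prints with /ip firewall connection print.

```python
"""Toy first-match firewall evaluator, constructed for this thread (not MikroTik code).

It models a RouterOS-style forward chain: rules are tried top to bottom, the first
match decides, and a small connection-tracking table marks a flow as 'new' on its
first accepted packet and 'established' for every later packet in either direction.
All addresses, lists and rules below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                             # "accept" or "drop"
    comment: str = ""
    connection_state: Optional[str] = None  # "new", "established" or None (any)
    src_address_list: Optional[str] = None  # name of a dynamic address list
    src_prefix: Optional[str] = None        # e.g. "172.168.0.0/16"

    def matches(self, pkt: Packet, state: str, lists: dict) -> bool:
        if self.connection_state and state != self.connection_state:
            return False
        if self.src_address_list and pkt.src not in lists.get(self.src_address_list, set()):
            return False
        if self.src_prefix and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_prefix):
            return False
        return True


class Firewall:
    def __init__(self, rules, address_lists):
        self.rules = rules
        self.lists = address_lists
        self.conntrack = set()  # direction-independent keys of accepted flows

    @staticmethod
    def flow_key(pkt: Packet):
        # Same key for a packet and its reply, like a conntrack entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def forward(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        state = "established" if key in self.conntrack else "new"
        verdict = "accept"  # RouterOS accepts when no rule in the chain matched
        for rule in self.rules:
            if rule.matches(pkt, state, self.lists):
                verdict = rule.action
                break
        if verdict == "accept":
            self.conntrack.add(key)
        return verdict

    def flush_host(self, host: str) -> None:
        """Stand-in for removing one host's entries from /ip firewall connection."""
        self.conntrack = {k for k in self.conntrack if all(ep[0] != host for ep in k)}


# Constructed rules mirroring the poster's forward chain, plus an explicit final drop.
LAN = "172.168.0.0/16"
ALLOW = Rule("accept", "allow known IP Address", src_address_list="allow")
ESTABLISHED = Rule("accept", "accept established connection packets", connection_state="established")
DROP_LAN = Rule("drop", "drop unknown IP Address", src_prefix=LAN)
DROP_ALL = Rule("drop", "drop others")

HOST = "172.168.1.10"                           # constructed LAN host
OUT = Packet(HOST, 40000, "203.0.113.5", 443)   # LAN host to an internet server
BACK = Packet("203.0.113.5", 443, HOST, 40000)  # the server's reply


def run_revocation(rules, flush: bool = False) -> str:
    """Accept one flow from an allowed host, remove the host from the list, retry."""
    lists = {"allow": {HOST}}
    fw = Firewall(rules, lists)
    assert fw.forward(OUT) == "accept"
    lists["allow"].discard(HOST)  # operator disables the address-list entry
    if flush:
        fw.flush_host(HOST)
    return fw.forward(OUT)


def run_reply(rules) -> str:
    """Accept the outbound packet, then see what happens to the server's reply."""
    fw = Firewall(rules, {"allow": {HOST}})
    fw.forward(OUT)
    return fw.forward(BACK)


if __name__ == "__main__":
    print("poster's order, revoked:      ", run_revocation([ALLOW, ESTABLISHED, DROP_LAN]))
    print("poster's order, revoked+flush:", run_revocation([ALLOW, ESTABLISHED, DROP_LAN], True))
    print("drop before established:      ", run_revocation([ALLOW, DROP_LAN, ESTABLISHED]))
    print("reply, final drop, no estab.: ", run_reply([ALLOW, DROP_LAN, DROP_ALL]))
    print("reply, final drop, estab.:    ", run_reply([ALLOW, DROP_LAN, ESTABLISHED, DROP_ALL]))
```

In the poster's order the "established" rule sits above the address-list drop, so a flow that was accepted while the host was on the list keeps matching rule 2 after the entry is removed; the verdict only changes once the tracked connection is gone or the drop rule is moved above the "established" rule. The second pair of runs shows the reply's point: with an explicit final drop and no "established" rule, the server's reply packet is discarded, which is why such a rule is normally kept even when the address-list drop is placed ahead of it.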