sejtam
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Dec 14, 2014 4:23 pm

firewall questions

Fri Jan 02, 2015 5:58 pm

A few firewall questions

a) in 'mangle' I see also the accept/drop/reject actions. I thought mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'?

b) What is the 'hotspot' match in both mangle/filter? The wiki only says:

hotspot (auth | from-client | http | local-dst | to-client; Default: )

without explanation. Could 'auth' mean: authenticated firewall traffic? What about the other options?
 
sejtam
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Dec 14, 2014 4:23 pm

Re: firewall questions

Fri Jan 02, 2015 6:04 pm

two more:

a) does connection-state=!established,related mean: !(established,related) (i.e. neither) or !established, but related?
I hope the former, as there is no way to say !established,!related either, but the doco is sketchy.


b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?


The default config contains:

8 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""

9 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=G1-world log=no log-prefix=""

What is 'connection-nat-state'? The wiki doesn't say either.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: firewall questions

Sat Jan 03, 2015 12:05 am

See inline for a few answers.
> A few firewall questions
>
> a) in 'mangle' I see also the accept/drop/reject actions. I thought mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'?

Mangle is for mangling packets. It has an accept action but not drop or reject.

> b) What is the 'hotspot' match in both mangle/filter? The wiki only says:
>
> hotspot (auth | from-client | http | local-dst | to-client; Default: )
>
> without explanation. Could 'auth' mean: authenticated firewall traffic? What about the other options?

I believe you are correct on this one. If you create a hotspot you will see a number of auto-generated rules which use these different states to create jump actions. Most of the time you will not need to match these states on your own.

> a) does connection-state=!established,related mean: !(established,related) (i.e. neither) or !established, but related?
> I hope the former, as there is no way to say !established,!related either, but the doco is sketchy.

In my experience it means connection-state=!(established,related).

> b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?

It's a unique state, or at least one that still allows new through. I have my invalid drop rule at the very top, right below the established,related allow rule. My new traffic still makes its way through the appropriate rules.

> What is 'connection-nat-state'? The wiki doesn't say either.

This, along with the connection-state checkboxes, is new as of ROS 6.22. The release notes offer the following insight:
*) improved connection-state matcher in firewall - can match multiple states in one rule, supports negation;
*) added connection-nat-state matcher - can match connections that are srcnatted,dstnatted or both;
Think of it as a way to create an allow-all rule for dst-nat or src-nat traffic without needing to generate both the NAT table rule and the filter table rule.
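A worked forward chain that applies the rule ordering jkarras describes, as an added example that is not from the thread or from MikroTik's default configuration. It assumes RouterOS 6.22 or later (for connection-nat-state), reuses the WAN interface name G1-world from the default config quoted above, and uses a constructed placeholder address 192.168.88.10 for the published server:

```routeros
# Added example, not from the thread. Assumes RouterOS >= 6.22 (connection-nat-state
# matcher), WAN interface G1-world (name taken from the default config quoted above),
# and a constructed placeholder web server at 192.168.88.10.

/ip firewall nat
# Publish the internal server; this is the only rule that has to mention port 443.
add chain=dstnat in-interface=G1-world protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.10 comment="publish web server"

/ip firewall filter
# 1. Replies and related flows (ICMP errors, FTP data, ...) take the fast path.
add chain=forward connection-state=established,related action=accept \
    comment="allow established,related"
# 2. invalid is its own tracker state, not "not new": dropping it here does not
#    stop genuinely new connections from reaching the rules below.
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. New connections that already hit a dst-nat rule are accepted by NAT state,
#    so publishing another service needs only a NAT rule, not a second filter rule.
add chain=forward connection-state=new connection-nat-state=dstnat \
    action=accept comment="allow dst-natted new connections"
# 4. New connections from the LAN side (any interface except the WAN) may go out.
add chain=forward connection-state=new in-interface=!G1-world action=accept \
    comment="allow LAN-originated traffic"
# 5. Mirrors default rule 9: negation applies to the whole value, so !dstnat means
#    "was not dst-natted". Logging lets the rule's effect be checked in /log.
add chain=forward connection-state=new connection-nat-state=!dstnat \
    in-interface=G1-world action=drop log=yes log-prefix="fwd-drop" \
    comment="drop unsolicited new connections from WAN"
```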
 
sejtam
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Dec 14, 2014 4:23 pm

Re: firewall questions

Sat Jan 03, 2015 5:47 pm

> Mangle is for mangling packets. It has an accept action but not drop or reject.

You're right. So 'accept' here only means that it stops processing the 'mangle' table, but doesn't also skip the normal firewall tables (so there is still a chance to drop it)? Or does that make it just accept the packet, as in bypassing the main firewall?
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: firewall questions

Sat Jan 03, 2015 7:14 pm

> Mangle is for mangling packets. It has an accept action but not drop or reject.
> You're right. So 'accept' here only means that it stops processing the 'mangle' table, but doesn't also skip the normal firewall tables (so there is still a chance to drop it)? Or does that make it just accept the packet, as in bypassing the main firewall?

It skips the mangle only; if not in a (custom) sub-chain, it's the same as action 'return'.
 
jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: firewall questions

Sat Jan 03, 2015 11:23 pm

As bajodel mentioned, each table is evaluated independently, as each has a different function. Looking at the data flow diagrams at the link below helps it make more sense.

http://forum.mikrotik.com/viewtopic.php ... 49#p418449
