MikroTik

Posted: **Fri Jan 02, 2015 5:58 pm**

A few firewall questions

a) in 'mangle' I see also the accept/drop/reject actions. I though mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'?

b) What is the 'hotspot' match in both mangle/filter? The wiki only says:

hotspot (auth | from-client | http | local-dst | to-client; Default: )

without explanation. Could 'auth' mean: authenticated firewall traffic? What about the other options?

Posted: **Fri Jan 02, 2015 6:04 pm**

two more:

a) does connection-state=!established,related mean: !(established,related) (ie neither) or !established, but related?
I hope the former as there is no way to say !established,!related either, but the doco is sketchy

b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?

The default config contains:

8 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""

9 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=G1-world log=no log-prefix=""

What is 'connection-nat-state' ? The wiki doesn't say either

Posted: **Sat Jan 03, 2015 12:05 am**

See inline for a few answers.

A few firewall questions

a) in 'mangle' I see also the accept/drop/reject actions. I though mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'?

Mangle is for mangling packets. It has an accept action but not drop or reject.

b) What is the 'hotspot' match in both mangle/filter? The wiki only says:

hotspot (auth | from-client | http | local-dst | to-client; Default: )

without explanation. Could 'auth' mean: authenticated firewall traffic? What about the other options?

I believe you are correct on this one. If you create a hotspot you will see a number of auto generated rules which use these different states to create jump actions. Most of the time you will not need to match these states on your own.

a) does connection-state=!established,related mean: !(established,related) (ie neither) or !established, but related?
I hope the former as there is no way to say !established,!related either, but the doco is sketchy

In my experience it means connection-state=!(established,related).

b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?

Its a unique state or at least one that still allows new through. I have my invalid drop rule at the very top right below the established,related allow rule. My new traffic still makes its way through the appropriate rules.

What is 'connection-nat-state' ? The wiki doesn't say either.

This along with the connection state checkboxes are new as of ROS 6.22. The release notes offer the following insight:

*) improved connection-state matcher in firewall - can match multiple states in one rule, supports negation;
*) added connection-nat-state matcher - can match connections that are srcnatted,dstnatted or both;

Think of it as a way to create a allow all rule for dst-nat or src-nat traffic with out needing to generate both the NAT table rule and the filter table rule

Posted: **Sat Jan 03, 2015 5:47 pm**

Mangle is for mangling packets. It has an accept action but not drop or reject.

You're right. So 'accept' here only means that it stops processing the 'mangle' table, but doesn't also skip the normal firewall tables (so there is still a chance to drop it? Or does that make it just accept the packet as it bypassing the main firewall?

Posted: **Sat Jan 03, 2015 7:14 pm**

Mangle is for mangling packets. It has an accept action but not drop or reject.
You're right. So 'accept' here only means that it stops processing the 'mangle' table, but doesn't also skip the normal firewall tables (so there is still a chance to drop it? Or does that make it just accept the packet as it bypassing the main firewall?

skip the mangle only, if not in a sub-chain (custom) it's the same as action 'return'

Posted: **Sat Jan 03, 2015 11:23 pm**

As bajodel mentioned each table evaluated independently as each have a different function. If you look at the data flow diagrams at the link below helps it make more sense.

http://forum.mikrotik.com/viewtopic.php ... 49#p418449

MikroTik

firewall questions

firewall questions

Re: firewall questions

Re: firewall questions

Re: firewall questions

Re: firewall questions

Re: firewall questions