Community discussions

MikroTik App
 
5009Owner
newbie
Topic Author
Posts: 34
Joined: Sun Jan 09, 2022 9:09 am

The order of firewall rules

Thu Oct 27, 2022 9:17 am

There is one thing I'm wondering. Well, just now.
The "drop invalid" rule.
Many configuration put this rule as a second or third rule in the chain. Usually first rule is "accept established,related,untracked".
I understand these rules work in order, first rule, second rule and so on.
Now, first rule "accept established,related,untracked" let traffic flow if traffic is "established,related,untracked". And firewall does not check following rules anymore?
What if this traffic "established,related,untracked" contain something "invalid"? Is it checked by firewall at all?
Should "drop invalid" be the first rule?

Another thing, does this "drop invalid" really need all this: viewtopic.php?t=83387 ? (How to ***really*** block invalid ICMP, TCP, UDP packets and others (ver. 2021))
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: The order of firewall rules

Thu Oct 27, 2022 3:29 pm

No.
Please read viewtopic.php?t=180838
 
Sob
Forum Guru
Forum Guru
Posts: 9049
Joined: Mon Apr 20, 2009 9:11 pm

Re: The order of firewall rules

Thu Oct 27, 2022 9:14 pm

TL;DR, connection tracking recognizes five states and each packet can have only one. If it's established, it can't be invalid. There are more established/related/untracked packets than invalid, so that's why that rule is first.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: The order of firewall rules

Thu Oct 27, 2022 11:01 pm

As per the link to make invalid rule have more teeth ensure tcp connection tracking is set to strict (do not check box for loose tracking).

( ip firewall connections tracking )
 
5009Owner
newbie
Topic Author
Posts: 34
Joined: Sun Jan 09, 2022 9:09 am

Re: The order of firewall rules

Fri Oct 28, 2022 8:40 am

Ok, that make sense. I lost my focus and I didn't realise that packet can have only one state. I'm quite happy to have Mikrotik router because all problems are solved sooner or later here in the forum.
 
paulz
just joined
Posts: 12
Joined: Wed May 25, 2022 1:25 pm

Re: The order of firewall rules

Fri Oct 28, 2022 12:47 pm

Do you have a "drop everything else" kind of rule in the final? If you have, why bother?

BTW: You should be the happiest by being the owner of a RB5009, not just "quite happy". ;)
 
5009Owner
newbie
Topic Author
Posts: 34
Joined: Sun Jan 09, 2022 9:09 am

Re: The order of firewall rules

Fri Oct 28, 2022 2:12 pm

Yes of course I have "drop everything" in the end of the chains. Just making things clear to me.
My state of happiness is now elevated to the top.
Last edited by 5009Owner on Fri Oct 28, 2022 3:36 pm, edited 1 time in total.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: The order of firewall rules

Fri Oct 28, 2022 2:12 pm

Do you have a "drop everything else" kind of rule in the final? If you have, why bother?

BTW: You should be the happiest by being the owner of a RB5009, not just "quite happy". ;)
Dont go overboard with emotions about an inanimate object there paulz. ;-)
 
mkx
Forum Guru
Forum Guru
Posts: 8970
Joined: Thu Mar 03, 2016 10:23 pm

Re: The order of firewall rules

Fri Oct 28, 2022 3:50 pm

Do you have a "drop everything else" kind of rule in the final? If you have, why bother?

It's not the same actually.

Imagine this scenario: you have the usual sequence of firewall filter rules:
  1. accept established,related,untracked
  2. accept connections for your service (e.g. protocol=tcp dst-port=80)
  3. drop everything

So if some malicious device sent a packet, targeting your HTTP server, but would be invalid according to firewall's connection tracking machinery, the filter rule set above would still allow such malicious packet to be forwarded to server behind firewall. If there's a "drop invalid" rule right after rule #1 above (or even as absolute first rule), then the malicious packet wouldn't reach backend server.
 
5009Owner
newbie
Topic Author
Posts: 34
Joined: Sun Jan 09, 2022 9:09 am

Re: The order of firewall rules

Fri Oct 28, 2022 6:27 pm

So in the case of 5009, I believe it have enough cpu power to handle traffic if "drop invalid" is the first rule ( it will check all the packets for "invalid")? But I think I will keep it as a second rule. I don't want to push my nice router even close to the limits...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 14520
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: The order of firewall rules

Fri Oct 28, 2022 6:41 pm

So in the case of 5009, I believe it have enough cpu power to handle traffic if "drop invalid" is the first rule ( it will check all the packets for "invalid")? But I think I will keep it as a second rule. I don't want to push my nice router even close to the limits...
Many people use far lesser powered routers with the same ruleset with no degradation in performance.
So keep it as is.

input chain
(default rules)
1 accept, established
2 drop invalid
3 allow icmp
4(admin rules)
5 drop all else.

Who is online

Users browsing this forum: Amazon [Bot], k6ccc, pinkviolette and 30 guests