If there are both clients with local IPs and servers with public IPs behind your router, you need two rules, one with both chains. If it is in front of your office or home, it should be chain=input. If your router is protecting servers, the established/related rule should be chain=forward. As a MikroTik stops processing rules further down the list, whenever a rule is found to be true, you can bypass all subsequent rules and minimize CPU usage for all established/related packets, by putting this rule at the top of your firewall list. Therefore it is usually wise to begin your firewall rules with an input/forward accept rule for all connection-state=established/related.
an FTP connection opening another data port), we want to accept all the packets. But for all subsequent packets in the same connection, we don't need to check them as the connection have already been checked, so for all connections already established (or related, that is ex.
For all new connections, we need to check all our rules, to see if we want the connection to go through. Routers therefore use connection tracking, to check the connection state. In your firewall - especially on a core device like your router - you need to minimize the amount of checks, as each check requires precious CPU power. You can also reject the packet, that is delete the packet and tell the sender that you deleted it, but by doing that you are really aiding any malicious sender, by letting them know that there is a device here. So it is generally not recommended to reject, just drop it. Drop will also stop processing any more rules, and delete (drop) the packet without letting the sender know that the packet is dropped. Accept will stop processing any more rules and let the packet through. You either accept the packets or you drop the packets. If you forget the in-interface, the drop rule will affect all packets going both in and out, and probably stop a lot of things on your clients from working, as you primarily want only to drop traffic from the outside getting in. If it doesn't meet any rules that are true, the packet is accepted, you should therefore end the list with a drop rule with in-interface set to your internet interface.
In a very basic server environment, on the forward chain you will want to accept ports like 80+443 (web) for everyone, accept 22+3389 (ssh/rdp) for yourself, and drop the rest of the packets.Ī MikroTik router processes rules from the top to the bottom and stops processing more rules, whenever it finds a rule that is true for the packet. In a server environment, the forward chain is therefore what you use the most. The forward chain is for all packets going through the router - being forwarded to a public IP either inside or outside of the router. The output chain is for packets with a source IP on the router, meaning all packets originating on the router will be checked with the output chain. If you are using the router as DNS server for your local network, it's DNS requests will be using the output chain. Packets with a destination ip on the router (see /ip addresses for a list) will be checked with the input chain, so for the router itself or if you have local devices where public IPs are port forwarded to a NATed IP, you need to use the input chain. Your MikroTik router have 3 main chains for rules: Input, Output and Forward.
0 kommentar(er)
