comparefalo.blogg.se

Winbox firewall
Your MikroTik router has 3 main chains for rules: Input, Output and Forward.

Packets with a destination IP on the router (see /ip addresses for a list) will be checked with the input chain, so for the router itself, or if you have local devices where public IPs are port forwarded to a NATed IP, you need to use the input chain.

The output chain is for packets with a source IP on the router, meaning all packets originating on the router will be checked with the output chain. If you are using the router as the DNS server for your local network, its DNS requests will be using the output chain.

The forward chain is for all packets going through the router, being forwarded to a public IP either inside or outside of the router. In a server environment, the forward chain is therefore what you use the most.

A MikroTik router processes rules from the top to the bottom and stops processing more rules whenever it finds a rule that is true for the packet. In a very basic server environment, on the forward chain you will want to accept ports like 80+443 (web) for everyone, accept 22+3389 (ssh/rdp) for yourself, and drop the rest of the packets.

If a packet doesn't match any rule, it is accepted. You should therefore end the list with a drop rule with in-interface set to your internet interface. If you forget the in-interface, the drop rule will affect all packets going both in and out, and will probably stop a lot of things on your clients from working, as you primarily want only to drop traffic from the outside getting in.

You either accept the packets or you drop the packets. Accept will stop processing any more rules and let the packet through. Drop will also stop processing any more rules, and delete (drop) the packet without letting the sender know that the packet is dropped.

You can also reject the packet, that is, delete the packet and tell the sender that you deleted it, but by doing that you are really aiding any malicious sender by letting them know that there is a device here. So it is generally not recommended to reject; just drop it.

In your firewall, especially on a core device like your router, you need to minimize the amount of checks, as each check requires precious CPU power. Routers therefore use connection tracking to check the connection state.
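The filter list described above, written out as RouterOS terminal commands. This is an added example, not configuration from the original post: it assumes the internet-facing interface is called ether1, that the port-forwarded servers sit behind the forward chain, and that the admin connects from 203.0.113.10 (a constructed documentation-range address). Rules are listed in the order the router will evaluate them, with the connection-state rules first so that established traffic is accepted after a single check, and the final drop carries in-interface so that replies and LAN-originated traffic are not caught by it.

```routeros
# Added example (not from the original post). Assumes: WAN interface = ether1,
# admin source address = 203.0.113.10 (constructed, documentation range).
/ip firewall filter

# --- forward chain: traffic passing through the router to the servers ---
# 1. Connection tracking first: anything belonging to an already accepted
#    connection is let through without touching the rules below (saves CPU).
add chain=forward action=accept connection-state=established,related \
    comment="accept traffic of already tracked connections"
# 2. Packets that do not fit any tracked connection are dropped silently.
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid packets"
# 3. Web ports open for everyone coming in from the internet.
add chain=forward action=accept protocol=tcp dst-port=80,443 \
    in-interface=ether1 comment="web for everyone"
# 4. Management ports open only for the admin address.
add chain=forward action=accept protocol=tcp dst-port=22,3389 \
    src-address=203.0.113.10 in-interface=ether1 \
    comment="ssh/rdp for the admin only"
# 5. Final rule: drop (not reject) everything else arriving from the internet.
#    in-interface=ether1 is what keeps this from also dropping LAN-to-internet
#    traffic. The broken form to avoid would be:
#        add chain=forward action=drop
#    which matches every forwarded packet in both directions.
add chain=forward action=drop in-interface=ether1 \
    comment="drop everything else from the internet"

# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="accept tracked connections to the router"
add chain=input action=drop connection-state=invalid
# Allow management of the router only from the inside (anything not ether1).
add chain=input action=accept in-interface=!ether1 \
    comment="router reachable from LAN interfaces"
add chain=input action=drop in-interface=ether1 \
    comment="drop everything else aimed at the router from the internet"
```

After pasting this into a terminal, `/ip firewall filter print` shows the rules in evaluation order, and the `packets` counter on the established,related rule grows far faster than the others, which is the connection-tracking saving the post describes. Add the rules from a LAN-side session, or with `/system script` and safe mode, so that a typo in the last drop rule cannot lock you out.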