Firewall Filter Rules

The RouterOS firewall filter is the primary mechanism for controlling which packets are allowed to pass through or enter the router. Rules in the filter table are evaluated in order — the first matching rule determines the outcome. Understanding chains, actions, and connection tracking states is essential for building correct and efficient firewall policies.
Quick Start
Minimal stateful firewall protecting the router itself and forwarded traffic:

```
/ip firewall filter
# Drop invalid packets early
add chain=input connection-state=invalid action=drop comment="drop invalid input"
add chain=forward connection-state=invalid action=drop comment="drop invalid forward"

# Accept established and related (return traffic)
add chain=input connection-state=established,related action=accept comment="accept established/related input"
add chain=forward connection-state=established,related action=accept comment="accept established/related forward"

# Accept ICMP (ping, traceroute, etc.)
add chain=input protocol=icmp action=accept comment="accept ICMP input"

# Accept new connections from LAN to internet
add chain=forward in-interface=ether2 connection-state=new action=accept comment="accept LAN new forward"

# Drop everything else
add chain=input action=drop comment="drop all other input"
add chain=forward action=drop comment="drop all other forward"
```

Chains
RouterOS firewall filter uses three built-in chains. Each chain processes packets at a different point in the packet flow.
| Chain | Processes | Typical Use |
|---|---|---|
| input | Packets destined for the router itself | Protect router management access |
| forward | Packets routed through the router | Control LAN-to-WAN, inter-VLAN traffic |
| output | Packets originating from the router | Rarely needed; restrict router-generated traffic |
input Chain
The input chain processes packets whose destination is the router itself — management traffic (Winbox, SSH, HTTP, SNMP), DNS queries to the router, ICMP pings to router interfaces.

```
# Allow Winbox only from management network
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
    src-address=192.168.100.0/24 action=accept comment="allow Winbox from mgmt"

# Allow SSH only from trusted host
/ip firewall filter add chain=input protocol=tcp dst-port=22 \
    src-address=192.168.100.10 action=accept comment="allow SSH from admin"
```

forward Chain
The forward chain processes packets that enter one interface and exit another. This is where LAN-to-internet and inter-VLAN policies are enforced.

```
# Allow LAN to internet
/ip firewall filter add chain=forward in-interface=bridge-lan \
    out-interface=ether1-wan action=accept comment="LAN to WAN"

# Block LAN from reaching a restricted VLAN
/ip firewall filter add chain=forward in-interface=bridge-lan \
    dst-address=10.10.20.0/24 action=drop comment="no access to restricted VLAN"
```

output Chain
The output chain processes packets that originate from the router itself. This is rarely needed in typical deployments.

```
# Log all router-originated traffic to a specific host (diagnostic use)
/ip firewall filter add chain=output dst-address=203.0.113.5 \
    action=log log-prefix="router-to-host"
```

Custom Chains
You can create custom chains and use jump to send traffic to them. This improves readability and allows reuse of logic.

```
# Jump to a custom chain
/ip firewall filter add chain=forward connection-state=new \
    action=jump jump-target=new-conn-policy

# Rules in the custom chain
/ip firewall filter add chain=new-conn-policy src-address=10.0.0.0/8 \
    action=accept

# Use 'return' to exit back to the calling chain without a match;
# it must sit before the chain's final drop, or it is never reached
/ip firewall filter add chain=new-conn-policy protocol=tcp dst-port=443 \
    action=return

/ip firewall filter add chain=new-conn-policy action=drop
```

Actions
Each filter rule specifies one action to take when a packet matches.
| Action | Effect |
|---|---|
| accept | Allow the packet; stop processing rules in this chain |
| drop | Silently discard the packet; stop processing |
| reject | Discard and send ICMP unreachable back to sender |
| log | Log the packet, then continue to the next rule |
| passthrough | Like log — count the packet, continue to next rule |
| jump | Transfer processing to a named custom chain |
| return | Exit the current chain, resume in the calling chain |
| fasttrack | Mark connection for FastTrack acceleration; bypass further processing |
| add-src-to-address-list | Add source address to an address list |
| add-dst-to-address-list | Add destination address to an address list |
| tarpit | Hold TCP connections open to exhaust attacker resources |
accept vs. drop vs. reject
```
# accept — allow traffic silently
/ip firewall filter add chain=forward src-address=192.168.1.0/24 action=accept

# drop — silently discard (preferred for security; gives no information to attacker)
/ip firewall filter add chain=input action=drop

# reject — discard and notify sender (use for internal networks where feedback is useful)
/ip firewall filter add chain=forward dst-address=10.0.0.5 \
    action=reject reject-with=icmp-admin-prohibited
```

reject-with options: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-admin-prohibited, tcp-reset.
log Action
log is a non-terminating action — it records the packet and continues evaluating rules.

```
# Log and then drop
/ip firewall filter add chain=input src-address=203.0.113.0/24 \
    action=log log-prefix="blocked-src" log-limit=10/1s
/ip firewall filter add chain=input src-address=203.0.113.0/24 \
    action=drop
```

Use log-limit to prevent log flooding. Format is count/time (e.g., 10/1s = 10 log entries per second).
fasttrack Action
FastTrack bypasses most firewall processing for established/related connections, offloading them to a faster path.

```
/ip firewall filter add chain=forward connection-state=established,related \
    action=fasttrack connection-mark=no-mark comment="FastTrack established"
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="accept established (post-FastTrack)"
```

Connection Tracking
Connection tracking maintains a state table of active network connections, allowing the firewall to make decisions based on the state of a flow rather than inspecting each packet independently.
States
| State | Meaning |
|---|---|
| new | First packet of a connection not yet in the tracking table |
| established | Packet belongs to a connection that has seen traffic in both directions |
| related | Packet related to an existing connection (e.g., FTP data channel, ICMP errors for a TCP flow) |
| invalid | Packet does not match any known connection and cannot be identified |
| untracked | Connection tracking bypassed (RAW table notrack action) |
Using connection-state Matcher
```
# Match multiple states with a comma-separated list
/ip firewall filter add chain=forward \
    connection-state=established,related action=accept

# Match a single state
/ip firewall filter add chain=input \
    connection-state=new protocol=tcp dst-port=22 action=accept

# Drop invalid packets (should appear early in ruleset)
/ip firewall filter add chain=input connection-state=invalid action=drop
```

Why Drop invalid?
Packets marked invalid do not belong to any tracked connection and cannot be classified. They may indicate:
- Port scans sending unexpected ACK/RST packets
- IP spoofing
- Misconfigured NAT
- Out-of-order packets from asymmetric routing
Always drop invalid packets as the first rule (or early) in your filter chains.
Viewing the Connection Table
```
# Print all tracked connections
/ip firewall connection print

# Filter by state
/ip firewall connection print where connection-state=established

# Print with details (protocol, addresses, ports, timeout)
/ip firewall connection print detail

# Flush all connections (caution — drops all active sessions)
/ip firewall connection remove [find]
```

Connection Tracking Settings
```
# View current settings
/ip firewall connection tracking print

# Disable connection tracking (advanced — breaks NAT and stateful filtering)
/ip firewall connection tracking set enabled=no

# Adjust TCP timeout for established connections (default: 1 day)
/ip firewall connection tracking set tcp-established-timeout=1d

# UDP timeout (default: 10 seconds for stream, 30s for others)
/ip firewall connection tracking set udp-stream-timeout=1m
```

Disabling connection tracking prevents all stateful matching (connection-state, connection-mark, NAT). Only disable it if you understand the full impact.
Rule Evaluation Order
Rules are evaluated top to bottom. The first matching rule’s action is applied; subsequent rules are not checked (for terminating actions like accept, drop, reject). Order matters significantly.

Recommended Ordering

1. Drop invalid (early exit — no state to track)
2. Accept established/related (bulk of return traffic — fast exit)
3. Accept loopback/ICMP (if applicable)
4. Specific accept rules for new connections
5. Drop-all (default deny)

Viewing and Reordering Rules
```
# Print rules with rule numbers
/ip firewall filter print

# Move rule #5 before rule #2 (numbers are those shown by the last print)
/ip firewall filter move 5 destination=2

# Enable/disable a rule without removing it
/ip firewall filter disable 3
/ip firewall filter enable 3
```

Rule Statistics

```
# Show hit counts and bytes per rule
/ip firewall filter print stats

# Reset stats
/ip firewall filter reset-counters [find]
```

Rules with zero hits may be unreachable (shadowed by earlier rules) or never triggered.
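The first-match semantics described above can be checked offline before touching a live router. The following Python script is an added example (not from this page or from MikroTik): it models a small subset of filter matchers, evaluates constructed sample packets against a ruleset in page order, and reports rules that never hit, the same signal as a zero counter in `print stats`. The rule and packet dictionaries, the matcher subset and the sample traffic are assumptions made for the example.

```python
import ipaddress
# Constructed ruleset (assumption: only these matchers are modelled), in the page's
# recommended input-chain order, plus one rule after drop-all that can never be reached.
RULES = [
    {"chain": "input", "connection-state": {"invalid"}, "action": "drop"},
    {"chain": "input", "connection-state": {"established", "related"}, "action": "accept"},
    {"chain": "input", "protocol": "icmp", "action": "accept"},
    {"chain": "input", "action": "log"},  # non-terminating: evaluation continues
    {"chain": "input", "protocol": "tcp", "dst-port": {22, 8291},
     "src-address": "192.168.100.0/24", "action": "accept"},
    {"chain": "input", "action": "drop"},
    {"chain": "input", "protocol": "tcp", "dst-port": {80}, "action": "accept"},  # shadowed
]
TERMINATING = {"accept", "drop", "reject"}

def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dst-port" in rule and pkt.get("dport") not in rule["dst-port"]:
        return False
    if "src-address" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src-address"]):
        return False
    return True

def evaluate(rules, pkt, hits):
    """First terminating match decides; log counts a hit and falls through."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            hits[i] += 1
            if rule["action"] in TERMINATING:
                return rule["action"]
    return "accept"  # RouterOS accepts a packet that reaches the end of a chain

def zero_hit_rules(rules, packets):
    """Indexes of rules the sample traffic never hits: shadowed or dead rules."""
    hits = [0] * len(rules)
    for pkt in packets:
        evaluate(rules, pkt, hits)
    return [i for i, n in enumerate(hits) if n == 0]

PACKETS = [  # constructed sample traffic, one packet per intended path
    {"chain": "input", "state": "invalid", "proto": "tcp", "src": "198.51.100.7", "dport": 22},
    {"chain": "input", "state": "established", "proto": "tcp", "src": "192.168.100.10", "dport": 8291},
    {"chain": "input", "state": "new", "proto": "icmp", "src": "198.51.100.7"},
    {"chain": "input", "state": "new", "proto": "tcp", "src": "192.168.100.10", "dport": 22},
    {"chain": "input", "state": "new", "proto": "tcp", "src": "198.51.100.7", "dport": 80},
]
```

Running `zero_hit_rules(RULES, PACKETS)` reports index 6, the accept rule placed after drop-all; the log rule at index 3 is hit twice because it does not terminate evaluation.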
Practical Rulesets
Basic Router Protection (input chain)

```
/ip firewall filter
# Drop invalid
add chain=input connection-state=invalid action=drop comment="drop invalid"

# Accept established/related
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# Accept ICMP
add chain=input protocol=icmp action=accept comment="accept ICMP"

# Accept from loopback
add chain=input in-interface=lo action=accept comment="accept loopback"

# Management access (restrict to admin network)
add chain=input protocol=tcp dst-port=22,8291,80,443 \
    src-address=192.168.100.0/24 action=accept comment="allow mgmt from admin net"

# Drop everything else
add chain=input action=drop comment="drop all input"
```

Stateful LAN Firewall (forward chain)

```
/ip firewall filter
# Drop invalid
add chain=forward connection-state=invalid action=drop comment="drop invalid forward"

# FastTrack established (optional, performance)
add chain=forward connection-state=established,related \
    action=fasttrack connection-mark=no-mark comment="FastTrack"

# Accept established/related
add chain=forward connection-state=established,related \
    action=accept comment="accept established/related"

# Accept new from LAN to WAN
add chain=forward in-interface=bridge-lan out-interface=ether1-wan \
    connection-state=new action=accept comment="LAN to WAN new"

# Drop all other forward
add chain=forward action=drop comment="drop all other forward"
```

Anti-Spoofing

```
/ip firewall filter
# Drop packets claiming to be from LAN arriving on WAN
add chain=forward in-interface=ether1-wan \
    src-address=192.168.0.0/16 action=drop comment="anti-spoof LAN range"
add chain=forward in-interface=ether1-wan \
    src-address=10.0.0.0/8 action=drop comment="anti-spoof RFC1918"
add chain=forward in-interface=ether1-wan \
    src-address=172.16.0.0/12 action=drop comment="anti-spoof RFC1918"
```

Port Blocking

```
/ip firewall filter
# Block SMB from reaching WAN
add chain=forward out-interface=ether1-wan \
    protocol=tcp dst-port=139,445 action=drop comment="block SMB to WAN"

# Block incoming Telnet from WAN
add chain=input in-interface=ether1-wan \
    protocol=tcp dst-port=23 action=drop comment="block Telnet from WAN"
```

Matchers Reference
Common matchers used in firewall filter rules:

| Matcher | Example | Description |
|---|---|---|
| chain | chain=forward | Which chain the rule applies to |
| connection-state | connection-state=new,established | Connection tracking state |
| protocol | protocol=tcp | IP protocol (tcp, udp, icmp) |
| src-address | src-address=192.168.1.0/24 | Source IP or subnet |
| dst-address | dst-address=10.0.0.1 | Destination IP or subnet |
| src-port | src-port=1024-65535 | Source port or range |
| dst-port | dst-port=80,443 | Destination port or comma list |
| in-interface | in-interface=ether1 | Incoming interface |
| out-interface | out-interface=ether2 | Outgoing interface |
| src-address-list | src-address-list=blocklist | Match against address list |
| connection-mark | connection-mark=voip | Match connections marked by mangle |
| tcp-flags | tcp-flags=syn | TCP flag matching |
| limit | limit=10,5:packet | Rate limiting matcher |
Troubleshooting
Rules Not Matching

```
# Check rule order and hit counts
/ip firewall filter print stats

# Sniff packets on an interface to confirm they reach the router (RouterOS 7+ syntax)
/tool/packet-sniffer quick interface=ether1 ip-address=203.0.113.1

# Check if connection tracking is enabled
/ip firewall connection tracking print
```

Unexpected Drops

```
# Add a temporary log rule before the drop-all to see what's being dropped
# (narrow the find, e.g. by comment, if the chain has more than one drop rule)
/ip firewall filter add chain=input action=log log-prefix="INPUT-DROP" \
    place-before=[find chain=input action=drop]

# Watch the log
/log print follow where topics~"firewall"
```

Remove the log rule after diagnosis.
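Once the temporary log rule is in place, the lines pile up quickly. This Python parser is an added example (not from this page or from MikroTik) that aggregates log lines by incoming interface, protocol and destination port so the dominant source of unexpected drops stands out. The line layout it expects (`<topics> <prefix> <chain>: in:<if> out:<if>, proto <P> (<flags>), <src>:<port>-><dst>:<port>, len <n>`) and the sample lines are constructed assumptions; adjust the regex if your RouterOS version logs a different layout.

```python
import re
from collections import Counter

# Constructed sample lines shaped like RouterOS firewall log output for a rule with
# action=log log-prefix="INPUT-DROP" (assumption: the exact layout may vary by version).
SAMPLE_LOG = """\
firewall,info INPUT-DROP input: in:ether1-wan out:(unknown 0), proto TCP (SYN), 198.51.100.7:51234->203.0.113.10:23, len 60
firewall,info INPUT-DROP input: in:ether1-wan out:(unknown 0), proto TCP (SYN), 198.51.100.7:51235->203.0.113.10:23, len 60
firewall,info INPUT-DROP input: in:ether1-wan out:(unknown 0), proto UDP, 198.51.100.9:40000->203.0.113.10:161, len 78
firewall,info INPUT-DROP input: in:bridge-lan out:(unknown 0), proto TCP (SYN), 192.168.1.50:52000->192.168.1.1:8291, len 60
firewall,info INPUT-DROP input: in:ether1-wan out:(unknown 0), proto ICMP (type 8, code 0), 198.51.100.7->203.0.113.10, len 84
"""

LINE_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>input|forward|output): in:(?P<in_if>\S+) out:.*?, "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

def parse_line(line):
    """Return the fields a defender needs from one log line, or None if it is not a firewall log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"]) if d["dport"] else None  # ICMP lines carry no ports
    return d

def summarize_drops(text, prefix="INPUT-DROP"):
    """Count logged packets per (in-interface, proto, dport) for the given log-prefix,
    most frequent first, so the noisiest dropped flow is visible at a glance."""
    counter = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix:
            counter[(rec["in_if"], rec["proto"], rec["dport"])] += 1
    return counter.most_common()

if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG):
        print(n, key)
```

On the constructed sample the top entry is two TCP/23 attempts arriving on ether1-wan, i.e. the Telnet traffic the Port Blocking ruleset above is meant to drop, while the bridge-lan hit on 8291 points at a LAN host being denied Winbox by the same drop-all.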
High CPU from Firewall
FastTrack established/related connections to bypass full rule evaluation:

```
/ip firewall filter add chain=forward connection-state=established,related \
    action=fasttrack connection-mark=no-mark place-before=0
```

Check for rules with broad matchers early in the chain that force all packets through slow processing.
Related Topics
- Packet Flow in RouterOS — How packets traverse chains
- DDoS Protection — Rate limiting with dst-limit
- Brute Force Prevention — Address list blocking
- Port Knocking — Dynamic rule activation