
Between Stateful and Stateless: Mastering the MikroTik Firewall


The MikroTik firewall supports both stateful rules (backed by connection tracking) and stateless packet filtering, and it is the security function used to manage the flow of data to, from, and through the router.

Along with Network Address Translation (NAT), it serves as a tool to prevent unauthorized access to directly connected networks and to the router itself, as well as a filter for outgoing traffic.

At the end of the article you will find a small test that will allow you to assess the knowledge acquired in this reading.

Stateful Firewall

These rules follow the state of connections: the firewall keeps track of the state of each connection and allows traffic based on that state. This is useful for allowing response traffic on connections initiated from within the network.

Connection tracking lets the firewall make more informed decisions about which packets to allow or block, depending on the context of the connection. For example, a stateful firewall will let the response to a previously allowed request pass, even if the response packet itself is not explicitly matched by any firewall rule.

Stateful filtering offers enhanced security benefits, as it can effectively prevent unauthorized access attempts and protect against phishing attacks.

Stateful firewalls also provide better application-level filtering capabilities, allowing you to control which applications and protocols can communicate through the firewall.


Stateless Firewall

These rules do not follow the state of connections and are applied independently to each packet. Each packet is filtered according to the criteria established by the rule, regardless of previous connections.

Stateless firewalls, on the other hand, do not maintain a state table and only inspect individual packets based on their source and destination addresses, ports, and protocol headers.

They operate as packet filters, making decisions based solely on the information contained in each packet.

Difference between Stateful and Stateless Firewall

| Feature                     | Stateful firewall                           | Stateless firewall                         |
|-----------------------------|---------------------------------------------|--------------------------------------------|
| Connection tracking         | Yes                                         | No                                         |
| Security                    | Improved                                    | Basic                                      |
| Application-level filtering | Granular                                    | Limited                                    |
| Performance                 | Lower                                       | Higher                                     |
| Consumption of resources    | Higher                                      | Lower                                      |
| Suitability                 | Enterprise networks, sensitive applications | Home networks, high-bandwidth environments |

Examples of Stateless rules

In MikroTik RouterOS, stateless firewall rules are created without taking into account the state of the connections, that is, they are applied regardless of previous connections. Here are some examples of stateless rules that could be useful in certain scenarios:

1. Allow traffic from a specific IP address:

   /ip firewall filter add chain=forward src-address=192.168.1.100 action=accept

This rule allows traffic coming from the IP address 192.168.1.100 in the forwarding chain.

2. Allow traffic from a specific subnet:

   /ip firewall filter add chain=forward src-address=192.168.2.0/24 action=accept

This rule allows traffic from the 192.168.2.0/24 subnet in the forwarding chain.

3. Block traffic to a specific IP address:

   /ip firewall filter add chain=forward dst-address=203.0.113.10 action=drop

This rule blocks all traffic going to the IP address 203.0.113.10 in the forwarding chain.

These are just examples and you should adapt the rules based on your specific needs and your network topology. Also, keep in mind that these rules are stateless, so they do not take into account the state of previous connections.

Examples of Stateful rules

In MikroTik RouterOS, stateful firewall rules focus on the state of connections, meaning they allow or block traffic based on the connection state. Here are some examples of stateful rules:

1. Allow all outbound traffic and related responses:

   /ip firewall filter add chain=forward connection-state=established,related action=accept

This rule allows traffic that is part of an established or related connection in the forwarding chain.

2. Allow specific traffic from outside:

   /ip firewall filter add chain=forward in-interface=ether1 connection-state=new protocol=tcp dst-port=80 action=accept

This rule allows TCP traffic destined for port 80 from the outside through the ether1 interface in the forwarding chain.

3. Block unsolicited incoming traffic:

   /ip firewall filter add chain=input connection-state=new action=drop

This rule blocks all incoming traffic that is not part of an established connection in the input chain. Because filter rules are evaluated from top to bottom, it must sit below any accept rules for new connections (such as the ICMP rule below) that should still be reached.

4. Allow incoming ICMP traffic for ping requests:

   /ip firewall filter add chain=input connection-state=new protocol=icmp action=accept

This rule allows incoming ICMP traffic for ping requests in the input chain.

5. Block traffic to a specific port from outside:

   /ip firewall filter add chain=input in-interface=ether1 connection-state=new protocol=tcp dst-port=22 action=drop

This rule blocks incoming TCP traffic to port 22 (SSH) from the outside through the ether1 interface in the input chain. RouterOS only accepts the dst-port matcher together with a protocol, so protocol=tcp is required for the rule to be added.


These are just examples and you should adjust the rules based on your specific requirements and network configuration. Stateful rules are essential to allow necessary traffic and maintain security by blocking unwanted traffic.
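To make the difference between the stateless and stateful examples above concrete, here is an added Python model (constructed for this article, not RouterOS code) that evaluates rule dictionaries written with the page's own matcher names over a constructed TCP request and reply; the interface names, addresses and ports are assumptions.

```python
"""Toy model of RouterOS filter evaluation (constructed, not MikroTik code): rules
match top to bottom, first match wins, unmatched packets are accepted (RouterOS's
implicit default) and a connection table backs the connection-state matcher."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# chain: "input" (to the router) or "forward" (through it); ports stay 0 for icmp
Packet = namedtuple("Packet", "chain in_iface proto src dst sport dport", defaults=(0, 0))


class Firewall:
    def __init__(self, rules):
        self.rules = rules   # dicts keyed by RouterOS matcher names plus "action"
        self.conns = set()   # accepted flows as 5-tuples

    def _state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "established" if {fwd, rev} & self.conns else "new"

    def _matches(self, rule, p):
        checks = {
            "chain": lambda v: v == p.chain,
            "in-interface": lambda v: v == p.in_iface,
            "protocol": lambda v: v == p.proto,
            "dst-port": lambda v: p.proto in ("tcp", "udp") and p.dport == v,
            "src-address": lambda v: ip_address(p.src) in ip_network(v, strict=False),
            "dst-address": lambda v: ip_address(p.dst) in ip_network(v, strict=False),
            "connection-state": lambda v: self._state(p) in v,
        }
        return all(checks[k](v) for k, v in rule.items() if k != "action")

    def filter(self, p):
        action = next((r["action"] for r in self.rules if self._matches(r, p)), "accept")
        if action == "accept":   # accepted traffic creates the tracked flow
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


# Constructed flow: a LAN host opens TCP/443 to an outside server; the reply
# arrives on ether1, the outside interface used in the page's examples.
REQUEST = Packet("forward", "ether2", "tcp", "192.168.2.10", "203.0.113.5", 40000, 443)
REPLY = Packet("forward", "ether1", "tcp", "203.0.113.5", "192.168.2.10", 443, 40000)

def stateless_demo():   # LAN-out accept, then drop everything arriving on ether1
    fw = Firewall([{"chain": "forward", "src-address": "192.168.2.0/24", "action": "accept"},
                   {"chain": "forward", "in-interface": "ether1", "action": "drop"}])
    return fw.filter(REQUEST), fw.filter(REPLY)   # ("accept", "drop"): reply has no rule

def stateful_demo():    # the page's rule 1 on top makes the reply "established"
    fw = Firewall([{"chain": "forward", "connection-state": {"established", "related"}, "action": "accept"},
                   {"chain": "forward", "src-address": "192.168.2.0/24", "action": "accept"},
                   {"chain": "forward", "in-interface": "ether1", "connection-state": {"new"}, "action": "drop"}])
    return fw.filter(REQUEST), fw.filter(REPLY)   # ("accept", "accept")
```

Feeding the input-chain rules 3 and 4 from the stateful examples to Firewall in that order also shows the ordering caveat: the drop of connection-state=new matches a new ICMP packet first, so the ICMP accept never fires until it is moved above the drop.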

Brief knowledge quiz

QUIZ - Between Stateful and Stateless: Mastering the MikroTik Firewall