Administrace komentářů

firewall,info invalid forward: in:LAN out:pppoe-out1, src-mac XXXX, proto TCP (ACK,FIN), XXX.XXX.XXX.XXX:56872->185.14.116.10:80, len 40

20:15:30 firewall,info invalid forward: in:LAN out:pppoe-out1, src-mac XXXX, proto TCP (RST), XXX.XXX.XXX.XXX:53024->31.13.84.36:443, len 40

20:15:42 firewall,info invalid forward: in:LAN out:pppoe-out1, src-mac XXXX, proto TCP (ACK,FIN), XXX.XXX.XXX.XXX:56872->185.14.116.10:80, len 40

20:16:12 firewall,info invalid forward: in:LAN out:pppoe-out1, src-mac XXXX, proto TCP (ACK,FIN), XXX.XXX.XXX.XXX:56872->185.14.116.10:80, len 40

Flags: X - disabled, I - invalid, D - dynamic

0 D ;;; special dummy rule to show fasttrack counters

chain=forward action=passthrough

1 ;;; default configuration

chain=input action=accept connection-state=established,related

2 chain=input action=accept src-address-list=allowed_to_router

3 chain=input action=accept protocol=icmp

4 ;;; FastTrack

chain=forward action=fasttrack-connection connection-state=established,related

5 ;;; Established, Related

chain=forward action=accept connection-state=established,related

6 chain=input action=drop

7 ;;; Drop invalid

chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"

8 ;;; Drop tries to reach not public addresses from LAN

chain=forward action=drop dst-address-list=not_in_internet in-interface=LAN out-interface=!LAN log=yes log-prefix="!public_from_LAN"

9 ;;; Drop incoming packets that are not NATted

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes log-prefix="!NAT"

10 ;;; Drop incoming from internet which is not public IP

chain=forward action=drop src-address-list=not_in_internet in-interface=ether1 log=yes log-prefix="!public"

11 ;;; Drop packets from LAN that do not have LAN IP

chain=forward action=drop src-address=!XXX.XXX.XXX.0/24 in-interface=LAN log=yes log-prefix="LAN_!LAN"