...

  • NEW - The NEW state tells us that the packet is the first packet that we see. This means that the first packet that the conntrack module sees, within a specific connection, will be matched. For example, if we see a SYN packet and it is the first packet in a connection that we see, it will match;
  • ESTABLISHED - The ESTABLISHED state has seen traffic in both directions and will then continuously match those packets. ESTABLISHED connections are fairly easy to understand. The only requirement to get into an ESTABLISHED state is that one host sends a packet and that it, later on, gets a reply from the other host. The NEW state will upon receipt of the reply packet to or through the firewall change to the ESTABLISHED state;
  • RELATED - A connection is considered RELATED when it is related to another already ESTABLISHED connection. For a connection to be considered as RELATED, we must first have a connection that is considered ESTABLISHED. The ESTABLISHED connection will then spawn a connection outside of the main connection. The newly spawned connection will then be considered RELATED, for example, a packet that begins the FTP data connection;
  • INVALID - The INVALID state means that the packet can't be identified or that it does not have any state. It is suggested to DROP everything in this state;
  • UNTRACKED - A packet that was set to bypass connection tracking in the Firewall RAW table;

Filters

Firewall filters are used to allow or block specific packets forwarded to your local network, originating from your router, or destined to the router.

There are two methods on how to set up filtering:

  • allow specific traffic and drop everything else
  • drop only malicious traffic, everything else is allowed.

Both methods have pros and cons. For example, from a security point of view the first method is much more secure, but it requires administrator input whenever traffic for a new service needs to be accepted. This strategy provides good control over the traffic and reduces the possibility of a breach caused by service misconfiguration.

On the other hand, when securing a customer network it would be an administrative nightmare to accept all possible services that users may use. Therefore careful planning of the firewall is essential in advanced setups.

A firewall filter consists of three predefined chains that cannot be deleted:

  • input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
  • forward - used to process packets passing through the router
  • output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

When processing a chain, rules are taken from the chain in the order they are listed there, from top to bottom. If a packet matches the criteria of a rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the built-in chain, then it is accepted. Packet processing in RouterOS is described in more detail in the Packet Flow in RouterOS diagram.
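The following is an added example, not code from the RouterOS documentation: a small Python model of the chain evaluation just described (first matching rule decides, passthrough only counts the match and continues, no match means accept). The chain it evaluates mirrors the "allow only ICMP, ssh and winbox to the router, drop the rest" policy from the Configuration Example below, using the default RouterOS ports 22 (ssh) and 8291 (winbox); the Packet and Rule classes are this example's own simplification.

```python
# Added example (not from the RouterOS docs): model of how a RouterOS firewall
# chain evaluates its rules. Rules are checked top to bottom; the first matching
# rule with a terminating action decides the packet, a matching "passthrough"
# rule only records the match and continues, and a packet that matches no rule
# is accepted (the built-in default).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    state: str = "new"          # conntrack state: new, established, related, invalid

@dataclass(frozen=True)
class Rule:
    action: str                         # "accept", "drop" or "passthrough"
    proto: Optional[str] = None         # None means any protocol
    dst_port: Optional[int] = None      # None means any port
    states: frozenset = frozenset()     # empty means any connection state
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (not self.states or pkt.state in self.states))

def run_chain(chain, pkt):
    """Return (verdict, comments of every rule that matched)."""
    matched = []
    for rule in chain:
        if rule.matches(pkt):
            matched.append(rule.comment)
            if rule.action != "passthrough":   # terminating action: stop here
                return rule.action, matched
    return "accept", matched                   # fell off the end: default accept

# Input chain protecting the router (constructed for this example):
# accept established/related, drop invalid, allow ICMP/ssh/winbox, drop the rest.
INPUT_CHAIN = [
    Rule("accept", states=frozenset({"established", "related"}), comment="established,related"),
    Rule("drop", states=frozenset({"invalid"}), comment="drop invalid"),
    Rule("passthrough", proto="tcp", dst_port=22, comment="count ssh"),
    Rule("accept", proto="icmp", comment="allow icmp"),
    Rule("accept", proto="tcp", dst_port=22, comment="allow ssh"),
    Rule("accept", proto="tcp", dst_port=8291, comment="allow winbox"),
    Rule("drop", comment="drop everything else"),
]
```

Note that without the final drop rule, the unmatched HTTP packet in the test below would be accepted, which is exactly why the page's example ends with a rule dropping everything.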
Configuration Example

Let's look at a basic firewall setup to protect the router. By default the RouterOS firewall accepts everything; blocking is achieved by adding a filter rule that drops everything at the end of all the rules. For our router we want to allow only ICMP, ssh and winbox and drop the rest:

...