Yes! That's my guess too ;) Definitely worth fixing the rules - will deliver some CPU relief at the very least ;)

Cheers! Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Friday, 8 May 2020 12:10 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] empty connection-state value in filter rule?

On Fri, 2020-05-08 at 10:52 +1000, Mike Everest wrote:
> A quick test proves that connection-state="" is the same as connection-state=invalid,established,related,new,untracked [...] If so, then the resulting behaviour would match your observations, since the rules will match all packets, including 'new' - and your other rules that explicitly relate to 'established' work to maintain valid connections (because it only takes one 'new' input packet to create an established connection)

I will have to think on that ... if that's the case, why don't all SSH connections end up blocked after four packets? Ah - because my "established" rule is processed before my blacklist rules! OK, makes sense.
Thanks! But I think I will still fix up those rules. With a deal more confidence :-)
Regards, K.
--
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
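
An added illustration of the reasoning in the thread above (not code from either poster, and not RouterOS itself): a toy first-match model of an input chain with a staged SSH blacklist, showing why rule order hides the effect of an empty connection-state. The chain layout, list names and source address are assumptions, since the thread does not show the actual rules.

```python
# Toy model only: rule layout, list names and the address are constructed.
ALL_STATES = {"invalid", "established", "related", "new", "untracked"}
STAGES = ["ssh_stage1", "ssh_stage2", "ssh_stage3", "ssh_blacklist"]

def build_chain(staged_states, established_first):
    """Ordered rules as (connection states, required src list, action)."""
    chain = []
    if established_first:
        chain.append(({"established", "related"}, None, "accept"))
    chain.append((ALL_STATES, "ssh_blacklist", "drop"))
    # Escalation rules, highest stage first, so one packet moves one stage.
    for i in range(len(STAGES) - 1, 0, -1):
        chain.append((staged_states, STAGES[i - 1], "add:" + STAGES[i]))
    chain.append((staged_states, None, "add:" + STAGES[0]))
    chain.append((ALL_STATES, None, "accept"))
    return chain

def process(chain, lists, src, state):
    """Run one packet through the chain; the first terminating match wins."""
    for states, src_list, action in chain:
        if state not in states:
            continue
        if src_list is not None and src not in lists[src_list]:
            continue
        if action.startswith("add:"):
            lists[action[4:]].add(src)  # list-add is non-terminating
            continue
        return action
    return "accept"

def run(staged_states, established_first, packet_states, src="192.0.2.10"):
    """Return (verdict per packet, whether src ended up blacklisted)."""
    lists = {name: set() for name in STAGES}
    chain = build_chain(staged_states, established_first)
    verdicts = [process(chain, lists, src, s) for s in packet_states]
    return verdicts, src in lists["ssh_blacklist"]

ONE_SESSION = ["new"] + ["established"] * 7   # a single SSH connection
SIX_ATTEMPTS = ["new"] * 6                    # six separate connection attempts

if __name__ == "__main__":
    # connection-state="" modelled as ALL_STATES, per the test quoted above
    print(run(ALL_STATES, True, ONE_SESSION))    # established rule shields it
    print(run(ALL_STATES, False, ONE_SESSION))   # blacklisted mid-session
    print(run({"new"}, True, SIX_ATTEMPTS))      # intended behaviour
```

With the established rule first, the staged rules still evaluate every 'new' packet against all five states, but no later packet of an accepted connection ever reaches them.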