I'll take a stab at it.
This being a Forward rule means it applies to anything that passes through the
router or interface.
Every packet out of the SFP interface except public ips coming to the SFP.
So if a packet that has an RFC1918 address in it, destined to the SFP to be NATted
or dst-NATted, then drop.
If you're worried about RFC1918 space trying to route, then use this:
add action=drop chain=forward comment="Drop ip fragmentation" \
connection-state=invalid
On 4/25/2017 6:38 PM, Jason McKemie wrote:
Can anyone see why this firewall rule would just be dropping all traffic?
add action=drop chain=forward comment="Drop Spoofed Traffic"
disabled=yes \
out-interface=sfp1 src-address-list=!Public-IPs
It's disabled here obviously, but other than that...
--
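To make the replier's point concrete, here is an added Python model (not code from the thread or from RouterOS) of how the forward chain evaluates the two rules above. It assumes a constructed Public-IPs list of 203.0.113.0/24, and relies on the fact that filter/forward in RouterOS runs before srcnat, so LAN traffic still carries its RFC1918 source when the rule is checked.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address list (assumption): the post does not show the real
# contents of Public-IPs, so a documentation prefix stands in for it.
ADDRESS_LISTS = {"Public-IPs": [ipaddress.ip_network("203.0.113.0/24")]}


@dataclass
class Packet:
    src: str
    dst: str
    out_interface: str
    connection_state: str = "new"


def in_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])


def matches(rule, pkt):
    """Evaluate one RouterOS-style filter rule (as a dict) against a packet."""
    if "out-interface" in rule and pkt.out_interface != rule["out-interface"]:
        return False
    if "src-address-list" in rule:
        name = rule["src-address-list"]
        negated = name.startswith("!")
        hit = in_list(pkt.src, name.lstrip("!"))
        if hit == negated:  # "!list" matches only when the source is NOT listed
            return False
    if "connection-state" in rule and pkt.connection_state != rule["connection-state"]:
        return False
    return True


def forward_chain(rules, pkt):
    """First matching enabled rule decides; default policy is accept."""
    for rule in rules:
        if rule.get("disabled") == "yes":
            continue
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


SPOOF_RULE = {"action": "drop", "chain": "forward", "out-interface": "sfp1",
              "src-address-list": "!Public-IPs"}
INVALID_RULE = {"action": "drop", "chain": "forward", "connection-state": "invalid"}

# Constructed packets: filter/forward sees the pre-srcnat source, so an ordinary
# LAN host still looks like 192.168.88.10 here and the spoof rule drops it.
LAN_TO_INTERNET = Packet("192.168.88.10", "198.51.100.7", "sfp1")
PUBLIC_TO_INTERNET = Packet("203.0.113.5", "198.51.100.7", "sfp1")
```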