MikroTik: List Firewall Rules

MikroTik RouterOS has a very powerful firewall implementation.

It is enabled by default and contains rules that allow pinging your MikroTik router from outside, allow access to it from the LAN, and drop everything from the WAN.

This short note shows how to list firewall rules on a MikroTik router through the WinBox/WebFig interface or from the command line.


List Firewall Rules in MikroTik

To print all the MikroTik firewall rules from the command line, log in to the MikroTik router over SSH and execute:

[admin@MikroTik] > /ip firewall filter print
- sample output -
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
...
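
When auditing a router, the printed listing can be checked offline. The following is an added example, not part of the original note: it parses output in the format shown above and reports when the input chain has no active "drop all not coming from LAN" rule, or when an earlier accept-everything rule makes that drop unreachable. The function names and the sample (constructed, with the drop rule disabled to produce a finding) are assumptions.

```python
import re

# Constructed sample in the "/ip firewall filter print" format; rule 2 is disabled (X).
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
"""

HEAD = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")  # rule number, flags, rest of line
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')        # key=value properties

def parse_rules(text):
    """Turn the printed listing into dicts with id, flags, comment and props."""
    rules = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            rules.append({"id": int(m.group(1)), "flags": m.group(2),
                          "comment": "", "props": {}})
            line = m.group(3)
            if line.startswith(";;;"):  # comment line, properties follow below
                rules[-1]["comment"], line = line[3:].strip(), ""
        if rules:
            rules[-1]["props"].update((k, v.strip('"')) for k, v in PAIR.findall(line))
    return rules

def input_chain_findings(rules):
    """Check that an active drop for non-LAN input exists and is reachable."""
    active = [r for r in rules if r["props"].get("chain") == "input"
              and not set(r["flags"]) & {"X", "I"}]
    drop_at = next((i for i, r in enumerate(active) if r["props"].get("action") == "drop"
                    and r["props"].get("in-interface-list") == "!LAN"), None)
    findings = []
    if drop_at is None:
        findings.append("no active drop for in-interface-list=!LAN in chain=input")
    # Rules are evaluated top to bottom, so an earlier accept with no matchers wins.
    for r in active[:drop_at]:
        if r["props"] == {"chain": "input", "action": "accept"}:
            findings.append(f"rule {r['id']} accepts all input before the drop")
    return findings

if __name__ == "__main__":
    print(input_chain_findings(parse_rules(SAMPLE)))
```

An empty list means the input chain still ends in an active drop for traffic not coming from the LAN interface list.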

To list the MikroTik firewall rules through the WinBox/WebFig interface, go to “IP” and click “Firewall”.
