MikroTik: List Firewall Rules

MikroTik RouterOS has a very powerful firewall implementation.

It is enabled by default and contains that rules that allow to ping to your MikroTik router from outside, access it from LAN and drop everything from WAN.

This short note shows how to list firewall rules on a MikroTik router through the WinBox/WinFig interface or from the command line.

Cool Tip: Simple MikroTik WiFi configuration! Read more →

List Firewall Rules in MikroTik

To print the MikroTik firewall filter rules from the command line, log in to the MikroTik router over SSH and execute the commands below, depending on a protocol:

[admin@MikroTik] > /ip firewall filter print
[admin@MikroTik] > /ipv6 firewall filter print
- sample output -
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

To list the MikroTik firewall filter rules through the WinBox/WinFig interface, open the “IP” or “IPv6” menu and click on the “Firewall“:

To get more detailed information about all the MikroTik firewall settings and to see the commands that have been used to configure the firewall, execute:

[admin@MikroTik] > /ip firewall export verbose
[admin@MikroTik] > /ipv6 firewall export verbose
Was it useful? Share this post with the world!

Leave a Reply