MikroTik: List Firewall Rules

MikroTik RouterOS has a very powerful firewall implementation.

It is enabled by default and contains rules that allow pinging your MikroTik router from outside and accessing it from the LAN, and that drop everything else from the WAN.

This short note shows how to list firewall rules on a MikroTik router through the WinBox/WebFig interface or from the command line.

List Firewall Rules in MikroTik

To print the MikroTik firewall filter rules from the command line, log in to the MikroTik router over SSH and execute one of the commands below, depending on the protocol:

[admin@MikroTik] > /ip firewall filter print
[admin@MikroTik] > /ipv6 firewall filter print
- sample output -
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
...
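When reviewing a saved copy of this listing, the flags column matters as much as the rule text: a rule marked X or I is listed but not enforced. The following is an added example, not part of the original post; it parses the print layout shown above and checks that the default non-LAN drop in the input chain is still active. The function names and the disabled rule in the sample are constructed for illustration.

```python
import re

# Constructed sample in the print layout shown above; the X flag on rule 2 is invented.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
"""

HEADER = re.compile(r"^\s{0,3}(\d+)\s+([XID]*)\s*(.*)$")  # number, flags, rest
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S+)')              # key=value pairs

def parse_rules(text):
    """Turn print output into dicts: id, flags, comment, props."""
    rules = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rules.append({"id": int(m[1]), "flags": set(m[2]), "comment": "", "props": {}})
            rest = m[3]
        elif rules and line.strip():
            rest = line.strip()          # continuation line of the last rule
        else:
            continue                     # blank line or the "Flags:" legend
        if rest.startswith(";;;"):
            rules[-1]["comment"] = rest[3:].strip()
        else:
            rules[-1]["props"].update(PROP.findall(rest))
    return rules

def audit_input_chain(rules):
    """Report input rules that are not enforced and a missing non-LAN drop."""
    chain = [r for r in rules if r["props"].get("chain") == "input"]
    off = [r for r in chain if r["flags"] & {"X", "I"}]
    findings = [f"rule {r['id']} is disabled or invalid, so it is not enforced" for r in off]
    if not any(r["props"].get("action") == "drop"
               and r["props"].get("in-interface-list") == "!LAN"
               for r in chain if r not in off):
        findings.append("no enforced 'drop in-interface-list=!LAN' rule in chain=input")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_input_chain(parse_rules(SAMPLE))))
```

The check only looks for the default-configuration drop rule; a router that restricts the input chain in a different way needs its own condition in `audit_input_chain`.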

To list the MikroTik firewall filter rules through the WinBox/WebFig interface, open the “IP” or “IPv6” menu and click on “Firewall”.

To get more detailed information about all the MikroTik firewall settings and to see the commands that have been used to configure the firewall, execute:

[admin@MikroTik] > /ip firewall export verbose
[admin@MikroTik] > /ipv6 firewall export verbose