I am using Mikrotik RouterOS on a Mikrotik router.
There is a server in my network from which every outgoing connection, using any protocol, should be disabled. I achieved this with the following rule:
/ip firewall filter
action=drop chain=forward out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX
where XX:XX:XX:XX:XX:XX is the MAC address of the server's NIC.
Now I wanted to enable access from the Internet to this server only on a specific TCP port. I created a NAT rule for that:
/ip firewall nat
chain=dstnat action=netmap to-addresses=A.A.A.A to-ports=8912 protocol=tcp dst-address-type=local dst-port=8912
where A.A.A.A is the server's IP address in the LAN.
Then I tried to connect to the router from outside over TCP port 8912 and got no response, but noticed that the first rule was triggered.
After that I placed another firewall rule just before the first rule to always allow ACK from the server:
/ip firewall filter
chain=forward action=accept tcp-flags=ack protocol=tcp out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX
and everything worked.
Is it a good or bad idea to always allow TCP ACK from the server? What are the drawbacks?
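The following is an added example, not part of the question above, showing the stateful alternative to the tcp-flags=ack rule next to the weak version. It reuses the names from the post (ether1-gateway as the WAN interface, XX:XX:XX:XX:XX:XX as the server's MAC, A.A.A.A as its LAN address) and assumes connection tracking is active, which RouterOS enables automatically once a NAT rule exists.

```routeros
# Added example, not the questioner's configuration. Names as in the post:
# ether1-gateway = WAN interface, XX:XX:XX:XX:XX:XX = server MAC,
# A.A.A.A = server LAN address. Assumes connection tracking is on
# (it is automatically once any NAT rule exists).
/ip firewall filter

# Weak version from the post: stateless. Any TCP packet with ACK set passes,
# whether or not the router ever saw a matching inbound connection, so the
# server can still emit crafted ACK-flagged segments toward the Internet.
# add chain=forward action=accept protocol=tcp tcp-flags=ack \
#     out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX

# Corrected version: only packets that belong to a connection conntrack
# already knows (e.g. the inbound dstnat'ed session on tcp/8912) are let out.
# A connection the server opens itself is connection-state=new and falls
# through to the drop below. This also covers UDP and ICMP replies, which
# the ACK rule never did.
add chain=forward action=accept connection-state=established,related \
    out-interface=ether1-gateway src-mac-address=XX:XX:XX:XX:XX:XX \
    comment="server: replies to tracked connections only"

# Optional: discard packets conntrack cannot associate with any connection
# (stray ACKs, out-of-window segments) instead of letting them reach later rules.
add chain=forward action=drop connection-state=invalid \
    comment="server: drop untracked"

# The original block-all rule stays; it is now reached only by packets the
# stateful accept did not match, i.e. new connections from the server.
add chain=forward action=drop out-interface=ether1-gateway \
    src-mac-address=XX:XX:XX:XX:XX:XX comment="server: no outbound"

# Rule order matters. Verify placement and watch the counters while
# connecting from outside to tcp/8912 and attempting an outbound
# connection from the server: the first should hit the accept, the
# second the final drop.
/ip firewall filter print stats where comment~"server"
```

The difference between the two approaches is where the decision is made. tcp-flags=ack inspects one packet in isolation, so anything the server sends with that bit set is allowed out regardless of history; connection-state consults the conntrack table, so the server can only answer sessions that were opened toward it through the dstnat rule and cannot originate traffic of its own, on any protocol.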