Do you have an allow established rule before this rule? Having the allow established rule will continue to allow those bad connections until you move the drop rule above it or restart the router.
-Louis

On Tue, Dec 17, 2013 at 11:19 AM, Rory McCann <[email protected]> wrote:
> Can someone explain to me why the following firewall rule isn't working:
>
>   add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp src-address-list=!SQL
>
> From what I understand, this rule should drop SQL traffic from any address not in the SQL address list, correct?
>
> My corresponding NAT rule is this:
>
>   add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7 to-ports=1433
>
> It seems as though the NAT rule was taking precedence over the Firewall rule. My SQL server was getting hammered with invalid logins until I added a src-address-list entry to the NAT rule as well.
>
> This is on ROS v6.7
>
> --
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> _______________________________________________
> Mikrotik mailing list
> [email protected]
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

--
-Louis
NTInet
O: 803-533-1660 X 207
C: 803-997-0004
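The following is an added, constructed model of the packet path this thread is about; it is not RouterOS code and not from either poster. It imitates the Netfilter-style order RouterOS uses: the dstnat chain runs in prerouting, so by the time a packet reaches the forward filter chain its destination has already been rewritten (1.2.3.4 becomes 10.2.7.7 here), and the forward chain is evaluated top to bottom with the first match deciding and no match meaning accept. The client and attacker addresses, the address-list contents and the three scenario functions are all made up for the example; only the NAT mapping and the rule fields come from the thread. The third scenario is Louis's point: an accept connection-state=established rule above the drop rule keeps letting an already-tracked flow through until the drop rule is moved above it or the tracked connection goes away.

```python
# Constructed model of prerouting dst-nat -> connection tracking -> forward
# filter chain. Not RouterOS code; addresses other than 1.2.3.4/10.2.7.7 are made up.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    dst: Optional[str] = None          # dst-address
    dport: Optional[int] = None        # dst-port
    src_list: Optional[str] = None     # src-address-list
    negate_src_list: bool = False      # src-address-list=!NAME
    conn_state: Optional[str] = None   # connection-state

    def matches(self, pkt: Packet, state: str, lists: dict) -> bool:
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_list is not None:
            in_list = pkt.src in lists.get(self.src_list, set())
            if in_list == self.negate_src_list:   # "!LIST" matches only non-members
                return False
        if self.conn_state is not None and state != self.conn_state:
            return False
        return True


class Router:
    def __init__(self, dst_nat, filter_rules, address_lists):
        self.dst_nat = dst_nat          # {(dst, dport): (to_address, to_port)}
        self.filter_rules = list(filter_rules)
        self.lists = address_lists
        self.conntrack = set()          # flows accepted earlier: (src, dst, dport)

    def forward(self, pkt: Packet) -> str:
        # 1. dstnat chain runs in prerouting: destination is rewritten before
        #    any forward-chain rule sees the packet.
        nat = self.dst_nat.get((pkt.dst, pkt.dport))
        if nat is not None:
            pkt = Packet(pkt.src, nat[0], nat[1])
        # 2. connection tracking: a flow accepted earlier is "established".
        key = (pkt.src, pkt.dst, pkt.dport)
        state = "established" if key in self.conntrack else "new"
        # 3. forward chain, top to bottom; first match decides, default accept.
        verdict = "accept"
        for rule in self.filter_rules:
            if rule.matches(pkt, state, self.lists):
                verdict = rule.action
                break
        if verdict == "accept":
            self.conntrack.add(key)
        return verdict


NAT = {("1.2.3.4", 1433): ("10.2.7.7", 1433)}          # from the thread
LISTS = {"SQL": {"203.0.113.10"}}                       # constructed permitted client
OUTSIDER = Packet("198.51.100.77", "1.2.3.4", 1433)     # constructed, not in SQL list
CLIENT = Packet("203.0.113.10", "1.2.3.4", 1433)        # constructed, in SQL list


def rule_as_posted() -> tuple:
    """Drop rule keyed on dst-address=1.2.3.4 (the pre-NAT address). The forward
    chain sees 10.2.7.7, so the rule never fires and the outsider gets through."""
    r = Router(NAT, [Rule("drop", dst="1.2.3.4", dport=1433,
                          src_list="SQL", negate_src_list=True)], LISTS)
    return r.forward(OUTSIDER), r.forward(CLIENT)


def rule_on_translated_address() -> tuple:
    """Same rule matched on the post-NAT destination: outsider dropped, client kept."""
    r = Router(NAT, [Rule("drop", dst="10.2.7.7", dport=1433,
                          src_list="SQL", negate_src_list=True)], LISTS)
    return r.forward(OUTSIDER), r.forward(CLIENT)


def established_rule_above_drop() -> tuple:
    """An outsider flow tracked before the drop rule existed stays accepted while
    'accept established' sits above the drop rule; moving the drop rule up ends it."""
    r = Router(NAT, [], LISTS)
    r.forward(OUTSIDER)                  # connects while no drop rule exists yet
    drop = Rule("drop", dst="10.2.7.7", dport=1433, src_list="SQL", negate_src_list=True)
    r.filter_rules = [Rule("accept", conn_state="established"), drop]
    still_allowed = r.forward(OUTSIDER)
    r.filter_rules = [drop, Rule("accept", conn_state="established")]
    after_move = r.forward(OUTSIDER)
    return still_allowed, after_move
```

The model only shows the ordering effects; on a real router the tracked entry for a flow that is now meant to be dropped also has to expire or be removed (RouterOS lists tracked flows under /ip firewall connection), which is why Louis mentions moving the rule or restarting the router.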

