Is the firewall rule counting packets?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Dec 17, 2013 11:39 AM, "Rory McCann" <[email protected]> wrote:

> Shouldn't be. I created the firewall rule before the NAT rule and there
> weren't any pre-existing connections to SQL.
>
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> On 12/17/2013 10:33 AM, Josh Luthman wrote:
>
>> Maybe using an already established connection?
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Dec 17, 2013 11:29 AM, "Rory McCann" <[email protected]> wrote:
>>
>>> There are allow rules, but nothing that would have matched anything in
>>> this particular rule.
>>>
>>> Rory McCann
>>> MKAP Technology Solutions
>>> Web: www.mkap.net
>>>
>>> On 12/17/2013 10:23 AM, Louis Arsenault wrote:
>>>
>>>> Do you have an allow established rule before this rule?
>>>> Having the allow established rule will continue to allow those bad
>>>> connections until you move the drop rule above it or restart the
>>>> router.
>>>>
>>>> -Louis
>>>>
>>>> On Tue, Dec 17, 2013 at 11:19 AM, Rory McCann <[email protected]> wrote:
>>>>
>>>>> Can someone explain to me why the following firewall rule isn't
>>>>> working:
>>>>>
>>>>>     add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4
>>>>>         dst-port=1433 protocol=tcp src-address-list=!SQL
>>>>>
>>>>> From what I understand, this rule should drop SQL traffic from any
>>>>> address not in the SQL address list, correct?
>>>>>
>>>>> My corresponding NAT rule is this:
>>>>>
>>>>>     add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access"
>>>>>         dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7
>>>>>         to-ports=1433
>>>>>
>>>>> It seems as though the NAT rule was taking precedence over the Firewall
>>>>> rule. My SQL server was getting hammered with invalid logins until I
>>>>> added a src-address-list entry to the NAT rule as well.
>>>>>
>>>>> This is on ROS v6.7
>>>>>
>>>>> --
>>>>> Rory McCann
>>>>> MKAP Technology Solutions
>>>>> Web: www.mkap.net

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
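As an added illustration (not part of the thread), the following Python model walks the two posted rules through the packet flow assumed here: the dstnat chain is evaluated in prerouting, before the forward filter chain, so a forward rule written against the public address 1.2.3.4 never sees a packet, while the same rule written against the translated address 10.2.7.7 does. The SQL address-list contents and the client addresses are constructed.

```python
# Added example, not from the thread: a minimal model of RouterOS packet flow.
# Assumption: chain=dstnat is evaluated in prerouting, before chain=forward,
# so forward filter rules see the already-translated destination address.
from dataclasses import dataclass, replace

# Constructed contents of the "SQL" address list (hosts allowed to reach SQL).
ADDRESS_LISTS = {"SQL": {"198.51.100.10"}}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def rule_matches(rule, pkt):
    """Evaluate the matchers used in the thread's rules against one packet."""
    for key, value in (("protocol", pkt.proto), ("dst-address", pkt.dst),
                       ("dst-port", pkt.dport)):
        if rule.get(key) not in (None, value):
            return False
    lst = rule.get("src-address-list")
    if lst is not None:
        negate = lst.startswith("!")
        in_list = pkt.src in ADDRESS_LISTS[lst.lstrip("!")]
        if in_list == negate:          # "!SQL" matches only hosts NOT in SQL
            return False
    return True

def first_match(rules, pkt):
    return next((r for r in rules if rule_matches(r, pkt)), None)

def forward_verdict(dstnat_rules, filter_rules, pkt):
    """dstnat first (prerouting), then the forward filter sees the translated packet."""
    nat = first_match(dstnat_rules, pkt)
    if nat is not None:
        pkt = replace(pkt, dst=nat["to-addresses"], dport=nat["to-ports"])
    hit = first_match(filter_rules, pkt)
    return hit["action"] if hit else "accept"   # no drop rule hit: default accept

# The thread's NAT rule, as posted.
DSTNAT = [{"action": "dst-nat", "dst-address": "1.2.3.4", "dst-port": 1433,
           "protocol": "tcp", "to-addresses": "10.2.7.7", "to-ports": 1433}]
# The thread's drop rule, written against the public address.
FILTER_PUBLIC = [{"action": "drop", "dst-address": "1.2.3.4", "dst-port": 1433,
                  "protocol": "tcp", "src-address-list": "!SQL"}]
# Same drop rule written against the translated (post-dst-nat) address.
FILTER_TRANSLATED = [{"action": "drop", "dst-address": "10.2.7.7", "dst-port": 1433,
                      "protocol": "tcp", "src-address-list": "!SQL"}]
```

RouterOS also exposes the connection-nat-state=dstnat filter matcher, which restricts such a forward rule to connections that were actually translated by the dstnat chain.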

