Uh, is the dst-address on the MT? That would be input, not forward.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Dec 17, 2013 11:42 AM, "Rory McCann" <[email protected]> wrote:

> No, it wasn't matching any traffic.
>
> Rory McCann
> MKAP Technology Solutions
> Web: www.mkap.net
>
> On 12/17/2013 10:40 AM, Josh Luthman wrote:
>
>> Is the firewall rule counting packets?
>>
>> On Dec 17, 2013 11:39 AM, "Rory McCann" <[email protected]> wrote:
>>
>>> Shouldn't be. I created the firewall rule before the NAT rule and there
>>> weren't any pre-existing connections to SQL.
>>>
>>> On 12/17/2013 10:33 AM, Josh Luthman wrote:
>>>
>>>> Maybe using an already established connection?
>>>>
>>>> On Dec 17, 2013 11:29 AM, "Rory McCann" <[email protected]> wrote:
>>>>
>>>>> There are allow rules, but nothing that would have matched anything in
>>>>> this particular rule.
>>>>>
>>>>> On 12/17/2013 10:23 AM, Louis Arsenault wrote:
>>>>>
>>>>>> Do you have an allow established rule before this rule?
>>>>>> Having the allow established rule will continue to allow those bad
>>>>>> connections until you move the drop rule above it or restart the
>>>>>> router.
>>>>>>
>>>>>> -Louis
>>>>>>
>>>>>> On Tue, Dec 17, 2013 at 11:19 AM, Rory McCann <[email protected]> wrote:
>>>>>>
>>>>>>> Can someone explain to me why the following firewall rule isn't
>>>>>>> working:
>>>>>>>
>>>>>>>     /ip firewall filter add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp src-address-list=!SQL
>>>>>>>
>>>>>>> From what I understand, this rule should drop SQL traffic from any
>>>>>>> address not in the SQL address list, correct?
>>>>>>>
>>>>>>> My corresponding NAT rule is this:
>>>>>>>
>>>>>>>     /ip firewall nat add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access" dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7 to-ports=1433
>>>>>>>
>>>>>>> It seems as though the NAT rule was taking precedence over the
>>>>>>> firewall rule. My SQL server was getting hammered with invalid logins
>>>>>>> until I added a src-address-list entry to the NAT rule as well.
>>>>>>>
>>>>>>> This is on ROS v6.7
>>>>>>>
>>>>>>> --
>>>>>>> Rory McCann
>>>>>>> MKAP Technology Solutions
>>>>>>> Web: www.mkap.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.butchevans.com/pipermail/mikrotik/attachments/20131217/433b5931/attachment.html>
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
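Added example, not part of the thread above: the two rules from Rory's original post, rewritten so that the filter rule can actually match. In the RouterOS packet flow the dstnat chain runs in prerouting, before the forward filter chain, so by the time a packet reaches chain=forward its destination has already been rewritten from 1.2.3.4 to 10.2.7.7. A forward rule matching dst-address=1.2.3.4 therefore never sees the packet, and a zero packet counter on `print stats` is exactly that symptom. The public address 1.2.3.4, the server 10.2.7.7 and the list name SQL are taken from the post; the client addresses in the address list are placeholders I made up for illustration.

```routeros
# Added example (not from the thread). 1.2.3.4, 10.2.7.7 and the list name
# "SQL" come from the original post; the client addresses below are
# placeholders.

# 1. Allow-list of clients permitted to reach the SQL server.
/ip firewall address-list
add list=SQL address=203.0.113.10 comment="office"
add list=SQL address=198.51.100.0/24 comment="partner"

# 2. Scope the dst-nat rule itself to the allow-list. Packets from any
#    other source are never translated, so they never reach the server.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=1.2.3.4 dst-port=1433 \
    src-address-list=SQL to-addresses=10.2.7.7 to-ports=1433 \
    comment="My Farm Records - SQL Access"

# 3. Defence in depth in chain=forward: match the POST-NAT destination
#    (10.2.7.7), because dstnat has already run when forward is evaluated.
#    Matching dst-address=1.2.3.4 here never hits, which is what the thread
#    observed. Place this above any "accept established" rule.
/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=10.2.7.7 dst-port=1433 \
    src-address-list=!SQL comment="SQL Access - drop non-allowlisted"

# 4. Verify the rules are now matching, then clear any connections that were
#    already translated before the drop rule existed, so an accept-established
#    rule above it cannot keep letting them through.
/ip firewall filter print stats where comment~"SQL"
/ip firewall connection print where protocol=tcp and dst-address~":1433"
/ip firewall connection remove [find protocol=tcp and dst-address~":1433"]
```

Step 2 alone is what fixed the problem in the thread (adding src-address-list to the NAT rule). Step 3 is worth keeping anyway: if the NAT rule is later loosened, the forward drop still stands, but only because it matches the translated address.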

