On 12/17/2013 10:19 AM, Rory McCann wrote:
Can someone explain to me why the following firewall rule isn't working:
/add action=drop chain=forward comment="SQL Access" dst-address=1.2.3.4
dst-port=1433 protocol=tcp src-address-list=!SQL/
From what I understand, this rule should drop SQL traffic from any
address not in the SQL address list, correct?
My corresponding NAT rule is this:
/add action=dst-nat chain=dstnat comment="My Farm Records - SQL Access"
dst-address=1.2.3.4 dst-port=1433 protocol=tcp to-addresses=10.2.7.7
to-ports=1433/
The filter rule needs to use dst-address=10.2.7.7 (private IP), as the
dstnat happens BEFORE forward filter. Look at the packet flow diagram
on the wiki. ;-) (that's a nice way of saying RTFM) lol.
It seems as though the NAT rule was taking precedence over the Firewall
rule. My SQL server was getting hammered with invalid logins until I
added a src-address-list entry to the NAT rule as well.
You almost have it right.
--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/
_______________________________________________
Mikrotik mailing list
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
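The fix the thread arrives at, written out as a complete RouterOS configuration. This is an added example, not configuration posted by anyone in the thread. It keeps the thread's addresses (public 1.2.3.4, internal SQL host 10.2.7.7, address list "SQL"); the client address in the address list and the comments are constructed for illustration.

```routeros
# Added example (not from the thread). Addresses 1.2.3.4, 10.2.7.7 and the
# list name "SQL" are taken from the thread; 203.0.113.10 is a constructed
# example client.

/ip firewall address-list
add list=SQL address=203.0.113.10 comment="constructed example: allowed SQL client"

/ip firewall nat
add chain=dstnat action=dst-nat comment="My Farm Records - SQL Access" \
    protocol=tcp dst-address=1.2.3.4 dst-port=1433 \
    to-addresses=10.2.7.7 to-ports=1433

/ip firewall filter
# BROKEN (the rule from the question): dst-nat runs in prerouting, before the
# forward chain, so by the time a packet reaches forward its destination is
# already 10.2.7.7. This rule never matches and drops nothing.
# add chain=forward action=drop comment="SQL Access" protocol=tcp \
#     dst-address=1.2.3.4 dst-port=1433 src-address-list=!SQL

# FIXED: match the post-NAT (private) destination.
add chain=forward action=drop comment="SQL Access" protocol=tcp \
    dst-address=10.2.7.7 dst-port=1433 src-address-list=!SQL

# Alternative (what the original poster ended up doing): restrict the NAT
# rule itself, so non-listed sources are never translated. Their packets to
# 1.2.3.4:1433 are then addressed to the router and land in the input chain,
# which must drop them too.
# /ip firewall nat set [find comment="My Farm Records - SQL Access"] src-address-list=SQL
# /ip firewall filter add chain=input action=drop protocol=tcp dst-port=1433
```

To confirm the forward rule is actually matching, watch its counters with `/ip firewall filter print stats` while a non-listed host attempts a connection; a rule that stays at zero packets is the symptom described in the question. On RouterOS 6 the matcher `connection-nat-state=dstnat` can be used in the forward rule instead of hard-coding the private address, which avoids the rule silently breaking if the server is renumbered.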