This look right? I already have an implicit drop rule at the very bottom of the /ip firewall filter but I added the drop to the input chain directly below the forward chain. What does this rule offer above my implicit drop rule? It works with or without the 8443 drop rule. Just trying to understand if this is more secure or just redundant. BTW, I greatly appreciate your input. :)
/ip firewall address-list
add address=68.106.72.0/26 disabled=no list="Netgear Switch Access"
add address=162.93.0.0/16 disabled=no list="Netgear Switch Access"
add address=216.231.195.0/24 disabled=no list="Netgear Switch Access"
add address=216.231.198.0/24 disabled=no list="Netgear Switch Access"
add address=216.231.207.0/24 disabled=no list="Netgear Switch Access"

/ip firewall filter
add action=accept chain=forward comment="Netgear Switch access" disabled=no src-address-list="Netgear Switch Access"
add action=drop chain=input disabled=no dst-port=8443 protocol=tcp
add action=accept chain=input comment="default configuration - ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="SNTP - Time Protocol" disabled=no dst-port=123 protocol=udp
add action=accept chain=input comment="default configuration - established" connection-state=established disabled=no
add action=accept chain=input comment="default configuration - related" connection-state=related disabled=no
add action=accept chain=input comment="Allow Management from MNS" disabled=no dst-port=161 protocol=udp src-address=10.94.64.16/29
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=10.94.64.16/29
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=68.106.72.0/26
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=68.106.76.203
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=68.167.154.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=162.93.0.0/16
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.198.0/24
add action=accept chain=input disabled=no dst-port=22,80,443,8291 protocol=tcp src-address=216.231.207.0/24
add action=accept chain=input comment="Used for VoIP Phone TS with Access Line VoIP provider. Must Be DISABLED at ALL times unless TS." disabled=yes dst-port=80,443 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway-static

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE
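Added example, not part of the post: a small Python model of the input chain above that walks it first-match, assuming RouterOS semantics where a packet matching no rule in a built-in chain is accepted. It shows where the explicit 8443 drop differs from the final drop, which only matches in-interface=ether1-gateway-static; the interface name bridge-local and the sample source addresses are constructed.

```python
import ipaddress

# Model of the input chain from the post (disabled VoIP rule left out), assuming
# RouterOS first-match evaluation and the built-in chains' default of accepting
# a packet that matches no rule. Sample packets below are constructed.
MGMT_PORTS = {22, 80, 443, 8291}
MGMT_SOURCES = ["10.94.64.16/29", "68.106.72.0/26", "68.106.76.203",
                "68.167.154.0/24", "162.93.0.0/16", "216.231.198.0/24",
                "216.231.207.0/24"]
INPUT_CHAIN = (
    [{"action": "drop", "proto": "tcp", "dport": {8443}}]  # explicit 8443 drop
    + [{"action": "accept", "proto": "icmp"},
       {"action": "accept", "proto": "udp", "dport": {123}},
       {"action": "accept", "state": "established"},
       {"action": "accept", "state": "related"},
       {"action": "accept", "proto": "udp", "dport": {161}, "src": "10.94.64.16/29"}]
    + [{"action": "accept", "proto": "tcp", "dport": MGMT_PORTS, "src": s}
       for s in MGMT_SOURCES]
    + [{"action": "drop", "in_if": "ether1-gateway-static"}]  # final drop, gateway only
)

def matches(rule, pkt):
    """A rule matches only if every matcher it carries agrees with the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") not in rule["dport"]:
        return False
    if "state" in rule and rule["state"] != pkt.get("state", "new"):
        return False
    if "in_if" in rule and rule["in_if"] != pkt["in_if"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    return True

def evaluate(chain, pkt):
    """Return (action, index of the first matching rule); None means no rule matched."""
    for idx, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule["action"], idx
    return "accept", None  # no match in a built-in chain: RouterOS accepts

def compare(pkt):
    """Verdict with the explicit 8443 drop in place versus with it removed."""
    return evaluate(INPUT_CHAIN, pkt)[0], evaluate(INPUT_CHAIN[1:], pkt)[0]

if __name__ == "__main__":
    lan = {"proto": "tcp", "dport": 8443, "src": "192.168.88.10", "in_if": "bridge-local"}
    wan = {"proto": "tcp", "dport": 8443, "src": "203.0.113.7", "in_if": "ether1-gateway-static"}
    print("LAN -> 8443:", compare(lan))  # ('drop', 'accept'): only the explicit rule stops it
    print("WAN -> 8443:", compare(wan))  # ('drop', 'drop'): redundant behind the gateway drop
```

On the gateway interface the 8443 rule is redundant with the final drop; on any other interface it is the only rule that blocks that port, because the final drop is limited to ether1-gateway-static.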

