On 01/27/2014 03:09 PM, Jerry Roy wrote:
Does this look right? I already have an implicit drop rule at the very bottom of
the /ip firewall filter but I added the drop to the input chain directly
below the forward chain. What does this rule offer above my implicit drop
rule? It works with or without the 8443 drop rule. Just trying to
understand if this is more secure or just redundant. BTW, I greatly
appreciate your input. :)
/ip firewall address-list
add address=68.106.72.0/26 disabled=no list="Netgear Switch Access"
add address=162.93.0.0/16 disabled=no list="Netgear Switch Access"
add address=216.231.195.0/24 disabled=no list="Netgear Switch Access"
add address=216.231.198.0/24 disabled=no list="Netgear Switch Access"
add address=216.231.207.0/24 disabled=no list="Netgear Switch Access"
/ip firewall filter
add action=accept chain=forward comment="Netgear Switch access" disabled=no \
    src-address-list="Netgear Switch Access"
add action=drop chain=input disabled=no dst-port=8443 protocol=tcp
These 2 rules are not working in tandem if that was your goal. The
forward chain is for traffic passing through the router, while input is
for traffic TO the router. I didn't read through the entire ruleset,
but this just jumped off the page at me. If the goal is to allow that
list to manage the router (winbox, http, ssh, etc.), then you need to
change the first rule to chain=input, then the second rule would drop
all traffic destined to port TCP/8443 (not sure what that is).
--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/
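Added example, not from either poster: Jerry's address list and two rules rewritten the way Butch describes, so the list is accepted on chain=input (traffic to the router) instead of chain=forward (traffic through it). The management ports 8291 (winbox), 80 (http) and 22 (ssh) are assumptions; check them against /ip service on the router.

```routeros
# Added example (not from the thread). Same address list as in the post.
/ip firewall address-list
add address=68.106.72.0/26 list="Netgear Switch Access"
add address=162.93.0.0/16 list="Netgear Switch Access"
add address=216.231.195.0/24 list="Netgear Switch Access"
add address=216.231.198.0/24 list="Netgear Switch Access"
add address=216.231.207.0/24 list="Netgear Switch Access"

/ip firewall filter
# Rules are matched top to bottom; the first match decides.
# Let replies to connections the router itself opened come back.
add chain=input action=accept connection-state=established,related \
    comment="input: established/related"
# Router management only from the address list. Ports are assumed here;
# use whatever /ip service shows on the actual router.
add chain=input action=accept protocol=tcp dst-port=8291,80,22 \
    src-address-list="Netgear Switch Access" \
    comment="input: management from Netgear Switch Access list"
# Catch-all drop for everything else aimed at the router. A separate
# drop for tcp/8443 placed above this line would only match traffic
# this rule drops anyway, so it adds nothing beyond a log/counter line.
add chain=input action=drop comment="input: drop the rest"
```

Forward-chain rules stay separate: a chain=forward accept for the same list would let those hosts through the router to the LAN, which is a different decision from letting them manage the router.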
_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS