Why do you need to block it in the input chain? Forward is quite enough.

-- 
Signature: (added at the end of all outgoing messages)

2014-08-06 18:32 GMT+03:00 Mike Hammett <[email protected]>:

> Would this be a good DNS ruleset? Assuming I put my DNS servers in the
> DNS_Servers address list. Well, and assuming I enable them...
>
> add action=accept chain=forward disabled=no dst-address-list=DNS_Servers dst-port=53 protocol=tcp
> add action=reject chain=forward disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
> add action=reject chain=input disabled=yes dst-port=53 protocol=udp reject-with=icmp-network-unreachable src-address-list=!DNS_Servers
> add action=tarpit chain=forward disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
> add action=tarpit chain=input disabled=yes dst-port=53 protocol=tcp src-address-list=!DNS_Servers
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com

_______________________________________________
Mikrotik mailing list
[email protected]
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

