jantypas
newbie
Topic Author
Posts: 39
Joined: Sun May 02, 2010 11:57 pm

This very simple firewall ruleset SHOULD work-- but.....

Fri Apr 26, 2024 10:34 am

I've reduced everything down to the basics but it doesn't seem to help....

The hardware is an RB5009 that simply has two interfaces: an OUT (FRC) and an IN (LAN). (There are firewalls upstream.) The goal of the firewall ruleset at this point is:
  • Allow everything out
  • Allow return traffic in
  • Allow SSH in if it's going to host 199.181.204.130
  • Drop everything else
There is no NAT at this point, so it's just a set of "public IPs":

0 ;;; Allow anything out from the LAN to the tunnels
chain=forward action=accept in-interface=ether1-LAN
out-interface=ether2-FRC log=no log-prefix=""

1 chain=forward action=accept protocol=tcp dst-address-list=199.181.204.130
dst-port=22 log=no log-prefix=""

2 ;;; Allow active connections in
chain=forward action=accept
connection-state=established,related,untracked in-interface=ether2-FRC
out-interface=ether1-LAN log=no log-prefix=""

3 chain=forward action=drop log=no log-prefix="Drop it"

I can see the drop rule at the bottom catches everything -- even the SSH -- why?
 
karlisi
Member
Posts: 443
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: This very simple firewall ruleset SHOULD work-- but.....

Fri Apr 26, 2024 11:01 am

Change to this:

chain=forward action=accept connection-state=established,related,untracked
chain=forward action=accept protocol=tcp dst-address=199.181.204.130 dst-port=22
chain=forward action=drop log=no log-prefix="Drop it"

Check if it works.
About SSH I'm not sure; from your description I can't say which device or interface has the 199.181.204.130 address. I'm assuming it is your FRC interface.
 
jantypas
newbie
Topic Author
Posts: 39
Joined: Sun May 02, 2010 11:57 pm

Re: This very simple firewall ruleset SHOULD work-- but.....

Fri Apr 26, 2024 11:04 am

OK -- for my education at least :-) Why does yours work and mine doesn't -- what is different? I see the order of the rules is different, but they should say the same thing.
 
jantypas
newbie
Topic Author
Posts: 39
Joined: Sun May 02, 2010 11:57 pm

Re: This very simple firewall ruleset SHOULD work-- but.....

Fri Apr 26, 2024 11:14 am

I don't quite understand why -- but dst-address-list, even if it has the same IP in it, is not dst-address. That works. Thanks for the help.
 
karlisi
Member
Posts: 443
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: This very simple firewall ruleset SHOULD work-- but.....

Fri Apr 26, 2024 12:56 pm

SSH rule: because of address-list instead of address.
As for other traffic, I'm not sure. The rules are too complex and the order is not optimal, but in theory they should work.
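Putting the thread's conclusion into a complete ruleset, as an added example that is not the poster's or karlisi's own configuration: the interface names ether1-LAN / ether2-FRC and the host 199.181.204.130 are taken from the thread, while the list name "ssh-allowed", the comments, and the extra in-interface=ether2-FRC on the SSH rule (so the rule only matches sessions arriving from the FRC side, which is what "allow SSH in" asks for) are my own assumptions. The key point is that dst-address-list takes the name of a list created under /ip firewall address-list, not an IP; the original dst-address-list=199.181.204.130 referred to a list named "199.181.204.130" that did not exist, so the rule matched nothing and SSH fell through to the drop.

```routeros
# Added example (not from the thread). Assumed: interface names and the
# SSH host from the thread; list name "ssh-allowed" is my own choice.

# Variant A: match the host directly with dst-address.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="Allow return traffic for existing connections"
add chain=forward action=accept in-interface=ether1-LAN out-interface=ether2-FRC \
    comment="Allow anything out from the LAN"
add chain=forward action=accept protocol=tcp dst-address=199.181.204.130 dst-port=22 \
    in-interface=ether2-FRC comment="Allow SSH in to the one host"
add chain=forward action=drop log=yes log-prefix="Drop it" \
    comment="Drop everything else"

# Variant B: the same SSH rule via an address list. dst-address-list takes
# the NAME of a list, so the list must exist and contain the host.
/ip firewall address-list
add list=ssh-allowed address=199.181.204.130 comment="Hosts reachable by SSH from FRC"
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address-list=ssh-allowed dst-port=22 \
    in-interface=ether2-FRC place-before=[find comment="Drop everything else"] \
    comment="Allow SSH in to hosts in ssh-allowed"

# Checks: per-rule counters show which rule actually matched a test SSH
# session, and the drop rule's log prefix makes misses visible in the log.
/ip firewall filter print stats
/log print where message~"Drop it"
```

Use one variant or the other, not both. The established/related/untracked rule is placed first (as karlisi's version does) so that only the first packet of a new SSH session has to be evaluated against the address rule; once accepted, the rest of the session matches the connection-state rule. With log=yes on the drop rule, a packet that still reaches it will appear in /log print with the "Drop it" prefix, which is the quickest way to see whether an accept rule above it is failing to match.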
