I'm assuming you mean traffic flowing through the firewall, and not traffic destined for the firewall itself. The below blocks all traffic that would flow through the firewall, comes in through the interface named WAN and is destined for port tcp/23:
/ip firewall filter add chain=forward in-interface=WAN protocol=tcp dst-port=23 action=drop
Of course that rule may not work depending on context. If you have a rule higher above it that accepts all traffic coming in the WAN interface, or in the forward chain etc. then this rule would never be reached.
The basic idea is that in firewall filtering there are three major chains: 'forward' contains all traffic flowing through the firewall (traffic that is not initiated by the firewall, and doesn't terminate on the firewall), 'input' contains all traffic directly aimed at the firewall and 'output' contains all traffic created by the firewall itself. Firewall rules apply actions to packets, the most common ones are 'accept' and 'drop'. To specify to which exact packets an action should be applied, lots of filters are available. Some common ones are 'protocol', 'dst-port', 'in-interface' etc. Since the firewall is stateful, you can also use connection states, such as 'new', 'established' and 'related'.
Firewall mangling marks packets/connections with markers that are not transmitted over the wire (they are internal to the firewall only), but are used by many other RouterOS portions to make decisions. Mangle has two additional major chains: 'prerouting', which contains packets before destination NAT runs and a routing decision is made, and 'postrouting', which contains all packets after all other chains have been traversed and the router knows where to output the packet. Mangling can also change some basic packet properties, such as TTL, DSCP values etc.
NAT changes source and destination IPs and ports. Its two major chains are 'srcnat' and 'dstnat'.
When writing a firewall ruleset it is best to take a whitelist (default deny) approach: 'accept' all packets that you know you want to go through the firewall, and make the last rule a generic 'drop'.
Hope that helps.
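The ordering caveat in the post above (a broader rule higher up in the same chain means a later rule is never reached) can be checked mechanically before a ruleset is deployed. The following is an added example, not part of the original post: the sample ruleset is constructed, the names parse_rule and find_shadowed are hypothetical, and matchers are compared by exact value only (no port ranges or address prefixes).

```python
import shlex

# Actions that stop further rule processing for a matching packet.
TERMINATING = {"accept", "drop", "reject"}

# Constructed sample in RouterOS CLI syntax; interface names are assumptions.
SAMPLE = """
/ip firewall filter add chain=forward in-interface=WAN action=accept
/ip firewall filter add chain=forward in-interface=WAN protocol=tcp dst-port=23 action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
/ip firewall filter add chain=forward action=drop
"""

def parse_rule(line):
    """Turn one 'add key=value ...' line into (chain, action, matchers)."""
    pairs = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    chain = pairs.pop("chain")
    action = pairs.pop("action", "accept")  # an omitted action is treated as accept
    pairs.pop("comment", None)              # comments do not affect matching
    return chain, action, pairs

def find_shadowed(text):
    """Return (shadowed_index, shadowing_index) pairs, 0-based over rule lines.

    A rule is reported when an earlier rule in the same chain has a
    terminating action and every matcher of that earlier rule appears with
    the same value in the later rule, so the earlier rule already catches
    every packet the later rule could match.
    """
    rules = [parse_rule(l) for l in text.splitlines() if " add " in l]
    shadowed = []
    for i, (chain, _, match) in enumerate(rules):
        for j in range(i):
            e_chain, e_action, e_match = rules[j]
            if (e_chain == chain and e_action in TERMINATING
                    and e_match.items() <= match.items()):
                shadowed.append((i, j))
                break
    return shadowed

if __name__ == "__main__":
    for later, earlier in find_shadowed(SAMPLE):
        print(f"rule {later} is never reached: shadowed by rule {earlier}")
```

In the sample, the tcp/23 drop is shadowed by the blanket WAN accept above it, while the final generic drop of the default-deny layout is not reported because no earlier rule covers all forwarded traffic.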