kazanova
Member
Topic Author
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

rule not for one ip

Thu Jun 24, 2010 10:59 pm

I want to drop ICMP except for IP 192.168.10.10

/ip firewall filter
add action=drop chain=forward comment=" ping" disabled=yes dst-address=\
!192.168.10.10 protocol=icmp
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: rule not for one ip

Thu Jun 24, 2010 11:20 pm

Generally speaking that's the right idea, but you have to make sure that the packet going the other way isn't dropped, either.

Is 192.168.10.10 supposed to be the only IP able to initiate pings to other IPs, or is it supposed to be the only IP address pingable by other IPs?
 
kazanova
Member
Topic Author
Posts: 406
Joined: Tue Sep 06, 2005 11:52 am

Re: rule not for one ip

Thu Jun 24, 2010 11:32 pm

Yes, 192.168.10.10 is supposed to be the only IP able to initiate pings to other IPs,
but it doesn't work.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: rule not for one ip

Thu Jun 24, 2010 11:54 pm

Without state:

/ip firewall filter
add chain=forward protocol=icmp src-address=192.168.10.10 action=accept
add chain=forward protocol=icmp dst-address=192.168.10.10 action=accept
add chain=forward protocol=icmp action=drop

With state:

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=icmp src-address=192.168.10.10 action=accept
add chain=forward protocol=icmp action=drop

You can write a rule like you tried to, but it's often not a good idea. Generally with firewall rules it is always better to explicitly accept the traffic you want to flow and then to broadly drop everything else than to selectively drop traffic. The more complicated the ruleset gets, the easier it is to forget to drop something, but it's usually fairly easy to permit what you need and then not have to worry about everything else.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: rule not for one ip

Thu Jun 24, 2010 11:57 pm

And just for completion's sake, the problem with your original rule:
/ip firewall filter
add action=drop chain=forward comment="ping" dst-address=!192.168.10.10 protocol=icmp
is that when 192.168.10.10 sends an echo request to 1.1.1.1, the destination address of the packet is 1.1.1.1, which matches !192.168.10.10 so the echo request itself gets dropped. The target never sees a request so it never sends an echo reply.
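The following is an added illustration, not code from this thread or from MikroTik: a small first-match model of a forward chain that traces an echo request and its reply through each of the three rulesets discussed above (the original `dst-address=!192.168.10.10` drop rule, and fewi's stateless and stateful accept-then-drop versions). It only models the matchers the posts use (protocol, src-address, dst-address with the `!` negation, and connection-state), treats an echo reply as belonging to the same tracked connection as its request, and uses the chain's default accept when nothing matches. The IPs 1.1.1.1 and 192.168.10.20 are constructed sample hosts.

```python
"""First-match model of a RouterOS-style firewall chain (constructed example).

Not MikroTik code. Models only what the thread's rules need: protocol,
src-address, dst-address (with '!' negation) and connection-state, plus a
toy connection tracker so that an echo reply to an accepted request is seen
as 'established'. The 'related' state is never produced by this model.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str            # "icmp" in every case below
    icmp_type: str           # "echo-request" or "echo-reply"


@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    protocol: Optional[str] = None
    src_address: Optional[str] = None        # "a.b.c.d" or "!a.b.c.d"
    dst_address: Optional[str] = None
    connection_state: Optional[str] = None   # "established", "related", "new"


def _addr_match(spec: Optional[str], addr: str) -> bool:
    """Unset matcher matches anything; a leading '!' negates the comparison."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return addr != spec[1:]
    return addr == spec


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Direction-agnostic keys of accepted flows; a dropped first packet
        # never confirms a conntrack entry, so only accepted packets are added.
        self.conntrack = set()

    def _state(self, pkt: Packet) -> str:
        return "established" if frozenset((pkt.src, pkt.dst)) in self.conntrack else "new"

    def filter(self, pkt: Packet) -> str:
        """Return the verdict of the first matching rule; chain default is accept."""
        state = self._state(pkt)
        for r in self.rules:
            if r.protocol is not None and r.protocol != pkt.protocol:
                continue
            if not _addr_match(r.src_address, pkt.src):
                continue
            if not _addr_match(r.dst_address, pkt.dst):
                continue
            if r.connection_state is not None and r.connection_state != state:
                continue
            if r.action == "accept":
                self.conntrack.add(frozenset((pkt.src, pkt.dst)))
            return r.action
        return "accept"


# The three rulesets from the thread (chain=forward is implicit here).
ORIGINAL = [Rule("drop", protocol="icmp", dst_address="!192.168.10.10")]

WITHOUT_STATE = [
    Rule("accept", protocol="icmp", src_address="192.168.10.10"),
    Rule("accept", protocol="icmp", dst_address="192.168.10.10"),
    Rule("drop", protocol="icmp"),
]

WITH_STATE = [
    Rule("accept", connection_state="established"),
    Rule("accept", connection_state="related"),
    Rule("accept", protocol="icmp", src_address="192.168.10.10"),
    Rule("drop", protocol="icmp"),
]


def run(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Trace one ping through a fresh firewall: (request verdict, reply verdict)."""
    fw = Firewall(rules)
    request_verdict = fw.filter(Packet(src, dst, "icmp", "echo-request"))
    if request_verdict != "accept":
        return (request_verdict, "not sent")   # target never saw the request
    reply_verdict = fw.filter(Packet(dst, src, "icmp", "echo-reply"))
    return (request_verdict, reply_verdict)


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("without state", WITHOUT_STATE), ("with state", WITH_STATE)):
        print(name)
        print("  192.168.10.10 -> 1.1.1.1      ", run(rules, "192.168.10.10", "1.1.1.1"))
        print("  192.168.10.20 -> 1.1.1.1      ", run(rules, "192.168.10.20", "1.1.1.1"))
        print("  192.168.10.20 -> 192.168.10.10", run(rules, "192.168.10.20", "192.168.10.10"))
```

Running it reproduces fewi's diagnosis: under the original rule the echo request from 192.168.10.10 is dropped on the way out because its destination is not 192.168.10.10. It also makes the difference between the two fixes visible: the stateless ruleset lets any host ping 192.168.10.10 (and the reply flows back through the second accept), whereas the stateful ruleset only lets 192.168.10.10 initiate and relies on conntrack to admit the reply.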
