Dear all,
I would like to set up a firewall rule to allow only VNC port 5900 in/out to a specified LAN host:
For example, 192.168.88.100 wants to communicate in the WAN (Internet) direction only on port 5900.
All other ports have to be blocked.
Any suggestions?
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN action=drop
You can add more ports to each tcp & udp rule like “port=53,5900,6000-6100” if you need more outgoing ports.
Replace the action=accept with action=drop in the last rule.
Oppps! I corrected it.
Perfect!!!
Works well, also works without allowing UDP 5900.
Thanks, appreciated!!
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
Theoretically IP can carry protocols other than TCP and UDP … so if one really wants to pass only TCP or UDP, then she can’t omit protocol in the FW rule.
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
>
> Can this be simplified by only using two rules??
> If so, is it fair to say, that frog is bloated LOL.
You better watch it, I might swell up like a toad!
But, to answer your question, NO! The reason is you are dropping everything not matching the first rule. In the OP's case, since he only needed TCP, he could use only the first one.
Argggg you are correct!!
My logic is flawed. I must keep in mind that when a rule is matched, game over!!
Frogs' legs for supper!
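As an added example (not code from anyone in this thread), here is a small Python first-match simulator for the two rule sets discussed above. It shows the two points made in the replies: the first matching rule ends evaluation, and the two drop-only rules, having no catch-all, leave anything that is not TCP or UDP (ICMP, GRE, ...) untouched. The sample flows are constructed; the simulator assumes RouterOS semantics, including that the `port=` matcher matches either the source or the destination port.

```python
# Added example: first-match evaluation of the thread's two RouterOS rule sets.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    protocol: Optional[str] = None     # None = any IP protocol
    ports: frozenset = frozenset()     # matched port numbers (empty = any)
    negate_port: bool = False          # models RouterOS "port=!5900"

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.ports:
            # RouterOS "port=" matches either source OR destination port
            hit = sport in self.ports or dport in self.ports
            return hit != self.negate_port
        return True

def evaluate(rules: List[Rule], proto: str, sport: int, dport: int) -> str:
    """First matching rule decides; later rules are never consulted."""
    for r in rules:
        if r.matches(proto, sport, dport):
            return r.action
    return "accept"  # nothing matched: RouterOS lets the packet through

# Accepted answer: accept tcp/5900, accept udp/5900, drop everything else.
THREE_RULES = [
    Rule("accept", "tcp", frozenset({5900})),
    Rule("accept", "udp", frozenset({5900})),
    Rule("drop"),
]
# Later proposal: drop tcp not 5900, drop udp not 5900 (no catch-all).
TWO_RULES = [
    Rule("drop", "tcp", frozenset({5900}), negate_port=True),
    Rule("drop", "udp", frozenset({5900}), negate_port=True),
]

# Constructed flows from 192.168.88.100 towards the WAN interface.
FLOWS: Dict[str, Tuple[str, int, int]] = {
    "vnc":  ("tcp", 40001, 5900),
    "http": ("tcp", 40002, 80),
    "dns":  ("udp", 40003, 53),
    "icmp": ("icmp", 0, 0),    # ping carries no ports at all
    "gre":  ("gre", 0, 0),     # tunnel protocol, neither TCP nor UDP
}

def compare() -> Dict[str, Tuple[str, str]]:
    """Verdict of (three-rule set, two-rule set) for every sample flow."""
    return {n: (evaluate(THREE_RULES, *f), evaluate(TWO_RULES, *f)) for n, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (three, two) in compare().items():
        print(f"{name:5} three-rule={three:6} two-rule={two}")
```

Only the three-rule set drops the ICMP and GRE flows; the two-rule set silently accepts them because no rule matches.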