Hello,
add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address=192.168.1.50
I only want the machine 192.168.1.50 to use TCP 80,443, but why can it also ping the internet?
Because ping is not tcp but icmp!
Hi Chum
In an effort to be a bit more helpful than Njumaen:
Your rule blocks all TCP connections whose destination port is not 80 or 443.
However, ICMP (ping) will not be processed by this rule.
If you want to block everything except TCP 80,443, then you’ll need another rule under that:
/ip firewall filter
add action=drop chain=forward src-address=192.168.1.50
Remember, though, that you might want to add some permit rules to allow DNS and other services the host might use.
I hope this helps.
This won’t work.
OP’s rule works because there’s an implicit allow-all rule at the end. TCP ports 80 and 443 are passed by OP’s rule, but firewall filter rules are processed further. If markmcn’s rule were further down the list, that one would drop HTTP and HTTPS as well.
So if one goes the (recommended) way of “drop everything which is not allowed before”, then OP’s rule has to be inverted … to “action=allow dst-port=80,443”.
@mkx
Thank you for correcting my mistake, I was still waking up!!
Below is what should work:
/ip firewall filter
add action=accept chain=forward dst-port=80,443 protocol=tcp src-address=192.168.1.50
add action=drop chain=forward src-address=192.168.1.50
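To make the two points in this thread concrete (ICMP slipping past a protocol=tcp rule, and the order-dependence that mkx describes), here is an added example, not from the thread or from RouterOS: a toy first-match evaluator for the subset of "/ip firewall filter" syntax used above (chain, protocol, src-address, dst-port with "!" negation, and the implicit accept at the end of a chain). The rule sets and sample packets are constructed from the three configurations posted above; the packet list and the 192.168.1.51 "other host" address are assumptions.

```python
"""Toy first-match evaluator for MikroTik-style 'ip firewall filter' rules.

Added example, not the forum's or RouterOS's own code. It models only the
fields used in the thread and the implicit accept at the end of a chain, so
the three rule sets discussed above can be compared packet by packet.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                         # "accept" or "drop"
    chain: str = "forward"
    protocol: Optional[str] = None      # None = any protocol
    src_address: Optional[str] = None   # None = any source
    dst_ports: frozenset = frozenset()  # empty = any port
    negate_ports: bool = False          # True models dst-port=!80,443

@dataclass
class Packet:
    protocol: str                    # "tcp", "udp" or "icmp"
    src: str
    dst_port: Optional[int] = None   # None for ICMP, which has no ports

def parse_rule(line: str) -> Rule:
    """Parse one 'add key=value ...' line in the form used in the thread."""
    kv = dict(tok.split("=", 1) for tok in line.split()[1:])
    ports_raw = kv.get("dst-port", "")
    negate = ports_raw.startswith("!")
    ports = frozenset(int(p) for p in ports_raw.lstrip("!").split(",") if p)
    return Rule(action=kv["action"], chain=kv.get("chain", "forward"),
                protocol=kv.get("protocol"), src_address=kv.get("src-address"),
                dst_ports=ports, negate_ports=negate)

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified matcher must hit; unspecified matchers match anything."""
    if rule.src_address is not None and pkt.src != rule.src_address:
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dst_ports:
        in_set = pkt.dst_port in rule.dst_ports
        # with negation the rule matches ports NOT in the set
        if in_set == rule.negate_ports:
            return False
    return True

def verdict(rules, pkt: Packet, chain: str = "forward") -> str:
    """First matching rule decides; no match means the implicit accept."""
    for r in rules:
        if r.chain == chain and matches(r, pkt):
            return r.action
    return "accept"

# Constructed sample traffic from the host in question plus one other host.
PACKETS = {
    "https_from_host": Packet("tcp", "192.168.1.50", 443),
    "ssh_from_host":   Packet("tcp", "192.168.1.50", 22),
    "dns_from_host":   Packet("udp", "192.168.1.50", 53),
    "ping_from_host":  Packet("icmp", "192.168.1.50"),
    "ssh_other_host":  Packet("tcp", "192.168.1.51", 22),   # assumed address
}

RULESETS = {
    "op_only": [
        "add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address=192.168.1.50",
    ],
    "op_plus_drop": [   # markmcn's first suggestion appended below OP's rule
        "add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address=192.168.1.50",
        "add action=drop chain=forward src-address=192.168.1.50",
    ],
    "corrected": [      # accept first, then drop the rest, as mkx describes
        "add action=accept chain=forward dst-port=80,443 protocol=tcp src-address=192.168.1.50",
        "add action=drop chain=forward src-address=192.168.1.50",
    ],
}

def evaluate(ruleset_name: str) -> dict:
    """Return {packet_name: verdict} for one of the named rule sets."""
    rules = [parse_rule(line) for line in RULESETS[ruleset_name]]
    return {name: verdict(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for name in RULESETS:
        print(name, evaluate(name))
```

Running it shows the three behaviours side by side: "op_only" accepts the ping (and DNS) because nothing but TCP ever reaches the negated port match; "op_plus_drop" drops HTTPS too, since the accept was never explicit; "corrected" passes only TCP 80/443 from the host and, as markmcn notes, also drops its DNS until a permit rule is added.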