Block all outbound ports except DNS, HTTP and HTTPS

Hi All,

Very new to MikroTik but have used other firewalls in the past, so I have the basic concepts.

What I want to do is:

Block all outbound ports except DNS queries, HTTP and HTTPS on my WiFi LAN Hotspot, which I am running on ethernet 5.

So the way the unit is set up:

Ethernet 1 is WAN (internet connection)
Ethernet 2 is LAN (192.168.1.0/24)
Ethernet 5 is a WiFi LAN Hotspot on 10.1.0.0/24

I want Ethernet 5 to be really restricted in terms of what it can go out and do.

Would also ideally like to block torrenting, if that's possible.

I use Winbox, but have been doing some terminal commands.

Regards

Richy

To block all IP traffic except the ones you listed:

ip firewall filter
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53 comment="hotspot: DNS over TCP"
add chain=forward action=accept protocol=udp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53 comment="hotspot: DNS over UDP"
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=80 comment="hotspot: HTTP"
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=443 comment="hotspot: HTTPS"
add chain=forward action=accept connection-state=established protocol=tcp comment="reply traffic of accepted TCP connections"
add chain=forward action=drop src-address=10.1.0.0/24 dst-address=0.0.0.0/0 comment="hotspot: drop everything else"

The top two rules will allow DNS traffic, number 3 HTTP and number 4 HTTPS. All other traffic from the 10.1.0.0/24 network will be blocked.

I have found that if you configure your firewall filter rules to allow only your normal ports (HTTP, FTP, SMTP, SSMTP etc.) that are used, then torrent applications don't work. If you want an idea, I can post a copy of my firewall filter.

Thanks DG
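The rules above are only as good as their order: RouterOS walks the forward chain top to bottom and the first matching rule decides, so the final drop is what actually enforces "everything else is blocked". The following Python simulation is an added example (not DG's code and not RouterOS itself) that models the six posted rules with first-match semantics and evaluates a few constructed packets against them, so the policy can be checked before it is applied to the router. Two caveats it also makes visible: the forward chain only sees traffic the router forwards, so if hotspot clients resolve DNS against the router itself that traffic is handled by the input chain instead, and a port-based allow list permits any application that talks on 80/443, so it is not an application filter. The LAN network 192.168.1.0/24 falls through to the default accept because no rule matches it.

```python
"""Constructed simulation of the RouterOS forward-chain rules posted above.

RouterOS evaluates filter rules top to bottom; the first rule whose
matchers all fit the packet decides, and a packet that matches no rule
is accepted (the default policy of a filter chain).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst: str                # destination IP address
    proto: str              # "tcp" or "udp"
    dport: int              # destination port
    state: str = "new"      # connection-tracking state: "new" or "established"


@dataclass(frozen=True)
class Rule:
    """One filter rule; a matcher left as None means 'any', as in RouterOS."""
    action: str
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.src_net is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.state is not None and p.state != self.state:
            return False
        return True


HOTSPOT = "10.1.0.0/24"

# The six rules from the answer, in the same order (dst-address=0.0.0.0/0
# matches every destination, so it is omitted here).
FORWARD_CHAIN: List[Rule] = [
    Rule("accept", HOTSPOT, "tcp", 53, comment="dns over tcp"),
    Rule("accept", HOTSPOT, "udp", 53, comment="dns over udp"),
    Rule("accept", HOTSPOT, "tcp", 80, comment="http"),
    Rule("accept", HOTSPOT, "tcp", 443, comment="https"),
    Rule("accept", None, "tcp", None, "established", comment="tcp reply traffic"),
    Rule("drop", HOTSPOT, comment="everything else from the hotspot"),
]


def evaluate(chain: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None means no rule matched."""
    for idx, rule in enumerate(chain):
        if rule.matches(packet):
            return rule.action, idx
    return "accept", None   # nothing matched: RouterOS passes the packet


def audit(chain: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str, Optional[int]]]:
    """Evaluate a list of constructed packets and return the verdict for each."""
    return [(p, *evaluate(chain, p)) for p in packets]


# Constructed sample traffic: a hotspot client, a LAN host, and a TCP reply.
SAMPLE = [
    Packet("10.1.0.5", "203.0.113.10", "tcp", 443),                  # HTTPS from hotspot
    Packet("10.1.0.5", "203.0.113.53", "udp", 53),                   # DNS from hotspot
    Packet("10.1.0.5", "203.0.113.22", "tcp", 22),                   # SSH from hotspot
    Packet("10.1.0.5", "203.0.113.99", "udp", 6881),                 # arbitrary UDP from hotspot
    Packet("192.168.1.10", "203.0.113.22", "tcp", 22),               # SSH from the LAN
    Packet("203.0.113.10", "10.1.0.5", "tcp", 49152, "established"),  # reply to the HTTPS flow
]

if __name__ == "__main__":
    for pkt, action, idx in audit(FORWARD_CHAIN, SAMPLE):
        why = FORWARD_CHAIN[idx].comment if idx is not None else "no rule matched (default accept)"
        print(f"{pkt.src:>13} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} {pkt.state:<11} {action:<6} {why}")
```

Swapping the drop rule to the top of FORWARD_CHAIN and rerunning the audit shows every hotspot packet dropped, which is the ordering mistake the simulation is meant to catch before it reaches the router.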

That worked a treat.

Richy

I have the problem that torrents no longer work. Even if several years have passed, it would be useful if I could look over your configuration.

Either allow access from your torrent machine by IP or MAC, OR figure out all the ports that torrent requires and allow them instead.
Just a tiny bit of logic.

Surely that user waited for you, two years and a month later, for you to reply.

Don’t resurrect posts in such a useless way, just a tiny bit of logic.

hahaha, how far back would one have to look to even find that thread…