Blocking DNS: which is better?

When blocking external DNS, which of these two options is preferable?
And please explain why.
Thanks

/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

/ip firewall filter
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=ether1 protocol=udp

Both are fine, first is slightly preferable since you don’t need to involve conntrack. In general though you should block everything on the filter input chain and only open things you need.

How do I achieve this?

Is this the best way to block everything except the needed traffic?
This firewall rule is at the bottom of all other rules.

/ip firewall filter
add action=drop chain=input comment="Drop Everything Else" connection-state=new in-interface=ether1

Someone should please reply.
Thanks

Hi Chris, that’s how I do it. By default, drop everything to the input chain as per the rule you posted. Then open ports only as necessary.
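As an added example (not a configuration posted in this thread), here is what a default-deny input chain that follows the advice above looks like on RouterOS. It assumes ether1 is the WAN interface (as in the rules above) and a LAN of 192.168.88.0/24 and a WireGuard listener on UDP 13231; those last two values are hypothetical and only stand in for "the services you actually need". The point is that port 53 never needs an explicit drop rule: anything not accepted earlier, including DNS queries arriving on ether1, falls through to the final drop.

```routeros
# Added example, not from the original thread.
# Assumes: ether1 = WAN, 192.168.88.0/24 = LAN (hypothetical), WireGuard on UDP/13231 (hypothetical).
/ip firewall filter
# 1. Replies and related packets of flows the router already knows about go first,
#    so the bulk of traffic is decided by a single conntrack lookup.
add chain=input action=accept connection-state=established,related comment="accept established/related"
# 2. Packets conntrack cannot match to a valid flow are dropped outright.
add chain=input action=drop connection-state=invalid comment="drop invalid"
# 3. Management, DNS and everything else the router offers, but only from the LAN side.
add chain=input action=accept in-interface=!ether1 src-address=192.168.88.0/24 comment="accept LAN to router"
# 4. ICMP so path MTU discovery and troubleshooting keep working.
add chain=input action=accept protocol=icmp comment="accept ICMP"
# 5. Exactly the services you intend to expose on the WAN, one rule each (hypothetical example).
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=13231 comment="accept WireGuard from WAN"
# 6. Everything not matched above is dropped. This is what closes DNS (and any other
#    listener, such as winbox, www or api) towards the Internet without a rule per port.
add chain=input action=drop comment="Drop Everything Else"
```

Two things worth checking after applying a chain like this: first, that the final drop is really last (`/ip firewall filter print` shows the order; RouterOS evaluates top to bottom and stops at the first match), and second, that the LAN accept rule is narrow enough that a guest or IoT segment does not get router access by accident. This matters for DNS in particular because a MikroTik with `/ip dns set allow-remote-requests=yes` and no input filter answers recursive queries from anyone on the Internet, i.e. it is an open resolver and a ready amplification source. Note also that the `/ip firewall raw` variant discussed later in the thread is evaluated in prerouting, before connection tracking and before the routing decision, so it is cheaper per packet but matches forwarded traffic too (for example a DNS server you port-forward to the LAN), whereas the filter input chain only ever sees traffic addressed to the router itself.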

Thanks for that.

This is the right way:
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=ether1 protocol=udp

It is not. Dropping everything with the exclusions to accept selected traffic only is the right way.