[Bug] Inverse address-list does not work with Layer7-protocol

[admin@SCO] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=drop src-address-list=!qqpass layer7-protocol=qq 
[admin@SCO] /ip firewall filter>

src-address-list=!qqpass

This filter rule should not affect the address-list qqpass, but in the MT 3.x version, the qqpass list is affected by this rule. This results in the addresses in the address-list qqpass not being able to bypass the rule.

I think this is a bug; has anyone else experienced it?

Contact support if you think this is a bug, and also send supout.rif.

You can add a log rule
chain=forward action=log src-address-list=!qqpass layer7-protocol=qq
to see whether packets with a source address from the list are actually dropped by that rule.

hmmm… maybe src-address-list=!qqpass is NOT affected, and dst-address-list=!qqpass IS affected? =)
[admin@SCO] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=drop dst-address-list=!qqpass layer7-protocol=qq 

 1   chain=input action=drop protocol=tcp dst-port=21 
[admin@SCO] /ip firewall filter>

I tried to use dst-address-list=!qqpass,
but it doesn’t work at all; all traffic, no matter qqpass or !qqpass, can get through, just the same as having no rule at all.

This is the only rule in the filter. I don’t think it is the effect of other rules.

no-no-no…

I meant that if a packet is caught by the ‘qq’ L7 rule and has a src-address from the ‘qqpass’ list, it’s not affected. But the response packet may also be caught by ‘qq’, and it has a dst- (not src-) address in the ‘qqpass’ list, so that packet is being dropped.

I think the algorithm should be like this:

chain=forward action=accept src-address-list=qqpass layer7-protocol=qq
chain=forward action=accept dst-address-list=qqpass layer7-protocol=qq
chain=forward action=drop layer7-protocol=qq
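To make the point of the last reply concrete, here is an added simulation (not RouterOS code and not from this thread) of first-match filter evaluation with negated address lists. It assumes a constructed `qqpass` list, per-packet layer7 classification already done, and three constructed packets: a request from a whitelisted host, the reply back to it, and traffic from a non-whitelisted host.

```python
# Constructed simulation of RouterOS-style filter matching; assumptions:
# rules are evaluated top-down, the first match decides, default is accept,
# and the layer7 matcher has already tagged each packet with a protocol.
LISTS = {"qqpass": {"10.0.0.5"}}  # constructed address list


def _list_match(addr, spec, lists):
    """Match an address-list condition; a leading '!' negates the list."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    return (addr in lists[spec.lstrip("!")]) != negate


def rule_matches(rule, pkt, lists):
    """All conditions present on the rule must match the packet."""
    return (_list_match(pkt["src"], rule.get("src-address-list"), lists)
            and _list_match(pkt["dst"], rule.get("dst-address-list"), lists)
            and rule.get("layer7-protocol", pkt["l7"]) == pkt["l7"])


def verdict(rules, pkt, lists=LISTS):
    """First matching rule decides; no match means accept (chain default)."""
    for rule in rules:
        if rule_matches(rule, pkt, lists):
            return rule["action"]
    return "accept"


# Rule set from the original report: one drop rule with a negated source list.
ORIGINAL = [
    {"action": "drop", "src-address-list": "!qqpass", "layer7-protocol": "qq"},
]
# Ordering proposed in the last reply: whitelist both directions, then drop.
PROPOSED = [
    {"action": "accept", "src-address-list": "qqpass", "layer7-protocol": "qq"},
    {"action": "accept", "dst-address-list": "qqpass", "layer7-protocol": "qq"},
    {"action": "drop", "layer7-protocol": "qq"},
]

# Constructed packets: a request from the whitelisted host, the reply to it,
# and a request from a host that is not in qqpass.
PACKETS = {
    "request": {"src": "10.0.0.5", "dst": "203.0.113.9", "l7": "qq"},
    "reply": {"src": "203.0.113.9", "dst": "10.0.0.5", "l7": "qq"},
    "other": {"src": "10.0.0.7", "dst": "203.0.113.9", "l7": "qq"},
}


def evaluate(rules):
    """Return the verdict for every constructed packet under a rule set."""
    return {name: verdict(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL))  # reply is dropped
    print("proposed:", evaluate(PROPOSED))  # reply is accepted
```

Real RouterOS layer7 matching classifies whole connections rather than single packets, so a connection-aware rule set may behave differently from this per-packet model.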