Ok, I have a dns server running on my core router that is DMZ, but I do not want the public to be able to see port 53 open. Also, I would like to hide port 8291 from the world as well.
How would I setup firewall rules for this?
Define an address list that is able to get to the DNS server:
/ip firewall address-list
add list=DNS-access address=192.168.1.0/24
add list=DNS-access address=10.1.0.0/16
Then allow that list access, replacing 1.1.1.1 with the actual IP address of the DNS server:
/ip firewall filter
add chain=forward protocol=udp dst-port=53 dst-address=1.1.1.1 src-address-list=DNS-access action=accept
add chain=forward protocol=tcp dst-port=53 dst-address=1.1.1.1 src-address-list=DNS-access action=accept
add chain=forward protocol=udp dst-port=53 dst-address=1.1.1.1 action=drop
add chain=forward protocol=tcp dst-port=53 dst-address=1.1.1.1 action=drop
The same principle for Winbox - first, make an address list that defines networks that can use winbox:
/ip firewall address-list
add list=admin-access address=192.168.1.0/24
add list=admin-access address=10.1.0.0/16
Then allow that traffic, and drop everything else:
/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address-list=admin-access action=accept
add chain=input protocol=tcp dst-port=8291 action=drop
You can save yourself the specific drop rules if you take a whitelist approach to your entire firewall: first specify all the traffic you want to let through, then drop absolutely everything without any qualifiers.
The wiki has very, very many firewall examples you should read through. You were asking a FAQ.
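An added example, not from any post in this thread, that applies the whitelist approach described above. It assumes the same internal networks as the answer, a WAN interface named ether1, and covers both the case the question actually describes (the DNS server is the router itself, so its traffic is handled in the input chain) and a separate DNS host in the DMZ (forward chain); 203.0.113.10 is a placeholder for that host.

```routeros
# Address list of networks that may manage the router and use its resolver
/ip firewall address-list
add list=admin-access address=192.168.1.0/24 comment="LAN"
add list=admin-access address=10.1.0.0/16 comment="other internal nets"

/ip firewall filter
# Input chain: traffic addressed to the router itself (Winbox, router-hosted DNS)
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input protocol=icmp action=accept comment="ping for troubleshooting"
add chain=input protocol=tcp dst-port=8291 src-address-list=admin-access action=accept comment="winbox from admin nets"
add chain=input protocol=udp dst-port=53 src-address-list=admin-access action=accept comment="router DNS, udp, internal only"
add chain=input protocol=tcp dst-port=53 src-address-list=admin-access action=accept comment="router DNS, tcp, internal only"
# Catch-all: nothing else reaches the router, so no per-port drop rules are needed
add chain=input action=drop comment="drop everything else to the router"

# Forward chain: traffic passing through the router, for a DNS host in the DMZ
# (placeholder address 203.0.113.10; omit this part if DNS runs on the router)
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=udp dst-port=53 dst-address=203.0.113.10 src-address-list=admin-access action=accept comment="DMZ DNS, internal only"
add chain=forward protocol=tcp dst-port=53 dst-address=203.0.113.10 src-address-list=admin-access action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no new inbound sessions from WAN"
```

Rule order matters: the established/related accept must precede the drops, and the final drop must be last. Watch the hit counters with "/ip firewall filter print stats" to confirm external port-53 and port-8291 attempts land on the drop rules rather than an accept.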
Sorry, that does not work for DNS.
The world still sees port 53 open.
BUT it DID work for Winbox.
Please post the output of “/ip address print detail”, “/ip route print detail”, “/interface print”, and “/ip firewall export”. I could only give you a rough stab given how few details you originally posted. If you need specific help you need to post specific details.