Drop all and accept some ports

Hi.

According to the subject, I would like to drop all and accept some ports. My firewall rules.

If I put the drop rule first, it will block everything and accept nothing. If I put it last, it accepts everything.

I searched a lot on the internet, but could not find something that would explain how to do it in the right way.

Firewall works in sequential order. You have to configure rules more specifically, for example, configure accept rules for all the traffic which should work and drop everything else.

As depicted, traffic from 10/8 for DNS, HTTP & HTTPS will be allowed. All the rest is blocked.

To allow more just add some “accept” rules before the drop rule.

These rules did not work. I do not know why.
I can browse the internet, but I can also open other things like apps facebook, instagram, games …
Very strange.

If these communicate over port 80 (HTTP) and 443 (HTTPS), then that’s expected.

I changed my rules.

I added a rule to accept ICMP.
This one worked. However, the rules for ports 80, 443 and 53 do not.

You need to accept established connections in forward chain, then you can remove all reverse logic rules again.

Now, everyone can reach your private network as long as they’re using source port 80,443/tcp or 53/udp.

Take a look at the default firewall, which is a good entry point anyway.

Make sure interface lists WAN and LAN exist.

/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp \
    comment="defconf: accept ICMP"
  filter add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf:  drop all from WAN not DSTNATed"
}
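To make the two points above concrete (rules are evaluated top to bottom, and matching on the source port lets in anything that chooses that source port), here is a small first-match simulator of the forward chain. This is an added example, not code from the thread or from MikroTik: the rule and packet objects, the two rulesets (a reconstruction of the "reverse logic" attempt and of the established,related approach), and the sample packets are all constructed for illustration.

```python
"""First-match firewall simulator (constructed example, not MikroTik code).

Models the forward chain as an ordered list of rules evaluated top to bottom:
the first matching rule decides, and a packet that matches nothing is accepted
(the implicit end-of-chain behaviour). Both rulesets below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None       # "tcp" / "udp" / "icmp" or None = any
    dst_port: frozenset = frozenset()    # empty set = match any port
    src_port: frozenset = frozenset()
    conn_state: frozenset = frozenset()  # e.g. {"new"} or {"established", "related"}
    in_iface: Optional[str] = None       # "LAN" / "WAN" or None = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port and pkt.get("dst_port") not in self.dst_port:
            return False
        if self.src_port and pkt.get("src_port") not in self.src_port:
            return False
        if self.conn_state and pkt["state"] not in self.conn_state:
            return False
        if self.in_iface and pkt["in_iface"] != self.in_iface:
            return False
        return True


def evaluate(rules, pkt):
    """Return (action, comment) of the first matching rule; accept if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit end-of-chain accept"


WEB = frozenset({80, 443})
DNS = frozenset({53})
ESTABLISHED = frozenset({"established", "related"})

# Ruleset A: the "reverse logic" attempt. Replies are let in by matching the
# *source* port, so any unsolicited connection that picks source port 80, 443
# or 53 is accepted too.
REVERSE_LOGIC = [
    Rule("accept", "allow http/https out", protocol="tcp", dst_port=WEB),
    Rule("accept", "allow dns out", protocol="udp", dst_port=DNS),
    Rule("accept", "reverse: replies from web servers", protocol="tcp", src_port=WEB),
    Rule("accept", "reverse: replies from dns servers", protocol="udp", src_port=DNS),
    Rule("drop", "drop everything else"),
]

# Ruleset B: let connection tracking admit replies, permit only *new*
# connections from LAN to the wanted destination ports, then drop the rest.
CONNTRACK = [
    Rule("accept", "accept established,related", conn_state=ESTABLISHED),
    Rule("drop", "drop invalid", conn_state=frozenset({"invalid"})),
    Rule("accept", "new http/https from LAN", protocol="tcp", dst_port=WEB,
         conn_state=frozenset({"new"}), in_iface="LAN"),
    Rule("accept", "new dns from LAN", protocol="udp", dst_port=DNS,
         conn_state=frozenset({"new"}), in_iface="LAN"),
    Rule("drop", "drop everything else"),
]

# Constructed packets as seen by the forward chain.
PACKETS = {
    "lan_https_out": dict(protocol="tcp", src_port=51000, dst_port=443, state="new", in_iface="LAN"),
    "https_reply":   dict(protocol="tcp", src_port=443, dst_port=51000, state="established", in_iface="WAN"),
    "lan_ssh_out":   dict(protocol="tcp", src_port=51001, dst_port=22, state="new", in_iface="LAN"),
    # Unsolicited inbound connection that happens to use source port 80.
    "wan_sport80_to_ssh": dict(protocol="tcp", src_port=80, dst_port=22, state="new", in_iface="WAN"),
}


def decide_all(rules):
    """Map each sample packet name to the action the ruleset takes on it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("reverse-logic", REVERSE_LOGIC), ("conntrack", CONNTRACK)):
        print(label)
        for name, pkt in PACKETS.items():
            action, why = evaluate(rules, pkt)
            print(f"  {name:20} -> {action:6} ({why})")
    # Order matters: the same rules with the drop moved to the top block everything.
    print("drop-first:", decide_all([CONNTRACK[-1]] + CONNTRACK[:-1]))
```

Running it shows the reverse-logic set accepting `wan_sport80_to_ssh` via its source-port rule while the connection-tracking set drops it, both sets admitting the legitimate HTTPS reply, and the drop-first ordering dropping every packet, which is the behaviour the original poster observed.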

Tip: Reset to defaults and then come back!
Tell us what you would like to accomplish without speaking about equipment or solution settings, but in words.
Then we can direct you to config guidance and walk you through what's in the default and why.
With a better understanding of your goals, and with your better understanding of how the various config rules interplay, we can make progress.

The path you're travelling at the moment is like playing what-ifs and whack-a-mole without any clear direction or, obviously, any clear understanding.
Let's get back to basics.

Ok.

What I need:
Drop all ports and accept 80, 443 and 53.