So can anyone tell me how I build a filter rule on an ethernet interface that says the equivalent of “Let anything with a dst-address in the 10.0.0.0/16 range in and forward it but drop everything else.”
It is obvious.
Firewall/filter rules are applied in the order of their appearance.
Put rules to allow your desired traffic, and then put rules to drop everything else.
(Careful though, so as not to lock yourself out with this. If it happens, connect by mac-telnet or mac-winbox to restore.)
So it would be like this:
first rule: allow traffic for xxx.xxx.xxx.xxx/y
second rule: drop traffic NOT for xxx.xxx.xxx.xxx/y
The simple way. Your firewall should be more complex; this is the essence.
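The two rules above written out as RouterOS firewall filter commands, as an added example (not from the poster and not MikroTik's own documentation). It assumes the traffic arrives on an interface named ether2, that "let it in and forward it" means transit traffic (the forward chain), and that management of the router itself goes through the input chain; those names are assumptions for the example.

```routeros
# Transit traffic entering on ether2: accept only what is destined for 10.0.0.0/16,
# then drop everything else that came in on that interface. Order is what matters:
# rules are evaluated top to bottom and the first match wins.
/ip firewall filter
add chain=forward in-interface=ether2 dst-address=10.0.0.0/16 action=accept \
    comment="ether2: allow forwarding to 10.0.0.0/16"
add chain=forward in-interface=ether2 dst-address=!10.0.0.0/16 action=drop \
    comment="ether2: drop everything not for 10.0.0.0/16"

# Lock-out guard for traffic to the router itself (input chain, separate from forward):
# keep replies to the router's own sessions and a management source, then drop the rest.
# 192.0.2.10 is a constructed placeholder for the admin host; replace it before use.
add chain=input connection-state=established,related action=accept \
    comment="keep existing sessions to the router"
add chain=input in-interface=ether2 src-address=192.0.2.10 action=accept \
    comment="admin host may reach the router"
add chain=input in-interface=ether2 action=drop \
    comment="drop all other traffic to the router from ether2"

# Verify the order; the numbers printed are positions, and a misplaced drop
# can be moved above or below an accept with 'move <rule> <destination>'.
/ip firewall filter print
```

Check the order with the print command before disconnecting: if the drop rule ends up above the accept rule, the accept never matches. Matching on in-interface keeps the drop scoped to ether2 rather than to all interfaces, which is the usual way such a rule takes down management access by accident.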