feature request: add Port List to firewall

Hello, I would like to request a new feature… Just like in the firewall where you can make groups of addresses with the Address Lists option, it would be great if you could make port groupings with different types of ports (tcp, udp, etc…) in the firewall with a list. This would reduce the number of rules needing to be created. Thanks!

I agree - the ipset functionality of the netfilter suite (which I’m assuming is what Mikrotik uses to implement their firewall) already supports port lists, so it shouldn’t be a huge endeavor to implement this - especially now that they’ve also implemented interface lists.

Most useful, indeed. :smiley:

++ :slight_smile:

Wasn’t it already requested in the past?
http://forum.mikrotik.com/t/feature-requests-address-lists-for-routes-and-port-and-even-protocol-groups/100149/1
http://forum.mikrotik.com/t/v6-36rc-release-candidate-is-released-wireless-fp-package-is-discontinued/97337/113

I am for this too.

Yes, me too: http://forum.mikrotik.com/t/port-list/97283/1
Hope to see it soon…

Yep.


+1 for the ability to use multiple protocols & ports in one filter rule.

  • multiple protocols: this makes no real sense, and netfilter doesn’t support it anyway
  • multiple ports: this is already possible, only you need to specify it inside the rule, not as a separate “port list”.

Yes, but if you have multiple rules using the same port range/list, currently you have to manually edit each rule (or run some cli magic to do it) if you want to change 1 port for example.

Having a port-list like address-lists or interface-lists, you simply edit the port-list and all rules follow that without any further edits.

I think multiple rules with the same port-list should not be very common, and also they can often be replaced
by using custom chains. Matching should be done as little as possible, especially on complicated criteria.

It's not so uncommon that applications use both UDP and TCP ports, and ICMP is also used in quite strange places.

  • multiple ports: this is already possible, only you need to specify it inside the rule, not as a separate “port list”.

Yes, I know, and therefore protocol mixing is the more important new feature for me personally, but I can also see clear benefits in doing some kind of “service objects” (all ports needed by application/service X) and using them in multiple rules.
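The “service object” idea above can be approximated with what RouterOS already offers (several ports of one protocol inside a single rule, plus a comment tag). The following generator is an added example, not code from the thread or from MikroTik; the service names, ports, chain and the `svc:` comment prefix are constructed for illustration.

```python
"""Expand named "service objects" into RouterOS firewall rules.

RouterOS has no port lists, but one rule may carry several ports of a single
protocol (dst-port=80,443,8000-8080), so a service object becomes one rule
per protocol. Every generated rule carries a "svc:<name>" comment, so the
whole set can be removed and regenerated when a port list changes instead
of editing each rule by hand.
"""

# Constructed sample: name -> list of (protocol, ports). A port is an int or a
# "lo-hi" range string; protocols without ports (icmp) get an empty list.
SERVICES = {
    "web": [("tcp", [80, 443, "8000-8080"])],
    "dns": [("udp", [53]), ("tcp", [53])],
    "ping": [("icmp", [])],
}


def _port_token(p):
    """Validate one port or "lo-hi" range and return it as RouterOS text."""
    if isinstance(p, int):
        lo = hi = p
    else:
        lo, hi = (int(x) for x in str(p).split("-", 1))
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec {p!r}")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def rules_for(name, entries, chain="forward", action="accept"):
    """Return the RouterOS commands for one service object."""
    cmds = []
    for proto, ports in entries:
        parts = [f"chain={chain}", f"protocol={proto}"]
        if ports:  # icmp and friends have no dst-port
            parts.append("dst-port=" + ",".join(_port_token(p) for p in ports))
        parts += [f"action={action}", f'comment="svc:{name}"']
        cmds.append("/ip firewall filter add " + " ".join(parts))
    return cmds


def regenerate(services, chain="forward"):
    """Drop every svc-tagged rule, then re-add all service objects."""
    out = ['/ip firewall filter remove [find comment~"^svc:"]']
    for name, entries in services.items():
        out.extend(rules_for(name, entries, chain))
    return out


if __name__ == "__main__":
    print("\n".join(regenerate(SERVICES)))
```

Regenerated rules are appended at the end of the chain, so where ordering matters against other rules, keep the service rules in their own custom chain that the main chain jumps to.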

Netfilter (the mechanism below what you see in Firewall) cannot do that!
There is a part “ipset”, also mentioned above, that can store a portlist, actually just a bitmap corresponding to port 0..65535
for use in filters with protocol TCP or UDP. Not a list of protocol/port combinations, or even protocols without ports.
There would be some use of a portlist when there really are a lot of applications that require both TCP and UDP portlists
with the same portnumbers, but I think these generally are the result of laziness or misinformation. One of the few applications
that require this is DNS. And it uses only a single port, hardly worth it to store it in a set.
To implement what you suggest above, RouterOS would have to make a 1:many mapping of “high-level rules” in the UI
and real netfilter rules. I think it now never does that, and I am not sure it is a good idea to introduce that. Maybe some
shortcut in the UI that auto-inserts some predefined rulesets like the above, but that would then be further maintained
as separate rules just as it is now.

I understand that. If the port list in Netfilter works that way, then I agree with you, no real use for that. Does not change the fact that it would be a useful feature in many situations and is done by many other vendors. Just one more piece of evidence that RouterOS is more router than firewall. :slight_smile:

A router IS a firewall and vice versa.
And a decent router is insecure and useless/dangerous without a decent firewall, and a decent firewall is ~useless without routing.

There are a lot of places where you have a router doing just routing and a firewall doing just filtering and optionally NATting (of course with the default route pointing to that router). The Internet is of course one example, but also internal networks in many big companies.
Anyhow, I was just trying to say that I have seen more intuitive UIs for firewall management than in RouterOS. And the ability to group things like ports & protocols is one of the key elements.

Oh, but I have also seen commercial enterprise routers that are a lot worse in configuration, including putting comments
in the configuration and structuring filtering rules in a sensible way… (e.g. Cisco IOS)
MikroTik has a comment field in almost every config item and it allows a tree structured filtering chain instead of a plain list.

Nowhere can you legally, in the last 10 years at least, completely separate firewalls and routers from each other in a backbone. And generally you wouldn't want to if you feel okay.
Personally I proposed port-lists ~8 years ago in this forum and twice later (the last one in the present, non-deactivated nickname AFAIK), because it makes sense, makes configuration more readable/simpler and improves router performance as well, and the same goes for protocol lists and interface lists.
As for the “structured list”, it's more like an nftables feature, e.g. for ROS7 or even a bit later subversions (some may remember, say, PF and NPF and the like, but that doesn't matter much).

Cool. Make a port-list; a list in a list would also be good ))
P.S. In prerouting mangle, mark DSCP (63 groups/port lists) and manipulate packets in filter with DSCP-based rules. A port list by RouterOS (we are not looking for easy ways).

Have a good day!

It would be useful to add ip:port address lists. We have blocklists of proxies and anonymizers and use separate filter rules for every record (approx. ~12k rules, increasing every week).