[Feature request] /ip firewall protocol-port-list

Dear Mikrotik developers,

In RouterOS, there has always been /ip firewall address-list. It has helped me simplify many rules.

However, I’ve been wondering why there isn’t a /ip firewall port-list, or even better a /ip firewall protocol-port-list. IMHO, it shouldn’t be too hard to program, but the effect could be significant in simplifying the rules and optimizing resources.

Sincerely,
Muhammad Fauzan

Yes, that’s one feature I would like too. We can do without it, but it would make the configuration much easier to read.
Another feature for me would be to be able to associate an alias with a MAC address instead of trying to remember who is who during debugging.

+1
I suggested a very similar thing about half a year ago.
http://forum.mikrotik.com/t/feature-request-service-group/56386/1

Tomaskir:
Sorry for re-posting it, I did search before posting, but I didn’t notice your thread.

Oh, no problem at all, man. The more attention a feature request of this kind gets, the better the chances it gets implemented.

However, you can list several ports in one rule, or even set up a port range.

Yes, this works well.
But setting multiple protocols, or even more, multiple options in the ‘advanced’ tab requires multiple rules.

To take an example from my forum topic, with the “service group” functionality you could merge multiple ports, protocols, and options and then use them all in one firewall rule.

The Service Group "ICMP WAN" would contain
icmp-options=0:0-255 protocol=icmp
icmp-options=3:3 protocol=icmp
icmp-options=3:4 protocol=icmp
icmp-options=8:0-255 protocol=icmp
icmp-options=11:0-255 protocol=icmp

The Service Group "ROS VPN" would contain
protocol=UDP dst-port=500
protocol=ipsec-esp
protocol=gre

Then in firewall you could simply add these rules. Currently, you would need to set up 8 rules, where with service groups you would only need 2 rules.

add action=accept chain=input limit=5,5 service-group="ICMP WAN"
add action=accept chain=input service-group="ROS VPN" src-address-list="VPN Peers"
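As an added illustration (not part of the thread, and not a RouterOS feature), the script below expands the two proposed service-group rules above into the eight per-service rules RouterOS needs today, using the group contents and rule lines exactly as written in the post; the helper names are hypothetical.

```python
import shlex

# Service group contents copied from the post above (constructed data).
SERVICE_GROUPS = {
    "ICMP WAN": [
        "icmp-options=0:0-255 protocol=icmp",
        "icmp-options=3:3 protocol=icmp",
        "icmp-options=3:4 protocol=icmp",
        "icmp-options=8:0-255 protocol=icmp",
        "icmp-options=11:0-255 protocol=icmp",
    ],
    "ROS VPN": [
        "protocol=UDP dst-port=500",
        "protocol=ipsec-esp",
        "protocol=gre",
    ],
}

def _quote(token):
    """Re-quote a key=value token whose value contains whitespace."""
    key, sep, value = token.partition("=")
    if sep and any(c.isspace() for c in value):
        return f'{key}="{value}"'
    return token

def expand_rule(rule, groups=SERVICE_GROUPS):
    """Turn one rule that uses service-group=... into one rule per group
    member (hypothetical helper). Rules without a group pass through."""
    tokens = shlex.split(rule)
    names = [t.partition("=")[2] for t in tokens if t.startswith("service-group=")]
    if not names:
        return [rule]
    if len(names) != 1:
        raise ValueError("only one service-group per rule is supported")
    if names[0] not in groups:
        raise KeyError(f"unknown service group: {names[0]}")
    base = [t for t in tokens if not t.startswith("service-group=")]
    return [" ".join(_quote(t) for t in base + shlex.split(m)) for m in groups[names[0]]]

def expand_ruleset(rules, groups=SERVICE_GROUPS):
    """Expand a whole list of rules, preserving their order."""
    return [out for rule in rules for out in expand_rule(rule, groups)]

# The two service-group rules from the post above.
RULES = [
    'add action=accept chain=input limit=5,5 service-group="ICMP WAN"',
    'add action=accept chain=input service-group="ROS VPN" src-address-list="VPN Peers"',
]

if __name__ == "__main__":
    print("/ip firewall filter")
    print("\n".join(expand_ruleset(RULES)))  # prints the 8 expanded rules
```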

On the other hand, you can also set several IP addresses or a range in one rule, but I prefer to use an address list, because it’s easier to read and manage.

Alias features summary:

  1. TCP/UDP port aliasing (e.g. 80 → HTTP, 443 → HTTPS)
  2. port alias grouping (e.g. MYSERVER_SERVICE → (HTTP,HTTP,SIP) …)
  3. IP address aliasing (e.g. 192.168.1.50 → MY_NAS_PRIVATE)
  4. dynamic IP address on a port like WAN auto-aliased by the system; after a dynamic IP change, RouterOS automatically changes the value of the alias (e.g. WAN_PRIMARY_IP → autodetected by RouterOS)
  5. IP address alias grouping (e.g. MY_IP_GROUP → (MY_NAS_PRIVATE, MY_MAIL_PRIVATE), …)
  6. possibility to use IP address aliases and IP address alias groups in NAT and FILTER rules
  7. possibility to use port aliases and port alias groups in NAT and FILTER rules

Many thanks for your efforts

Almost everything regarding IP address aliasing, as you call it, can be done using /ip firewall address-list, where you can freely create an address list with the desired name and adjust its contents as you wish.

If you check the firewall examples on the wiki, you will see good examples of how to manage the firewall to make it more potent. Good ideas are:

Separate different stuff into different chains. By default there are 3 chains: input, forward and output. You can easily add a new chain called VPN, jump from any of the chains to the named chain and do all the VPN-related magic there. Also, most of the time you only have to worry about initial packets; the rest of the load can be left to rules that accept related and established connections.