Filtering port 25 (SMTP)?

Hi,

I have a very frustrating problem. I wanted to filter the traffic on port 25 coming from the VPN users. Since I failed with the more complex rule, I reduced it to a very basic one:

/ip firewall filter add action=drop chain=forward disabled=no dst-port=25 protocol=tcp

But still, after adding it, I can telnet to SMTP servers on port 25. If I change the port to 80, HTTP ceases; if I change TCP to ICMP, ping ceases. But not SMTP. Why? What am I missing?

Thanks,
Andras

Are there any other rules in "/ip firewall filter"? Maybe posting all of them would help.
No "/ip firewall nat" rules that would affect port 25?
No hotspot on the interface?

Thank you for replying.

There is no other filter that would affect port 25 for forwarding.
This is the full export of the filter:
/ip firewall filter
add action=drop chain=input comment=blacklist connection-state=new disabled=no src-address-list=blacklist
add action=drop chain=forward comment=blacklist connection-state=new disabled=no src-address-list=blacklist
add action=drop chain=input comment=invalid connection-state=invalid disabled=no
add action=drop chain=forward comment=invalid connection-state=invalid disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=tcp
add action=accept chain=input disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=444 protocol=tcp
add action=accept chain=input disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=443 protocol=tcp
add action=accept chain=input disabled=no dst-address=xxx.xxx.xxx.xxx protocol=gre
add action=accept chain=input disabled=no dst-address=xxx.xxx.xxx.xxx dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no dst-port=80 protocol=tcp src-address=xxx.xxx.xxx.xxx
add action=accept chain=input comment=radius disabled=no dst-address=xxx.xxx.xxx.xxx protocol=udp src-address=xxx.xxx.xxx.xxx
add action=accept chain=input disabled=no protocol=icmp
add action=drop chain=input disabled=no
add action=drop chain=forward disabled=no dst-port=25 protocol=tcp
add action=jump chain=forward comment="ppp filter (new)" disabled=yes jump-target=ppp
add action=drop chain=pppin disabled=yes dst-address-type="" dst-port=25 protocol=tcp
add action=drop chain=pppout disabled=yes dst-address-type=""

The NAT rules give a public IP to each connected private VPN client. Each private address has its own public one, in pairs like this:
/ip firewall nat
add action=src-nat chain=srcnat disabled=no src-address=xx.xx.xx.99 to-addresses=yy.yy.yy.99
add action=dst-nat chain=dstnat disabled=no dst-address=yy.yy.yy.99 to-addresses=xx.xx.xx.99

Hello
Does any traffic match your filter rule?
From where are you checking the telnet to your server?

When running with port 80 there is matching (checked with a browser to google.com), but there is none when using port 25 (checked with PuTTY, telnet smtp.gmail.com:25).

I just tried this and it blocked email sending (not receiving) from my router localnet.

/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=25

Telnet to port 25 fails also.

Try this.

/ip firewall filter
add chain=forward action=drop protocol=tcp dst-port=25 place-before=0
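As an added example, not code from this thread or from MikroTik, here is a small Python first-match simulator for `/ip firewall filter` exports like the one posted above. It parses the `add ...` lines, walks a chain the way RouterOS does (rules in order, `disabled=yes` skipped, the first terminating action wins, `jump` enters the target chain and falls through if nothing there terminates, and a built-in chain with no match accepts), and reports which rule a packet would hit. It also shows what the `place-before=0` suggestion does to the order. The packet representation, the trimmed copy of the export embedded below (the address-specific input rules are left out), and only the matchers used in this thread are assumptions of the example; anything else on a rule is ignored, so its answers are optimistic. One thing visible in the posted export that the simulator makes concrete: the disabled jump targets chain `ppp`, while the disabled port-25 drop sits in chain `pppin`.

```python
import shlex

# Actions that end evaluation of a packet.
TERMINAL = {"accept", "drop", "reject", "tarpit"}
# Rule properties that are not packet matchers.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target", "place-before"}

# Trimmed copy of the export posted in this thread (constructed test input).
EXPORT = """\
/ip firewall filter
add action=drop chain=input comment=blacklist connection-state=new disabled=no src-address-list=blacklist
add action=drop chain=forward comment=blacklist connection-state=new disabled=no src-address-list=blacklist
add action=drop chain=input comment=invalid connection-state=invalid disabled=no
add action=drop chain=forward comment=invalid connection-state=invalid disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input disabled=no protocol=icmp
add action=drop chain=input disabled=no
add action=drop chain=forward disabled=no dst-port=25 protocol=tcp
add action=jump chain=forward comment="ppp filter (new)" disabled=yes jump-target=ppp
add action=drop chain=pppin disabled=yes dst-address-type="" dst-port=25 protocol=tcp
add action=drop chain=pppout disabled=yes dst-address-type=""
"""


def parse_export(text):
    """Turn 'add key=value ...' lines into rule dicts; shlex keeps quoted values whole."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def make_packet(chain, protocol, dst_port=0, src_port=0, state="new",
                src_lists=(), src_address=None, dst_address=None):
    """Hypothetical packet as the filter sees it after connection tracking."""
    return {"chain": chain, "protocol": protocol, "dst_port": dst_port,
            "src_port": src_port, "state": state, "src_lists": set(src_lists),
            "src_address": src_address, "dst_address": dst_address}


def port_matches(spec, port):
    """Port syntax: '25', a list '25,465,587', or a range '25-26'."""
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def rule_matches(rule, pkt):
    """Every matcher on the rule must agree; empty values (dst-address-type="") are unset."""
    if rule.get("disabled") == "yes":
        return False
    for key, value in rule.items():
        if not value or key in NON_MATCHERS:
            continue
        if key == "protocol":
            ok = value == pkt["protocol"]
        elif key == "dst-port":
            ok = port_matches(value, pkt["dst_port"])
        elif key == "src-port":
            ok = port_matches(value, pkt["src_port"])
        elif key == "any-port":
            ok = port_matches(value, pkt["dst_port"]) or port_matches(value, pkt["src_port"])
        elif key == "connection-state":
            ok = pkt["state"] in value.split(",")
        elif key == "src-address-list":
            ok = value in pkt["src_lists"]
        elif key in ("src-address", "dst-address"):
            ok = pkt[key.replace("-", "_")] == value
        else:
            ok = True  # matcher not modelled here: assumed to match
        if not ok:
            return False
    return True


def walk_chain(rules, pkt, chain):
    """First-match walk of one chain: (action, rule_index), or None if it falls off the end."""
    for index, rule in enumerate(rules):
        if rule.get("chain") != chain or not rule_matches(rule, pkt):
            continue
        action = rule.get("action", "accept")
        if action in TERMINAL:
            return action, index
        if action == "jump":
            hit = walk_chain(rules, pkt, rule["jump-target"])
            if hit:
                return hit
        # log, passthrough, or a jump whose chain fell through: keep walking
    return None


def verdict(rules, pkt):
    """Terminating (action, index), or ('accept', None) for the built-in chain default."""
    return walk_chain(rules, pkt, pkt["chain"]) or ("accept", None)


if __name__ == "__main__":
    rules = parse_export(EXPORT)
    for pkt in (make_packet("forward", "tcp", 25), make_packet("forward", "tcp", 80)):
        print(pkt["chain"], pkt["protocol"], pkt["dst_port"], "->", verdict(rules, pkt))
```

Read the result next to `/ip firewall filter print stats` on the router: if the simulator says a packet reaches a rule but that rule's counters stay at zero while you test, the traffic is not traversing that chain in the form you expect, and the rule text itself is not where to keep looking.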

Thank you for helping with such a nonsense situation.

Putting the filter at number 0 has no effect. With 80, HTTP is blocked; SMTP passes.
Later this evening I will reboot (production server...) and maybe set up an x86 box to test with other versions...

check this

/ip firewall filter
add chain=forward action=drop protocol=tcp any-port=25

No luck with any-port.
I did not have time to reboot or install a new RouterOS last night; that's still ahead...

Bumping again, because I need to block SMTP and still cannot.
What is wrong? Any other port I tried was blocked fine; TCP/UDP or even ICMP can be filtered, but for some reason SMTP port 25 cannot :S:S:S

Edit: I've set up a log-and-drop chain; with any port but 25 it is logged properly and dropped.

Meh, I'm just going to consider it a bug, zero everything on this router, and upgrade to 6.0.