Firewall Filter Rules - block all other via 'IF IS NOT'

Hello,
I created the rule:

 chain=forward action=drop protocol=udp src-address=192.168.1.6 
      in-interface=SERVER out-interface=eth10_ISP dst-port=!53 
      log=yes log-prefix="domain-server_DNS-query"

interface=SERVER is the interface where my server is connected
eth10_ISP is the interface which is connected to the ISP
dst-address=192.168.1.6 is my internal AD/DC server which forwards all DNS queries to the ISP

My goal is to allow only DNS queries from the SERVER to the Internet, but the rule also allows ICMP.
What is the best way to isolate the server from the Internet?
Thank you

Your rule only drops all other udp traffic - all other protocols are still able to go out.

Try that one:

/ip firewall filter
add chain=forward action=accept protocol=udp src-address=192.168.1.6 in-interface=SERVER out-interface=eth10_ISP dst-port=53
add chain=forward action=drop src-address=192.168.1.6 in-interface=SERVER out-interface=eth10_ISP

The first rule accepts DNS queries in the forward chain. If a connection from your server matches these criteria, it will not be processed further in the firewall.
The second rule matches all other traffic which does not match the rule above.

Of course, you could also just invert your protocol matcher to protocol=!udp in your drop rule but that makes it:

  1. harder to read and understand in the config
  2. harder to add possible future exceptions when you encounter them (think of NTP for example)

-Chris
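To make the difference between the two approaches concrete, here is an added example (not code from the thread or from MikroTik) that models first-match evaluation of a forward chain in Python and runs the original single drop rule and the accept-then-drop pair over a few constructed packets; the packet field names and the sample traffic are assumptions made for the illustration.

```python
# Minimal first-match model of a RouterOS forward chain (constructed for
# this example, not RouterOS code). A chain with no matching rule accepts,
# which is what lets non-UDP traffic leak past the original drop rule.

SERVER = "192.168.1.6"

def rule(action, **kw):
    """Build a rule; a value prefixed with '!' is a negated matcher."""
    match = {}
    for key, value in kw.items():
        s = str(value)
        match[key] = (s.startswith("!"), s.lstrip("!"))
    return {"action": action, "match": match}

def matches(rule, pkt):
    """All matchers in the rule must agree with the packet (negation honoured)."""
    for key, (negated, value) in rule["match"].items():
        hit = pkt.get(key) == value
        if hit == negated:        # plain matcher missed, or negated matcher hit
            return False
    return True

def evaluate(chain, pkt, default="accept"):
    """First matching rule decides; otherwise the chain's default applies."""
    for r in chain:
        if matches(r, pkt):
            return r["action"]
    return default

# The rule from the first post: only UDP to ports other than 53 is dropped.
ORIGINAL = [rule("drop", src=SERVER, in_if="SERVER", out_if="eth10_ISP",
                 proto="udp", dst_port="!53")]

# The accept-then-drop pair: explicit DNS exception, then a catch-all drop.
ACCEPT_THEN_DROP = [
    rule("accept", src=SERVER, in_if="SERVER", out_if="eth10_ISP",
         proto="udp", dst_port="53"),
    rule("drop", src=SERVER, in_if="SERVER", out_if="eth10_ISP"),
]

def pkt(proto, dst_port=None):
    """Constructed packet from the server heading out towards the ISP."""
    p = {"src": SERVER, "in_if": "SERVER", "out_if": "eth10_ISP", "proto": proto}
    if dst_port is not None:
        p["dst_port"] = dst_port
    return p

SAMPLE = {"dns_udp": pkt("udp", "53"), "ntp_udp": pkt("udp", "123"),
          "http_tcp": pkt("tcp", "80"), "ping_icmp": pkt("icmp")}

def decisions(chain):
    """Verdict per sample packet, so the two chains can be compared."""
    return {name: evaluate(chain, p) for name, p in SAMPLE.items()}
```

Running `decisions(ORIGINAL)` shows TCP and ICMP accepted, while `decisions(ACCEPT_THEN_DROP)` accepts only the UDP/53 query; adding an NTP exception to the second chain is one more accept rule before the drop.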

Thank you for the explanation.
Will it be possible in the future to use “double” negation?
protocol: !udp
port: !53

for example

It’s already possible - but with the drawbacks mentioned above.
-Chris