I started to work for a project where they use RB2011UiAS v6.45.6.
My first task is to secure the internal network.
I’d like to deny outgoing traffic for most internal hosts (clients) and allow only TCP 80 and 443.
Servers like DC and MX obviously should be allowed the usual ports and services.
The router also has a Site2Site tunnel (another MT in a remote office) up and running and a number of L2TP VPN dial-in clients (locally configured).
I have no clue about chains. Usually I use a different brand. Usually I'd define the hosts, group them, allow certain ports and end the list with deny:all.
NATting though is quite understandable and I managed to modify that.
The question is where to start.
Where can I define the host that I’d like to exempt from the strict 80/443 policy and which “chain” will I have to use?
Thank you so much for this offensive and very unhelpful answer. I hoped to give these cheap boxes a chance, since the guy that tries to start his small biz in these difficult times bought "cheap cheap" and asked me if I could have a quick look, yet only used the "assistants" in his GUI...
But regarding the kind of "community help" you gave, I have to say sorry and sell him a major brand I am accredited for and that I can set up safely in minutes.
If you're willing to set up the equipment in a lab setting and play with it till the config meets your needs, then that would work.
Just not a good idea to play guinea pig with a live connected system.
If you want to block something going through router, it’s done in “/ip firewall filter”, chain=forward, and rules are processed from top to bottom. Default firewall blocks unsolicited traffic from WAN and allows everything else. But you can change it as you like, allow some stuff and unconditionally block the rest as you’re used to. Lists of addresses can be created in “/ip firewall address-list” and used in rules with src/dst-address-list=.
Why is this advice offensive? It is advice; you don't like it, but it's in no way offensive.
Anav probably thinks (and I have to admit I also think a bit like this) that if you do not know what chain "forward" (traffic through the router) and chain "input" (traffic into the router, for management, DNS, etc.) are, then becoming the admin of a company's server/router is probably not the best idea.
If you just never came across such wording but you are an IT expert (or familiar with the topic), then read the Wiki and in 5 minutes you will know what the forward and input chains are and how to use them. And then you would have very precise questions as well.
PS: grouping: I assume you mean creating an IP-based address list that you can then filter on or allow traffic for in the firewall? This is available in IP/firewall/address list, for instance.
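As an added example (not posted by anyone in this thread and not MikroTik's own configuration), here is what the forward-chain policy and address-list grouping described in the two replies above could look like for the setup in the question: clients limited to TCP 80/443 outbound, a few servers exempted, and the site-to-site and L2TP networks left open. All interface names, subnets and host addresses (LAN 192.168.88.0/24, L2TP pool 192.168.89.0/24, branch 10.20.0.0/24, DC 192.168.88.10, MX 192.168.88.25) are assumptions and must be replaced with the real ones; try it on a lab box or a spare RB first, as the earlier reply suggests.

```routeros
# Added example, not from the original thread. All addresses below are placeholders.

/ip firewall address-list
add list=lan-nets address=192.168.88.0/24 comment="local clients (assumed subnet)"
add list=lan-nets address=192.168.89.0/24 comment="L2TP dial-in pool (assumed)"
add list=remote-office address=10.20.0.0/24 comment="site-to-site peer LAN (assumed)"
add list=servers-full-egress address=192.168.88.10 comment="DC (placeholder address)"
add list=servers-full-egress address=192.168.88.25 comment="MX (placeholder address)"

/ip firewall filter
# chain=forward handles traffic passing through the router; rules match top to bottom,
# first match wins, so the accepts come before the final drop.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Keep the site-to-site tunnel usable in both directions.
add chain=forward action=accept src-address-list=lan-nets dst-address-list=remote-office comment="LAN -> branch"
add chain=forward action=accept src-address-list=remote-office dst-address-list=lan-nets comment="branch -> LAN"
# Exempted servers (DC, MX) may open any new outbound connection.
add chain=forward action=accept src-address-list=servers-full-egress connection-state=new comment="server egress"
# Everyone else on the LAN only gets HTTP/HTTPS out.
add chain=forward action=accept src-address-list=lan-nets protocol=tcp dst-port=80,443 connection-state=new comment="client web"
# Log before dropping so blocked attempts show up in /log; handy for tuning the exemption list
# and for noticing a host that suddenly tries to talk on ports it never used before.
add chain=forward action=log src-address-list=lan-nets log-prefix="egress-deny " comment="log denied egress"
add chain=forward action=drop src-address-list=lan-nets comment="deny all other LAN egress"
```

Two things to check before relying on this: the rules must sit above any default "accept everything from LAN" rule already in the forward chain, otherwise they are never reached; and the clients still need name resolution. If the router itself is their DNS server, that traffic is chain=input, which this example does not touch; if they use an external resolver, add an accept for UDP and TCP port 53 from lan-nets ahead of the drop. Review `/log print` after a day to see which servers or ports still need an exemption.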