Firewall setup - Block all inbound but allow all outbound

I want to block all inbound traffic on all ports but have port 80 TCP, port 3389 TCP and ports 27000-27050 TCP/UDP open.

But when I make this:
add action=accept chain=forward comment="RDP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=3389 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="HTTP" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=80 protocol=tcp src-address=yyy.yyy.yyy.0/28
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=tcp
add action=accept chain=forward comment="TF2" disabled=no dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 protocol=udp
add action=drop chain=forward comment="BLOCK ALL" disabled=yes dst-address=xxx.xxx.xxx.123

It does not work, I can't even ping out from xxx.xxx.xxx.123 or get any traffic out (look at websites and so on).
Is there something that I don't get about the way the firewall in RouterOS is working?
But the RDP and HTTP work??? (I can connect to the RDP running on xxx.xxx.xxx.123 and look at the HTTP server running on it.)
And when I disable the "BLOCK ALL" rule it all works, but the machine is exposed to the net.

Use IP - services to turn off inbound services.

It's not the box itself these rules are for, but a server on a subnet…

Are you routing public addresses or NAT?

I’m routing public addresses and this server is on a /30

Check out the Wiki. I think you will find your answer there.

A simple way would be to masquerade the network if you don't mind having a NATted output. This will effectively hide your network behind the router but still allow all outgoing traffic.

Currently the last rule in your list will drop ALL traffic in the forward chain, in and out, so the result you are getting is expected.

Did not find anything useful :(

Have had that idea in my head, but I wanted it on its own IP free of NAT…
But how do I block all inbound and only allow in the traffic that I want open? And allow all outbound traffic?

Dmitri’s firewall rules. Read the wiki.

Will do…

Before the final drop rule add this:

chain=forward action=accept connection-state=established

Regards

Andrew
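The complete forward chain that Andrew's answer implies, written out as an added example (not configuration posted in this thread). It keeps the thread's placeholder addresses (xxx.xxx.xxx.123 for the server, yyy.yyy.yyy.0/28 for the management network), and it goes a little beyond the single `connection-state=established` rule by also accepting `related` packets (ICMP errors, FTP data channels) and dropping `invalid` ones; both additions are assumptions on my part about what a defender would normally want here, not something the thread states.

```routeros
/ip firewall filter

# Replies to connections the server opened itself (and to inbound
# connections already accepted below) are matched here, before any
# drop rule sees them. Without this rule the final drop, which matches
# every packet addressed to the server, also discards the return
# traffic of the server's own outbound connections, which is exactly
# why "ping out" and web browsing stopped working in the original post.
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to permitted connections"

# Packets that belong to no tracked connection (stray ACKs, malformed
# state) are dropped rather than evaluated against the port rules.
add chain=forward action=drop connection-state=invalid \
    comment="drop untracked packets"

# Only NEW connections reach the rules below, so each rule describes
# a service being exposed and nothing else.
add chain=forward action=accept connection-state=new protocol=tcp \
    dst-address=xxx.xxx.xxx.123 dst-port=3389 src-address=yyy.yyy.yyy.0/28 \
    comment="RDP from management network only"
add chain=forward action=accept connection-state=new protocol=tcp \
    dst-address=xxx.xxx.xxx.123 dst-port=80 src-address=yyy.yyy.yyy.0/28 \
    comment="HTTP from management network only"
add chain=forward action=accept connection-state=new protocol=tcp \
    dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 \
    comment="TF2 tcp"
add chain=forward action=accept connection-state=new protocol=udp \
    dst-address=xxx.xxx.xxx.123 dst-port=27000-27050 \
    comment="TF2 udp"

# Everything else addressed TO the server is dropped. Packets FROM the
# server (src-address=xxx.xxx.xxx.123) never match this rule, so all
# outbound connections are still allowed and their replies are picked
# up by the established,related rule at the top.
add chain=forward action=drop dst-address=xxx.xxx.xxx.123 \
    comment="BLOCK ALL other inbound to server"
```

Rule order matters in the forward chain: the stateful accept has to sit above the drop, and `/ip firewall filter print` should show it there. A quick check after applying this is to open an outbound connection from the server and watch `/ip firewall connection print` list it with the `established` state while inbound probes to an unlisted port show up only in the drop rule's packet counter.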