How can I block access from Winbox.

NAB · July 25, 2011, 3:05pm

Hi,

I have a RB493. It’s running ROS 5.5.

I want to block all access from WinBox clients on ‘ether4’, unfortunately I don’t seem to be able to do so.

If I create the following three rules:

/ip firewall filter
add action=drop chain=input disabled=no in-interface=ether4
add action=drop chain=output disabled=no out-interface=ether4
add action=drop chain=forward disabled=no

and then plug a PC into ether4, I can still connect Winbox to the MAC address of the router. The interesting thing is that the packet count for dropped packets on the input chain increases and I see absolutely no traffic matching the rule in the output chain.

The worrying thing is that the firewall appears to be working (input chain rule count incrementing), but it clearly isn’t. What other kinds of traffic can bypass the filter?

fewi · July 25, 2011, 3:09pm

You can’t filter MAC address layer access to Winbox in the IP firewall. MAC-winbox runs on layer 2, the IP firewall runs on layer 3.

If you need to limit who has layer 2 access to Winbox delete or disable the item for all interfaces under “/tool mac-server mac-winbox” and add in specific entries for the interfaces you want to permit it from.

That said on all my production machines I disable all layer 2 access to the router completely. Either you access it via layer 3, or via the console port.

NAB · July 25, 2011, 3:43pm

Argh. Major attack of the stupids. I knew this, I know I knew this. I just got caught up with the incrementing packet counts and stopped thinking.

Thank you!