IP Firewall Filter rule preference

Hi All,

New to Mikrotik. Loving it so far. Trying to move away from an archaic PIX.

I have done all the initial setup and created a few address lists, and am now adding my firewall filter rules.

I am wondering about the best way to allow http/https traffic and whether my rules are correct.

add action=accept chain=forward dst-port=80,443 protocol=tcp src-address-list="Our MPLS Network"
or
add action=accept chain=forward dst-port=80,443 in-interface-list=inside protocol=tcp

Thanks in advance
Stephen

Hi,
it depends on your network,
src-address-list ~ this is a list of networks like 192.168.1.1, 172.16.1.1…
in-interface/list ~ this is an interface-related list like ether1, ether2…

I already wrote this once: a potentially malicious user can easily spoof src-address but can hardly spoof in-interface … if you care about security, you have to keep this in mind. However, many times it’s not this simple and one has to use a combination of both.
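
The combination suggested in the last reply, as an added example that is not part of the original thread: it reuses the `inside` interface list and the `Our MPLS Network` address list from the question. It assumes every address in that list is reachable only through the inside interfaces; the rule order and comments are also assumptions.

```routeros
/ip firewall filter

# Anti-spoofing: a packet that claims a source address from the trusted list
# but arrives on an interface outside the "inside" list is dropped first.
add action=drop chain=forward src-address-list="Our MPLS Network" \
    in-interface-list=!inside comment="trusted source on wrong interface"

# Allow http/https only when BOTH conditions hold: the packet came in on an
# inside interface AND its source address is in the trusted list.
add action=accept chain=forward protocol=tcp dst-port=80,443 \
    in-interface-list=inside src-address-list="Our MPLS Network" \
    comment="http/https from inside, trusted sources only"
```

Matchers within a single rule are ANDed, so the accept rule no longer trusts the source address alone, and the drop rule must sit above any broader accept rule because filter rules are evaluated top to bottom.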