It seems that I have come across a possible issue when trying to use a DNS in the “Available From” fields. I see that I’m able to use an IP Address, why am I not able to use a DNS name instead?

Because people don’t come ‘from’ DNS - I suppose, sure, you could put a DNS record in there and have it resolve forward at a specific time or in intervals - or it’s possible to have it perhaps look up the PTR on an IP to see if it matches that field - but this is used primarily as a ‘firewall’ to stop auth from other IPs - so it’s expecting an IP or subnet.
Having said that - I find this a bad way to limit service ports - as with this it still exposes the actual service to the web and just blocks auth - which means if an exploit is found to bypass auth you are still in trouble - my suggestion is to always use IP firewall filter rules to lock down service ports.
Joe,
Thanks for the insight. I do already use the firewall to filter out those ports; I only use the service ports filter as a secondary. However, with regard to putting my DNS name into the input field, it should be allowed; I just don’t see why not. I have a DDNS on my router (my router’s IP address might be changing soon to IDK what) and want the remote router to be able to use the new IP address, which is why I wanted to put the DDNS name of my router in that field. Again, this is only used as a secondary. It’s not that big of a deal; however, I don’t see why this field should discriminate against DNS names being entered into this field.
It is not trivial to use DNS entries for this (or src-address / dst-address in firewall rules) as you can’t wait until DNS resolution has completed before continuing to process packets.
However, it is possible to use address lists with firewall rules (src-address-list / dst-address-list), which will accommodate the potentially multiple responses from a DNS lookup; the list contents can then be quickly searched during packet processing:
/ip firewall address-list
add address=some.domain.name list=admins
/ip firewall filter
add action=drop chain=input dst-port=8291 protocol=tcp src-address-list=!admins
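
An added example, not part of the original posts and not RouterOS code: a Python model of the split described above, where names are resolved in a separate refresh step and the per-packet check is only a lookup in the already-resolved list. The class and function names, the TTL-based expiry and the zone data are assumptions made for illustration; it also shows the window in which a changed DDNS address is still dropped.

```python
import ipaddress

class AddressList:
    """Toy model of a DNS-fed address list (assumed behaviour, not RouterOS code)."""
    def __init__(self, resolver):
        self.resolver = resolver   # callable: name -> [(ip, ttl_seconds), ...]
        self.names = []            # names the admin configured
        self.entries = {}          # resolved ip -> expiry timestamp

    def refresh(self, now):
        """Slow path: resolve names outside packet processing."""
        for name in self.names:
            try:
                answers = self.resolver(name)
            except LookupError:
                continue           # resolver failure: keep entries until they expire
            for ip, ttl in answers:  # a name may return several addresses
                self.entries[ipaddress.ip_address(ip)] = now + ttl
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}

    def contains(self, src, now):
        """Fast path: one dictionary lookup per packet, never a DNS query."""
        return self.entries.get(ipaddress.ip_address(src), 0) > now

def filter_input(admins, src, dst_port, now):
    """Same logic as the rule above: drop tcp/8291 unless src is in 'admins'."""
    if dst_port == 8291 and not admins.contains(src, now):
        return "drop"
    return "accept"

def demo():
    # Constructed zone data using documentation address ranges.
    zone = {"some.domain.name": [("192.0.2.10", 60), ("192.0.2.11", 60)]}
    admins = AddressList(lambda name: zone[name])
    admins.names.append("some.domain.name")
    out = [filter_input(admins, "192.0.2.10", 8291, now=0)]      # not resolved yet
    admins.refresh(now=0)
    out.append(filter_input(admins, "192.0.2.11", 8291, now=1))  # second A record
    zone["some.domain.name"] = [("198.51.100.7", 60)]            # DDNS address changes
    out.append(filter_input(admins, "198.51.100.7", 8291, now=30))  # list is stale
    out.append(filter_input(admins, "192.0.2.10", 8291, now=30))    # old IP still cached
    admins.refresh(now=61)
    out.append(filter_input(admins, "198.51.100.7", 8291, now=62))  # new IP now listed
    out.append(filter_input(admins, "192.0.2.10", 8291, now=62))    # old entry expired
    return out

if __name__ == "__main__":
    print(demo())
```

In this model an empty or stale list makes the negated match drop every source, including the legitimate admin, until the next successful refresh.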