Mikrotik RB750 how to [block everything, then allow specific]

I'm seeking a way of making the router drop all packets from all IPs, except those I listed as safe.

I created a filter rule to drop all connections on the entire 192.168.137.0/24 IP pool, and that part worked, but when I add another rule afterwards, a rule that allows packets for a specific IP, it won't let it, but instead it keeps to the original block.

I want to make a system that by default doesn't let anyone connect to the internet, except those I exclude via their static IP.

It is about the order you put on the firewall filter. The rules which would allow the traffic should be put before/above the rule that drops it.

As you know, all firewall rules are matched from top to bottom, so when you want to drop all connections and then accept any connection, you must add the drop any any rules at the bottom of the list and then accept any traffic you want. For example: I want to filter all traffic through the router, but I need to accept a "Microsoft SQL database management system server", so:

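# Accept rule first: forwarded TCP traffic on port 1433 (Microsoft SQL Server)
/ip firewall filter
add action=accept chain=forward comment="Microsoft SQL database management system server" \
    port=1433 protocol=tcp

# Drop rule last: everything not accepted above is dropped
/ip firewall filter
add action=drop chain=forward comment="Drop all Traffic"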

The second point is that when the firewall surveys the rules from top to bottom, the first match is greater than the other rules. It means that if your firewall finds a rule matching the protocol or IP that you need to accept, for example protocol=443 just for IP address=192.168.x.100, and then you deny this traffic for all src addresses in your network (for example 192.168.x.0/24), just the first match (192.168.x.100) can use protocol=443.

Best regards,

Indeed.

Many thanks for the replies, it's working like a charm now.
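The ordering described in the replies, applied to the question's 192.168.137.0/24 network, as an added RouterOS example that is not part of the original posts. The two host addresses and the list name `allowed-clients` are assumptions made up for illustration; the subnet comes from the question.

```routeros
# Added example (not from the thread).
# Assumed: 192.168.137.10 and 192.168.137.20 are the static IPs that may
# reach the internet (constructed values); "allowed-clients" is a
# hypothetical list name.

# Keep the allow-list in one place so the filter rules never need editing
# when a host is added or removed.
/ip firewall address-list
add list=allowed-clients address=192.168.137.10 comment="constructed example host"
add list=allowed-clients address=192.168.137.20 comment="constructed example host"

/ip firewall filter
# 1. Replies to connections that were already permitted. Without this, an
#    unconditional drop at the bottom also discards the return packets,
#    because their source address is the remote server, not a listed host.
add chain=forward action=accept connection-state=established,related \
    comment="allow replies to permitted connections"

# 2. New connections from allow-listed hosts only.
add chain=forward action=accept src-address-list=allowed-clients \
    comment="allow listed hosts"

# 3. Default deny. This must stay below the accept rules: rules are
#    evaluated top to bottom and the first match decides.
add chain=forward action=drop comment="drop everything else"

# Verify the order: the drop rule must have the highest number in the chain.
/ip firewall filter print where chain=forward
```

These rules cover the forward chain only, that is, traffic passing through the router; access to the router itself is governed by the input chain and is not changed here.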