Hello,
how do I control which ports the internal LAN clients can access?
I want to set it up so that they can only access a specific set of services, as I’m seeing some strange traffic that eats my BW, so I added a rule on the forward chain with accept forward 80, 8080 on tcp.
Then I have a couple of block-all rules on the input and forward chains, all drops.
The rule is doing nothing, as I’m seeing with torch a ton of UDP packets from LAN to WAN…
these are my rules:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Accept established input" connection-state=established disabled=no
add action=accept chain=input comment="accept related input" connection-state=related disabled=no
add action=accept chain=input comment="" disabled=no dst-address=255.255.255.255 dst-port=5678 in-interface=ether3-local-master protocol=udp
add action=drop chain=input comment="drop invalid input" connection-state=invalid disabled=no
add action=drop chain=forward comment="drop invalid forward" connection-state=invalid disabled=no
add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
add action=accept chain=forward comment="accept new connections" connection-state=new disabled=no
add action=accept chain=forward comment="" disabled=no dst-port=80,8080 protocol=tcp
add action=accept chain=forward comment="allow related forward" connection-state=related disabled=no
add action=accept chain=forward comment="accept established forward" connection-state=established disabled=no
add action=accept chain=input comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 in-interface=ether3-local-master protocol=udp
add action=accept chain=input comment="Allow ICMP ping" disabled=no icmp-options=8:0-255 limit=50/5s,2 protocol=icmp
add action=drop chain=forward disabled=no
add action=drop chain=input comment="default configuration" disabled=no
The last drop forward rule gets no hits at all, the established one takes everything away… Any ideas on how to implement an “allow XX ports only”? I’ve searched the examples and found nothing of much use or simplicity.
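RouterOS filter rules are evaluated top to bottom and the first match decides. In the listing above, the generic "accept new connections" rule (connection-state=new, no port match) sits before the dst-port=80,8080 rule, so every new flow from the LAN is accepted by it, the established/related rules then carry the rest of that flow, and neither the port rule nor the final drop ever sees a packet. The following is an added example of a forward chain that allows only the listed ports; it is not the poster's configuration and not taken from the MikroTik wiki. It assumes the LAN interface name ether3-local-master from the post, and that DNS for clients is served by the router itself (the UDP 53 input rule in the post), so no forwarded DNS is needed.

```routeros
# Added example: "allow only these ports" forward chain for RouterOS.
# Assumed interface name: ether3-local-master (taken from the post).
/ip firewall filter
# Return traffic of sessions that were accepted below. These rules only match
# flows whose first packet got past the port whitelist, so they do not
# bypass it.
add chain=forward comment="accept established/related forward" \
    connection-state=established,related action=accept
add chain=forward comment="drop invalid forward" \
    connection-state=invalid action=drop
# The whitelist: new connections from the LAN are accepted only towards
# TCP 80 and 8080. There is deliberately no generic
# "connection-state=new action=accept" rule above this line.
add chain=forward comment="LAN -> WAN: web only" \
    in-interface=ether3-local-master connection-state=new \
    protocol=tcp dst-port=80,8080 action=accept
# Log a sample of what is about to be dropped so the source of the UDP
# traffic seen in torch can be identified (rate-limited to keep the log readable).
add chain=forward comment="log dropped forward" \
    limit=5,10:packet action=log log-prefix="fwd-drop"
# Everything else that is not part of an accepted session is dropped here.
add chain=forward comment="drop everything else forward" action=drop
```

Rules are appended in the order the `add` commands run, so either reset the forward chain first or use `move` in Winbox to get this order. HTTPS (TCP 443) is not in the list because the post only asks for 80 and 8080; add it to dst-port if clients need it. After applying, the hit counters on the final drop rule and the `fwd-drop` log entries show exactly which LAN hosts and ports are generating the unwanted traffic.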