Port 80 forwarding and port blocking

Hi all:

I have tried a few different ways, but I cannot seem to make anything work properly.

I have a 750Gl that I have a webserver behind. Its address is 10.30.1.70/24.

I had a problem with it getting hacked. After rebuilding it and hopefully fixing my vulnerabilities, I want to go a little further by denying any possible outgoing viruses that might get through in the future. The easiest way I can figure out is to close all outgoing ports except 53 & 80.

I want to allow my webserver to get updates, so I need to allow outgoing ports 80 & 53. My webserver is also on port 80.

I have tried the configs below. The first works great to block everything outgoing except ports 80 & 53, but using it seems to nullify my port forward to the same server on port 80. Any help would be appreciated.

Glenn

/ip firewall filter
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=53 comment="LAN to DNS (tcp)"
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=53 comment="DNS replies to LAN (tcp)"
add chain=forward action=accept src-address=10.30.1.0/24 protocol=udp dst-port=53 comment="LAN to DNS (udp)"
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=udp src-port=53 comment="DNS replies to LAN (udp)"
add chain=forward action=accept src-address=10.30.1.0/24 protocol=tcp dst-port=80 comment="LAN to HTTP"
add chain=forward action=accept dst-address=10.30.1.0/24 protocol=tcp src-port=80 comment="HTTP replies to LAN"
add chain=forward action=drop comment="drop everything else forwarded"

With a forward like this:

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access to Webserver NAT Rule" disabled=no dst-port=80 protocol=tcp to-addresses=10.30.1.70 to-ports=80
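Added example (not from the original post): why the filter above blocks the port forward, and a stateful version of the same policy. On RouterOS the dstnat chain runs before the forward chain, so an inbound connection to the web server reaches forward already rewritten, as src=<client IP>:<random port> dst=10.30.1.70:80. The only accept rules with dst-address=10.30.1.0/24 require src-port 53 or 80, so the client's SYN falls through to the final drop. Those same src-port accepts are also a hole in the other direction: any inbound packet whose source port happens to be 53 or 80 is accepted to any LAN host and port, because nothing checks connection state. The ruleset below replaces them with connection tracking and accepts the forwarded web traffic explicitly. It assumes ether1 is the WAN interface (an assumption; substitute your own) and RouterOS v6 or later for the connection-nat-state matcher; on older builds, match in-interface=ether1 dst-address=10.30.1.70 protocol=tcp dst-port=80 instead.

```routeros
/ip firewall nat
# Port forward, limited to traffic arriving on the WAN interface (ether1 is assumed).
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=10.30.1.70 to-ports=80 comment="Access to Webserver NAT Rule"

/ip firewall filter
# Replies to connections that were already allowed. This replaces the stateless
# src-port=53/80 accepts, which let any packet with those source ports into the LAN.
add chain=forward connection-state=established,related action=accept \
    comment="established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Inbound connections that the dstnat rule above rewrote to the web server.
# connection-nat-state needs RouterOS v6+; on older builds use
# in-interface=ether1 dst-address=10.30.1.70 protocol=tcp dst-port=80 instead.
add chain=forward connection-state=new connection-nat-state=dstnat protocol=tcp \
    dst-address=10.30.1.70 dst-port=80 action=accept comment="port-forwarded web traffic"
# New outbound connections from the LAN: DNS and HTTP only, as in the original policy.
add chain=forward connection-state=new src-address=10.30.1.0/24 protocol=udp \
    dst-port=53 action=accept comment="LAN DNS (udp)"
add chain=forward connection-state=new src-address=10.30.1.0/24 protocol=tcp \
    dst-port=53 action=accept comment="LAN DNS (tcp)"
add chain=forward connection-state=new src-address=10.30.1.0/24 protocol=tcp \
    dst-port=80 action=accept comment="LAN HTTP"
# Log, then drop, everything else that would be forwarded, so you can see what
# the server tries to reach (watch /log for the fwd-drop prefix).
add chain=forward action=log log-prefix="fwd-drop " comment="log before drop"
add chain=forward action=drop comment="drop all other forwarded traffic"
```

Remove the original forward rules before pasting this in, since RouterOS evaluates rules top to bottom and the old ones would still match first. Two caveats: a compromised server that talks to its controller over HTTP on port 80 is not stopped by this policy at all, it only limits which ports malware can use; and the filter applies to the forward chain only, so connections to the router itself (input chain) need their own rules.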

One of the ways: skip src-address and dst-address in all the above rules.

Hi,

I believe you have to make a rule which allows traffic to the public IP rather than to the local IP of the webserver.