Remote Access

Hello Guys,

I’m stuck with a problem that appears to be simple; I wonder if anyone can help me.

I have a Routerboard RB2011UiAS, and I need a computer from outside my network to connect to a VM inside my network. I’ve created a filter rule like this:
Chain:input Protocol:6(tcp) dstPort:YYYY action:Accept and a NAT like this: Chain:dstnat Protocol:6(tcp) In interface:Ether1 Action:dst-nat toAddress:192.168.0.XXX to ports YYYY.

If I leave the srcAddress blank, does that mean that anyone who tries to connect to that port will be redirected to the IP where the VM is?

Can anyone help me with this please?

Thanks!

You should specify dst-port on NAT rule (you can omit to-ports if it’s the same port number).

Yes, you’re right, the rules as written will allow the whole internet to connect to the forwarded port. If there’s a list of internet IPs from which you expect connections, you can construct an address list and allow connections to forwarded ports only for clients with those addresses…

Thanks for the reply!

With only these settings, will someone from outside my network be able to connect to the VM? Or do I need to configure something else?

/ip firewall filter
{in forward chain}
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat

/ip firewall nat
add action=dst-nat chain=dstnat comment=Technical-Panel dst-port=zz
in-interface-list=WAN protocol=tcp src-address-list=AllowedTechnicians
to-addresses=192.168.z.zz

In my case, NAT is set up to allow access to a specific device on port zz and to a specific LAN IP on my network.
The request is coming in on one of my two WAN IPs (depending on which one is working (primary and secondary WANs)).
I then ensure ONLY authorized external users have access by adding the source address firewall list.
(I suppose one could spoof an external WAN IP, but it is unlikely. In addition, the device has a very unique username and password.)

By the way, when using a source address list the associated port becomes INVISIBLE when port scanned.
If I don't put in a source address list definition, then the port shows as VISIBLE and closed when port scanned.
So there is an added benefit to using a source firewall address list that is not clearly documented.

The firewall rule above simply allows packets that have not matched the previous rules (listed below), that are coming from NAT processing and are identified as dst-nat packets, to be processed/forwarded:
- accept established, related packets
- drop invalid packets
- allow LAN to WAN packets
- allow internal to internal traffic
and it is followed by:
- drop all else rule

So to answer your question, without a source address, anybody scanning your ports may see that port and could attempt to connect to it. However, how one knows which program should be used to access that port is unknown to me. How does one know if it's FTP, VM, SSH, etc… or a specific game port, UNLESS it's on a STANDARD port for that functionality?

Thus one thing folks can do is port translation, or simply change the port on the device, server, etc…
Let's say the activity is SSH on port 22. Well, change the SSH port to 2300 and just tell your users to come in on that port vice standard.

Port translation is effective when one cannot change the server port number; it's fixed.
We can still tell the external users to come in on port 2300 and through the NAT rule change it back to 22:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Technical-Panel dst-port=2300
in-interface-list=WAN protocol=tcp src-address-list=AllowedTechnicians
to-ports=22 to-addresses=192.168.z.zz

So we can change the port so the functionality of the port is not obvious, and lastly we can ensure a strong username and password is in effect when using the right program to access server functionality. This typically means a non-standard user name and a strong password of 20+ random characters (letters, symbols, numbers, etc.).
Of course, the value of the information usually corresponds to the level of ‘interest’ or resources applied to get in!!!
If it is extremely valuable, then access after successful VPN tunnel entry is safer.

I would never recommend having a server available for dst-nat, UNLESS:
a. there is a firewall address list for the source address in the NAT rule;
b. there is a strong username and password combination;
otherwise, without the above, the data or functionality is not critical and the server is NOT connected to the rest of my LAN (VLAN separation, for example).
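Pulling the advice from both replies together (specify dst-port on the NAT rule, gate it with a source address list, and place the forward-chain accept in the right order), here is a complete RouterOS configuration as an added example. It is not from any poster in this thread; the WAN interface name ether1, the technician address 203.0.113.10 (an RFC 5737 documentation address), the VM address 192.168.0.50 and the 2300-to-22 port translation are assumed values chosen for illustration.

```routeros
# Added example, not from the thread's posters. Assumed/constructed values:
# WAN interface ether1, allowed technician IP 203.0.113.10, internal VM
# 192.168.0.50, public port 2300 translated to the VM's SSH port 22.

# 1. Put the WAN interface(s) in an interface list, so the rules keep working
#    when traffic arrives on either WAN (primary or secondary).
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# 2. Source address list: only these addresses may reach the forwarded port.
#    Without a src-address-list the dst-nat rule matches the whole internet.
/ip firewall address-list add list=AllowedTechnicians address=203.0.113.10 comment="technician laptop (constructed example)"

# 3. dst-nat: match the inbound interface list AND dst-port, restrict by the
#    source list, and translate public port 2300 to the VM's port 22.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp in-interface-list=WAN dst-port=2300 src-address-list=AllowedTechnicians to-addresses=192.168.0.50 to-ports=22 comment="Technicians -> VM SSH"

# 4. Forward chain, in evaluation order: established/related first, drop
#    invalid, then the dst-nat accept, then drop everything else from WAN.
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="accept established/related"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="drop invalid"
/ip firewall filter add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="Allow Port Forwarding"
/ip firewall filter add chain=forward action=drop in-interface-list=WAN comment="drop all else from WAN"

# 5. Verification: after a test connection from the listed address, the packet
#    counters on the dst-nat rule and the "Allow Port Forwarding" rule increase;
#    a connection from any other address should leave both counters unchanged.
/ip firewall nat print stats
/ip firewall filter print stats
```

Rule order matters because the filter chain is evaluated top to bottom: if the final drop sat above the dstnat accept, forwarded connections would be dropped even though the NAT rule matched. Restricting the accept to `in-interface-list=WAN` keeps it from accidentally admitting anything other than the translated inbound connections.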