Simple firewall config to block ssh to router or any device in the network not working

I would like to block SSH and other services on the router and all devices under it. I use two rules:
/ip firewall filter
add chain=input action=drop in-interface=WAN protocol=tcp dst-port=22 comment="drop ssh" disabled=no
add chain=forward action=drop in-interface=WAN protocol=tcp dst-port=22 comment="drop ssh" disabled=no

But I can still see the port open and not filtered in nmap, so what is the issue?

It's hard to tell (you don't say where you ran nmap, from WAN or from LAN), but it seems to me that your filters are slightly FU.

The first says: drop any connection to the SSH port of the router itself if the connection request comes in from WAN.
The second says: drop any connection to the SSH port if forwarded and the request enters via interface ether1. Actually, the screenshot tells another story (it blocks SSH attempts initiated from WAN).

You don't have any filter dropping connections to the SSH port on the router if initiated from LAN ports. If you want to drop SSH connections from LAN as well, it would be better to entirely disable the SSH service on the router.

If your text description is true, then you don't have any filter dropping connections to SSH ports on any device if the connection request does not originate on the ether1 port. If you want to disable SSH access to LAN hosts originating from WAN, then you should implement a filter rule similar to the first one you already have, but with chain=forward. If you're using NAT, then this step is generally not needed unless you have dst-nat for the SSH port. The screenshot says you already have this rule, so I'm confused.

I wanted to drop it from WAN, not from LAN, for now, and for the forward rule it is WAN, not ether1 as in the screenshot, my mistake. It is okay, it is working now; I just needed to wait for a while.

Posting screenshots of firewall rules is useless, because it's not clear what other options are hidden. If I went just by your screenshot, I'd have to assume that you allow all UDP and TCP traffic by rules 10 and 11. The comments mention DNS, but there's no port visible, so it might be anything. I guess you have some src-address-list option there, because the following rules also have some hits.

And if rule 23 is an unconditional drop (again, I can only guess), then you won't ever get a single hit on rule 24, because nothing can get there.

So next time, use the nice and useful RouterOS command "export" (best run in Terminal as "/export hide-sensitive").
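The two points made in the replies above (an input rule plus a forward rule for tcp/22 arriving on WAN, with the SSH service itself restricted so LAN access is also controlled, and the fact that a rule placed after an unconditional drop in the same chain can never get a hit) can be checked mechanically against the text that "/export hide-sensitive" produces. The following is an added example written for this page, not code from the thread or from MikroTik: a small parser for the "add ..." and "set ..." lines of an export, a shadowed-rule detector, and a check that a reachable SSH drop exists in both chains. The embedded export is constructed for the example; the interface name WAN, the LAN subnet 192.168.88.0/24 and the comments are assumptions, and the last input rule is deliberately placed after the catch-all drop so the detector has something to find.

```python
import shlex
from dataclasses import dataclass

# Constructed /export-style snippet (not the poster's real config). It holds the
# two ssh drop rules from the thread, an SSH service restricted to an assumed LAN
# subnet, and an unconditional input drop followed by a rule that can never match.
SAMPLE_EXPORT = """\
/ip service
set ssh address=192.168.88.0/24
/ip firewall filter
add action=accept chain=input comment="accept established/related" connection-state=established,related
add action=drop chain=input comment="drop ssh" dst-port=22 in-interface=WAN protocol=tcp
add action=drop chain=forward comment="drop ssh" dst-port=22 in-interface=WAN protocol=tcp
add action=accept chain=input comment="dns from LAN" dst-port=53 in-interface=LAN protocol=udp
add action=drop chain=input comment="drop everything else on input"
add action=accept chain=input comment="shadowed: never gets a hit" in-interface=LAN protocol=icmp
"""

# Keys that describe what a rule does or how it is labelled, not what it matches.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "place-before"}
# Actions after which no later rule in the chain is consulted for that packet.
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit"}


@dataclass
class Rule:
    index: int          # 0-based position within its chain
    chain: str
    action: str
    matchers: dict      # match conditions only, e.g. {"protocol": "tcp", "dst-port": "22"}
    comment: str = ""
    disabled: bool = False


def parse_export(text):
    """Return (filter_rules, services). Only '/ip firewall filter' add-lines and
    '/ip service' set-lines are interpreted; every other menu is skipped."""
    menu, rules, services = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)          # handles comment="with spaces"
        verb, kv, positional = tokens[0], {}, []
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
            else:
                positional.append(tok)
        if menu == "/ip firewall filter" and verb == "add":
            chain = kv.get("chain", "")
            rules.append(Rule(
                index=sum(1 for r in rules if r.chain == chain),
                chain=chain,
                action=kv.get("action", "accept"),
                matchers={k: v for k, v in kv.items() if k not in NON_MATCH_KEYS},
                comment=kv.get("comment", ""),
                disabled=kv.get("disabled", "no") == "yes"))
        elif menu == "/ip service" and verb == "set" and positional:
            services.setdefault(positional[0], {}).update(kv)
    return rules, services


def shadowed_rules(rules):
    """Pairs (later, earlier): 'later' is unreachable because an earlier, enabled rule
    in the same chain has a terminal action and every matcher it uses appears in
    'later' with the same value, so the earlier rule is at least as general.
    Values are compared as strings (port lists and address ranges are not expanded),
    so this under-reports rather than over-reports."""
    out = []
    for later in rules:
        if later.disabled:
            continue
        for earlier in rules:
            if earlier.chain != later.chain or earlier.index >= later.index:
                continue
            if earlier.disabled or earlier.action not in TERMINAL_ACTIONS:
                continue
            if all(later.matchers.get(k) == v for k, v in earlier.matchers.items()):
                out.append((later, earlier))
                break
    return out


def ssh_blocked_from_wan(rules, wan="WAN"):
    """Per chain (input, forward): is there a reachable, enabled drop for tcp/22
    arriving on the WAN interface or the WAN interface list?"""
    unreachable = {id(r) for r, _ in shadowed_rules(rules)}
    return {
        chain: any(
            r.chain == chain and not r.disabled and id(r) not in unreachable
            and r.action == "drop"
            and r.matchers.get("protocol") == "tcp"
            and r.matchers.get("dst-port") == "22"
            and wan in (r.matchers.get("in-interface"), r.matchers.get("in-interface-list"))
            for r in rules)
        for chain in ("input", "forward")}


def ssh_service_restricted(services):
    """True if the ssh service is disabled or bound to an address list/subnet."""
    ssh = services.get("ssh", {})
    return ssh.get("disabled") == "yes" or bool(ssh.get("address"))


def audit(text):
    rules, services = parse_export(text)
    return {
        "ssh_blocked": ssh_blocked_from_wan(rules),
        "ssh_service_restricted": ssh_service_restricted(services),
        "shadowed": [(r.chain, r.index, r.comment, e.index) for r, e in shadowed_rules(rules)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Feed it the output of "/export hide-sensitive" instead of the embedded sample to check a real box. The shadow check is deliberately conservative: it only flags a rule when an earlier terminal rule matches a superset of packets by exact key/value comparison, which is exactly the "rule 23 is an unconditional drop, so rule 24 never hits" case; it will not catch overlaps expressed through port ranges or address lists.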