[Suggestion] ip services | Address-List | Interface-list

In order to facilitate management control and increase the security of RouterOS devices, I suggest that the incoming connection settings in IP Services be adjusted as follows:

  • See Attached Images

a) Add an option that allows defining, through an Interface-List, on which interfaces the service will be listening.

  • It’s the same method that is already used in Neighbor Discovery
  • The SSH / HTTP daemons, and probably the others, already have this feature natively. In “sshd_config” this is done with the parameter ListenAddress.
  • This is controlled by the service itself, and would not depend on firewall settings, thus avoiding the loss of Fast-Path, which is a precious resource.
  • This would allow removing from the list of interfaces those that have valid IPs, so that these services are not publicly exposed to possible exploits.

b) Instead of using the “available from” field that already exists today, it would be replaced by an Address-List that is manipulated in “/ip firewall”.

  • This change would facilitate the configuration automation process through scripts, especially for environments with many devices.
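Added example, not part of the original post: until something like (b) exists, the "available from" value of each service and the firewall address-list have to be kept in step by hand or by script, so a fleet audit can check them against each other. The Python sketch below parses a constructed `/export`-style text and reports, per service, whether its `address=` value matches one address-list; the list name `mgmt`, the sample addresses and both function names are assumptions made for the illustration.

```python
import shlex

# Constructed sample in the style of a RouterOS "/export" (not from the post).
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=10.10.0.0/24 list=mgmt
add address=192.0.2.15 list=mgmt
add address=198.51.100.0/24 list=customers
/ip service
set telnet disabled=yes
set ssh address=10.10.0.0/24,192.0.2.15
set www address=10.10.0.0/24
set winbox port=8291
"""

def parse_export(text):
    """Map each menu path to a list of (positional words, {key: value})."""
    menus, menu = {}, None
    for line in text.splitlines():          # assumes lines are not wrapped
        line = line.strip()
        if line.startswith("/"):            # a menu path opens a new section
            menu = line
            menus.setdefault(menu, [])
        elif menu is not None and line and not line.startswith("#"):
            toks = shlex.split(line)[1:]    # drop the verb (add/set)
            props = dict(t.split("=", 1) for t in toks if "=" in t)
            words = [t for t in toks if "=" not in t]
            menus[menu].append((words, props))
    return menus

def audit_services(text, list_name):
    """Compare each exported service's "available from" with one address-list."""
    menus = parse_export(text)
    wanted = {p["address"] for _, p in menus.get("/ip firewall address-list", [])
              if p.get("list") == list_name}
    report = {}
    for words, props in menus.get("/ip service", []):
        have = set(filter(None, props.get("address", "").split(",")))
        if props.get("disabled") == "yes":
            state = "disabled"
        elif not have:                      # empty "available from": any source
            state = "unrestricted"
        else:
            state = "in sync" if have == wanted else "drift"
        report[words[0]] = state
    return report

if __name__ == "__main__":
    print(audit_services(SAMPLE_EXPORT, "mgmt"))
```

Services that do not appear in the export keep their defaults and are not assessed by this sketch.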