In a switch chip filter rule (actually a CCR2216) is it OK to use a single rule with only the “dst-port” (or “src-port”) without specifying the “mac-protocol” (IP) and “protocol” (both TCP and UDP)?
Said in another way: if I need to block port X for both TCP and UDP, I need to use two rules or can I simply use one rule without specifying the protocol? Or maybe not specifying the protocol could cause any undetermined result?
Thanks.
I would imagine the rule does not function with out specifying the protocols. How would it know where to look for the value?
True.
A feature I would really love to see is the possibility to create a “service group”, for example to say that DNS is (tcp/53, udp/53) and be able to create a rule that refers to that “service group”, without the need to specify udp or tcp in the rule.
Or at least the ability to create a group of ports.
Well, I’d suppose that if the rule contains a “dst-port” (or “src-port”) than the hardware automatically first checks that “prototocol = TCP OR protocol = UDP”…
We are talking about switch (that is, “hardware”) filter rules, so I think they should remain as simple and raw as possible.
Yes, you need to specify the protocol for each.
However, as a general rule of thumb, a better way to set up your firewall rules is to explicitly specify what you want to allow, and at the end of each chain, have a drop everything rule.
For example:
add action=drop chain=forward comment=\
"Drop any forward packets that get this far."
This as opposed to specifically dropping things that you want to drop, and allowing everything else.
I’ll repeat it again: we are talking about SWITCH FILTER RULES!!!
That is, rules implemented in hardware by the switch chip: /interface/ethernet/switch/rule
We are not talking about normal firewall (software) rules.
Thanks.
Noted. I don’t do anything in switching or bridging in any of my routers - just routing. All switch function is done in separate switches.