Syntax of "/ip filter"?

Hi,

We have a server appliance with a static public IP address on our LAN. We want to restrict access to it from the Internet to people who have been authenticated by our Linux+Apache server.

My idea is to put a Mikrotik board (we have a 532 on hand to experiment with, but would probably use a 133 for production) between the LAN and our T-1 connection, and use it to firewall the appliance.

As users sign into/out of the Apache server, it would send an updated IP filter chain to the Mikrotik to enable only the IPs of the authenticated user(s) to access the appliance’s IP address. Since only one outside user (occasionally 2, for remote admin) would be allowed at a time, and access only changes a few times per hour, a complete rewrite of the appliance’s filter chain via a telnet/ssh connection is no big deal.

Unfortunately, the reference manual only describes how to add entries to a chain, not how to delete entries or chains. Is this not possible? Or is it just not documented?

The other question is whether something horrible is likely to happen if a packet for the appliance comes in while its chain is being deleted and replaced. I.e., the input chain would have an entry in it like:

dst-address=99.99.99.5 action=jump jump-target=appliance

It’s probably not cool to tell the filter code to jump to a chain that doesn’t exist.

Is it possible to just flush all the entries in a chain, the way you can with iptables?

Thanks,

Ran

Stick a single rule at the bottom and disable it - maybe just a return, since that's implied anyhow. Then, in your script, where you find rules to delete, just bypass that one.

/ip firewall filter remove [/ip firewall filter find chain=XYZ disabled=no]

or something to that effect. Rough idea only …
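The same idea worked through as an added example (not from either poster): a small generator that emits the RouterOS commands for a rewrite of the per-user chain, keeping the disabled anchor rule so the jump target never disappears, and pairing the jump with a drop in the input chain so the moment between "remove" and "add" fails closed. The chain name "appliance", the comment tag "keep-chain" and the sample addresses are assumptions; only the appliance address 99.99.99.5 comes from the thread.

```python
import ipaddress
from typing import Iterable, List

APPLIANCE = "99.99.99.5"     # appliance address from the thread's jump rule
CHAIN = "appliance"          # per-user chain that the input chain jumps to (assumed name)
ANCHOR = "keep-chain"        # comment= tag on the disabled anchor rule (constructed name)


def bootstrap(chain: str = CHAIN, appliance: str = APPLIANCE) -> List[str]:
    """One-time setup: the jump, a fail-closed drop right behind it, and the
    disabled anchor rule that keeps the chain (and so the jump target) alive
    while its real rules are being replaced."""
    return [
        f"/ip firewall filter add chain=input dst-address={appliance} "
        f"action=jump jump-target={chain}",
        # While the per-user chain holds only the disabled anchor, a jump just
        # returns here; this drop turns that window from fail-open to fail-closed.
        f"/ip firewall filter add chain=input dst-address={appliance} action=drop",
        f"/ip firewall filter add chain={chain} action=return disabled=yes "
        f"comment={ANCHOR}",
    ]


def build_rewrite(allowed: Iterable[str], chain: str = CHAIN) -> List[str]:
    """Commands that replace every enabled rule in `chain` with accepts for the
    currently authenticated source addresses, followed by an explicit drop."""
    # Validate before anything is sent: a malformed address would otherwise
    # become a syntax error on the router with the chain already half rewritten.
    ips = sorted(str(ipaddress.ip_address(a)) for a in set(allowed))
    cmds = [
        # Remove everything except the disabled anchor (the reply's trick).
        f"/ip firewall filter remove "
        f"[/ip firewall filter find chain={chain} disabled=no]",
    ]
    cmds += [
        f"/ip firewall filter add chain={chain} src-address={ip} action=accept"
        for ip in ips
    ]
    # Explicit drop at the end so the chain never relies on what follows the jump.
    cmds.append(f"/ip firewall filter add chain={chain} action=drop")
    return cmds


if __name__ == "__main__":
    # One authenticated user plus a remote admin (constructed addresses).
    for line in bootstrap() + build_rewrite(["203.0.113.7", "198.51.100.20"]):
        print(line)
```

The printed lines can be fed to the board over the ssh/telnet session the question already describes; running the rewrite on every login/logout is idempotent because the drop and accept rules it adds are exactly the enabled rules the next run removes.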