This very simple firewall ruleset SHOULD work, but...

I’ve reduced everything down to the basics but it doesn’t seem to help…

The hardware is an RB5009 that simply has two interfaces (an OUT (FRC) and an IN (LAN)). (There are firewalls upstream.) The goal of the firewall ruleset at this point is:

  • Allow everything out
  • Allow return traffic in
  • Allow SSH in if it’s going to host 199.181.204.130
  • Drop everything else

There is no NAT at this point, so it’s just a set of “public IPs”

0 ;;; Allow anything out from the LAN to the tunnels
chain=forward action=accept in-interface=ether1-LAN
out-interface=ether2-FRC log=no log-prefix=""

1 chain=forward action=accept protocol=tcp dst-address-list=199.181.204.130
dst-port=22 log=no log-prefix=""

2 ;;; Allow active connections in
chain=forward action=accept
connection-state=established,related,untracked in-interface=ether2-FRC
out-interface=ether1-LAN log=no log-prefix=""

3 chain=forward action=drop log=no log-prefix="Drop it"

I can see the drop rule at the bottom catches everything, even the SSH. Why?

Change to this:

chain=forward action=accept connection-state=established,related,untracked
chain=forward action=accept protocol=tcp dst-address=199.181.204.130 dst-port=22
chain=forward action=drop log=no log-prefix="Drop it"

Check if it works.
About SSH I’m not sure; from your description I can’t say what device or interface has the 199.181.204.130 address. I’m assuming it is your FRC interface.

OK, for my education at least :) Why does yours work and mine doesn’t? What is different? I see the order of the rules is different, but they should say the same thing.

I don’t quite understand why, but dst-address-list, even if it has the same IP in it, is not dst-address. That works. Thanks for the help.

The SSH rule fails because of address-list instead of address.
As for the other traffic, I’m not sure. The rules are too complex and the order is not optimal, but in theory they should work.
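The address-list point deserves spelling out, since it is the whole reason the SSH rule fell through to the drop. In RouterOS, `dst-address-list=` takes the name of an address list, not an IP. The original rule therefore matched packets destined for a list called "199.181.204.130", which was never created or populated, so it matched nothing. The following is an added example, not from any poster in this thread: it shows the broken rule for reference, the direct `dst-address=` fix from the reply above, and the way to use an address list properly if that was the intent. Interface names follow the original post (ether1-LAN inside, ether2-FRC outside, no NAT); the list name `ssh-targets` and the `log=yes` on the drop rule are my own choices.

```routeros
# Added example (not the original poster's or the replier's configuration).
# Assumes: ether1-LAN = inside, ether2-FRC = outside, no NAT, public IPs on the LAN.

# --- What the original rule actually said --------------------------------------
# dst-address-list expects the NAME of an address list. This rule matches only
# destinations contained in a list called "199.181.204.130". That list was never
# created, so the rule never matched and SSH hit the final drop.
#
#   /ip firewall filter add chain=forward action=accept protocol=tcp \
#       dst-address-list=199.181.204.130 dst-port=22

# --- Fix 1: match the host directly with dst-address ---------------------------
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="Allow return traffic for existing connections (checked first)"
add chain=forward action=accept protocol=tcp dst-address=199.181.204.130 \
    dst-port=22 in-interface=ether2-FRC \
    comment="Allow inbound SSH to the one host only"
add chain=forward action=accept in-interface=ether1-LAN out-interface=ether2-FRC \
    comment="Allow anything out from the LAN"
add chain=forward action=drop log=yes log-prefix="Drop it" \
    comment="Drop and log everything else (log=yes is my choice, for troubleshooting)"

# --- Fix 2: keep an address list, but create and populate it -------------------
# Use this SSH rule instead of the dst-address rule above if you want to add more
# SSH targets later without touching the filter. The list name is arbitrary
# ("ssh-targets" is assumed here); what matters is that the rule references the
# list by name and the list actually contains the host.
/ip firewall address-list
add list=ssh-targets address=199.181.204.130 comment="Hosts allowed to receive SSH"
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-address-list=ssh-targets \
    dst-port=22 in-interface=ether2-FRC \
    comment="Allow inbound SSH to hosts in the ssh-targets list"

# --- Check which rule is catching the traffic ----------------------------------
# Per-rule packet/byte counters show whether the SSH rule or the drop rule matched.
/ip firewall filter print stats
# Confirm the list referenced by the rule really has members.
/ip firewall address-list print where list=ssh-targets
```

The quickest way to see the original failure is `/ip firewall filter print stats`: an accept rule that references an empty or non-existent list shows zero packets while the drop rule's counter climbs with every SSH attempt. Putting the established/related rule first is also why the replier's version is shorter; once return traffic is accepted up front, the interface constraints on the remaining rules only need to describe new connections.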