Web page exception for blocked TCP Port

Is it possible to provide an exception to allow access for a web page which requires a TCP port that is dropped by a filter rule? Using RouterOS 6.28.

I’ll take a stab at an answer and say: wouldn’t an allow filter rule for the website, placed above the drop rule, work?

Hi, in the firewall you can deny what you want and then allow everything else, or allow what you want and then deny everything else. It’s all about rule order, which can be changed by dragging rules up or down in WinBox.

By “web page” - if you mean a specific host on the Internet, then yes.

/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=12345 dst-address=x.x.x.x \
    comment="allow tcp 12345 to host x.x.x.x"
add chain=forward action=drop protocol=tcp dst-port=12345 \
    comment="block tcp 12345 to all other hosts on the Internet"

This example allows tcp/12345 when the destination is a particular IP address, but the next rule blocks tcp/12345 unconditionally. Since the rules are processed in order, this will allow this port to host x.x.x.x but not to any other IP address in the entire Internet.

Of course you don’t need a block rule explicitly on 12345 and right afterwards - if the default rule is to drop everything on all ports if it hasn’t been authorized yet, then of course tcp/12345 would be getting dropped as well.

However - this won’t allow a specific web page on this specific server while blocking other pages hosted on the same port on the same IP.

i.e. you can’t use the firewall to allow:
http://x.x.x.x:12345/Good.html
while blocking:
http://x.x.x.x:12345/*

Only the HTTP proxy feature can do that.
(technically, the Layer7 protocol matching feature can do it, but I personally hate using Layer7 feature in a firewall rule chain, and besides, it doesn’t work for SSL-protected sites anyway)
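As an added illustration (not part of the thread), here is a small first-match model of a RouterOS-style filter chain built from the two rules above. It shows why the accept rule must sit above the drop rule, and why the URL path is simply not a field the firewall sees. The address 203.0.113.10 is a constructed stand-in for the reply’s x.x.x.x.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder for the thread's "x.x.x.x" (documentation range).
ALLOWED_HOST = "203.0.113.10"


@dataclass(frozen=True)
class Rule:
    """One filter rule; an unset matcher (None) matches anything, as in RouterOS."""
    action: str                        # "accept" or "drop"
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    dst_address: Optional[str] = None
    comment: str = ""

    def matches(self, protocol: str, dst_address: str, dst_port: int) -> bool:
        return ((self.protocol is None or self.protocol == protocol)
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.dst_address is None or self.dst_address == dst_address))


def evaluate(chain: List[Rule], protocol: str, dst_address: str, dst_port: int,
             default: str = "accept") -> str:
    """Walk the chain top to bottom; the first matching rule decides.

    Note the inputs: protocol, address, port. There is no URL or path
    argument, which is exactly why /Good.html cannot be told apart from
    /Other.html at this layer (only an HTTP proxy or L7 matcher sees that).
    Falls through to `default` (RouterOS chains default-accept) if no rule hits.
    """
    for rule in chain:
        if rule.matches(protocol, dst_address, dst_port):
            return rule.action
    return default


# The two rules from the reply, as written there.
ALLOW = Rule("accept", "tcp", 12345, ALLOWED_HOST, "allow tcp 12345 to host x.x.x.x")
DROP = Rule("drop", "tcp", 12345, None, "block tcp 12345 to all other hosts")


def correct_order() -> List[Rule]:
    return [ALLOW, DROP]          # accept above drop: exception works


def reversed_order() -> List[Rule]:
    return [DROP, ALLOW]          # drop above accept: accept is shadowed, never reached


if __name__ == "__main__":
    print(evaluate(correct_order(), "tcp", ALLOWED_HOST, 12345))    # accept
    print(evaluate(correct_order(), "tcp", "198.51.100.7", 12345))  # drop
    print(evaluate(reversed_order(), "tcp", ALLOWED_HOST, 12345))   # drop
```

Running the reversed chain against the allowed host is the quickest way to see the shadowing problem the second reply warns about.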