I have seen a few people asking for TCP & UDP being allowed in a single rule in firewall/nat/mangle, but why not take it a bit further?
I would really like an option like Address Lists, but for different protocols/ports.
I create a "Service Group" called "IPSec_VPN". This service group would contain:
protocol UDP, dst-port 500
Then I could create a firewall/NAT/Mangle rule which would use the "Service group" with the same functionality as we can use Address Lists for addresses.
A single rule that would match multiple conditions as defined in the "Service Group".
A sample firewall config would be like this:
/ip firewall filter
# input chain
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input limit=5,5 service-group="ICMP WAN"
add action=accept chain=input service-group="ROS Management WAN" in-interface=ether1-WAN
add action=accept chain=input service-group="ROS Management LAN" in-interface=ether2-LAN
add action=accept chain=input service-group="ROS VPN" src-address-list="VPN Partners"
add action=drop chain=input
# forward chain
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=ether2-LAN out-interface=ether1-WAN comment="Allow LAN -> WAN"
add action=accept chain=forward dst-address=XXX.XXX.XXX.XXX service-group="HTTP"
add action=accept chain=forward dst-address=XXX.XXX.XXX.XXY service-group="DNS"
add action=accept chain=forward dst-address-list=Servers limit=2,2 service-group="ICMP Servers"
add action=drop chain=forward
Address Lists would be defined:
The Address List "Servers" would contain IPs
XXX.XXX.XXX.YYY
XXX.XXX.XXX.ZZZ

The Address List "VPN Partners" would contain IPs
XXX.XX.X.YZ
XXX.XX.XYZ.YZ
XX.XYZ.XY.XY
And Service Groups would be defined:
The Service Group "ROS Management LAN" would contain
dst-port=5678,20561 protocol=udp
dst-port=22,8291 protocol=tcp

The Service Group "HTTP" would contain
dst-port=80 protocol=tcp
dst-port=443 protocol=tcp

The Service Group "DNS" would contain
dst-port=53 protocol=tcp
dst-port=53 protocol=udp

The Service Group "ICMP Servers" would contain
icmp-options=0:0-255 protocol=icmp
icmp-options=3:3 protocol=icmp
icmp-options=3:4 protocol=icmp
icmp-options=8:0-255 protocol=icmp
icmp-options=11:0-255 protocol=icmp

The Service Group "ROS Management WAN" would contain
dst-port=8291 protocol=tcp

The Service Group "ICMP WAN" would contain
icmp-options=0:0-255 protocol=icmp
icmp-options=3:3 protocol=icmp
icmp-options=3:4 protocol=icmp
icmp-options=8:0-255 protocol=icmp
icmp-options=11:0-255 protocol=icmp

The Service Group "ROS VPN" would contain
protocol=UDP dst-port=500
protocol=ipsec-esp
protocol=encap
protocol=ipip
These are just examples. Personally, this would really clean up my firewall chains and NAT table.
Any discussion on the topic is welcomed!
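Until such a matcher exists, the closest equivalent is one rule per group member. The following script is an added example (not from the post and not a RouterOS feature): it takes group definitions in the shape proposed above and expands a rule carrying service-group=... into the per-protocol "add" lines RouterOS accepts today. The group contents are copied from the post; the rule dicts and the comment tag are assumptions of the example.

```python
"""Expand a proposed service-group matcher into per-protocol RouterOS rules.

Added example: service-group is not an existing RouterOS matcher, so a rule
that names one is rewritten into one ordinary rule per group member.
"""

# Service groups as proposed in the post: each entry is the matcher set
# that one expanded rule will carry.
SERVICE_GROUPS = {
    "HTTP": [
        {"protocol": "tcp", "dst-port": "80"},
        {"protocol": "tcp", "dst-port": "443"},
    ],
    "DNS": [
        {"protocol": "tcp", "dst-port": "53"},
        {"protocol": "udp", "dst-port": "53"},
    ],
    "ROS VPN": [
        {"protocol": "udp", "dst-port": "500"},
        {"protocol": "ipsec-esp"},
        {"protocol": "encap"},
        {"protocol": "ipip"},
    ],
}


def _fmt(key, value):
    # Quote values containing spaces, the way RouterOS export prints them.
    return f'{key}="{value}"' if " " in value else f"{key}={value}"


def expand_rule(rule, groups=SERVICE_GROUPS):
    """Return the 'add ...' line(s) for one rule.

    `rule` is an ordered dict of matcher=value pairs, e.g.
    {"action": "accept", "chain": "input", "service-group": "DNS"}.
    A rule without service-group is emitted unchanged; a rule with one
    becomes one line per group member, tagged with a comment so the
    expanded rules can later be found and replaced as a unit.
    """
    name = rule.get("service-group")
    if name is None:
        return ["add " + " ".join(_fmt(k, v) for k, v in rule.items())]
    if name not in groups:
        raise KeyError(f"unknown service group: {name}")
    base = {k: v for k, v in rule.items() if k != "service-group"}
    lines = []
    for member in groups[name]:
        merged = {**base, **member}
        merged.setdefault("comment", f"service-group {name}")
        lines.append("add " + " ".join(_fmt(k, v) for k, v in merged.items()))
    return lines
```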