Community discussions

 
boyerinc
just joined
Topic Author
Posts: 1
Joined: Fri Feb 05, 2016 9:05 pm

Web page exception for blocked TCP Port

Wed Mar 02, 2016 4:16 pm

Is is possible to provide an exception to allow access for a web page which requires a TCP port which is dropped by a filter rule? Using routeros 6.28.
 
User avatar
Splash
Member Candidate
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Web page exception for blocked TCP Port

Wed Mar 02, 2016 5:05 pm

I'll take a stab at an answer and say wouldn't a allow filter rule for the website placed above the drop rule work?
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
User avatar
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Web page exception for blocked TCP Port

Wed Mar 02, 2016 6:29 pm

Hi,in firewall you can deny what you want then allow everything else or allow what you want then deny everything else,it's all about rules order which can be done with dragging them up or down in winbox
The price of your knowledge which you have to pay is to share it with others !!
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Web page exception for blocked TCP Port

Wed Mar 02, 2016 7:12 pm

By "web page" - if you mean a specific host on the Internet, then yes.
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=12345 dst-address=x.x.x.x \
comment="allow tcp 12345 to host x.x.x.x"
add chain=forward action=drop protocol=tcp dst-port=12345
comment="block tcp 12345 to all other hosts on the Internet"
This example allows tcp/12345 when the destination is a particular IP address, but the next rule blocks tcp/12345 unconditionally. Since the rules are processed in order, this will allow this port to host x.x.x.x but not to any other IP address in the entire Internet.

Of course you don't need a block rule explicitly on 12345 and right afterwards - if the default rule is to drop everything on all ports if it hasn't been authorized yet, then of course tcp/12345 would be getting dropped as well.

However - this won't allow a specific web page on this specific server, but block other pages hosted on the same port on the same IP.

i.e. you can't use the firewall to allow:
http://x.x.x.x:12345/Good.html
while blocking:
http://x.x.x.x:12345/*

Only the HTTP proxy feature can do that.
(technically, the Layer7 protocol matching feature can do it, but I personally hate using Layer7 feature in a firewall rule chain, and besides, it doesn't work for SSL-protected sites anyway)
When given a spoon,
you should not cling to your fork.
The soup will get cold.

Who is online

Users browsing this forum: No registered users and 28 guests