bluemoon
just joined
Topic Author
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

Deny All Traffic Rule

Mon Feb 29, 2016 10:41 am

I don't want to write 50+ rules to deny different types of traffic. I'd like to allow a few specified HTTP/HTTPS browser rules and, after that, deny all other traffic, e.g. virus chain, FTP, DNS, RDP, VPN requests etc., from the WAN interface.

Can anyone please help to configure something like

Permit HTTP, HTTPS, RDP from 192.168.1.0 and 192.168.2.0, and deny all other inbound traffic.

ShayanFiroozi
Member Candidate
Posts: 284
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: Deny All Traffic Rule

Mon Feb 29, 2016 12:03 pm

Hi,

It's easy: first of all, accept any traffic you need, then deny all traffic!!!

*** BE CAREFUL: filtering rule order is very important here. You could deny any access to the router, and then you would have to reset its configuration.
Last edited by ShayanFiroozi on Mon Feb 29, 2016 4:09 pm, edited 1 time in total.
The price of your knowledge which you have to pay is to share it with others !!

Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Deny All Traffic Rule

Mon Feb 29, 2016 2:22 pm

Since you want to allow traffic only from two /24 subnets, start by creating an address-list for those two networks.
/ip firewall address-list
add address=192.168.1.0/24 list=Allowed_Networks
add address=192.168.2.0/24 list=Allowed_Networks
Next you will need to create the rule(s) to allow the traffic to pass through the router.
/ip firewall filter
add chain=forward dst-port=3389,80,443 protocol=tcp src-address-list=Allowed_Networks comment="Allow Traffic"
You can check that this rule is being used by enabling the log option.

Then add your default deny rule when you are happy.
/ip firewall filter
add action=drop chain=forward comment="Default Deny Rule"
These rules won't affect traffic to the router itself, but only control what traffic is passing through it.
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
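The complete, ordered rule set that Splash's post describes, as an added example rather than the poster's own commands: it keeps the catch-all drop free of any src-address-list so it really is a default deny, adds an established/related accept so replies to allowed connections are not dropped, logs what the catch-all drops, and shows how to verify rule order, which is the lockout ShayanFiroozi warns about. The log prefix and the rule numbers in the last command are assumptions.

```routeros
# Added example, not from the thread. Firewall rules are matched top to bottom
# and the first match wins, so the catch-all drop must be the LAST rule in the chain.
/ip firewall address-list
add address=192.168.1.0/24 list=Allowed_Networks
add address=192.168.2.0/24 list=Allowed_Networks

# All rules are in chain=forward: they control transit traffic only and do not
# touch management access to the router itself (that is chain=input).
/ip firewall filter
# Replies to connections already accepted below pass without re-matching the port rules.
add chain=forward connection-state=established,related action=accept comment="Allow established/related"
# Only HTTP, HTTPS and RDP, and only from the two allowed /24 networks.
add chain=forward protocol=tcp dst-port=80,443,3389 src-address-list=Allowed_Networks action=accept comment="Allow Traffic"
# Catch-all drop with NO src-address-list; with one it would only drop the allowed networks.
# log=yes shows what is being denied before you rely on it (prefix "fwd-drop" is an assumption).
add chain=forward action=drop log=yes log-prefix="fwd-drop" comment="Default Deny Rule"

# Verify the order: the "Default Deny Rule" must have the highest number in chain=forward.
/ip firewall filter print where chain=forward
# If an accept rule added later landed below the drop, move it above the drop.
# Numbers are the ones shown by the print above (2 and 1 here are assumed values).
/ip firewall filter move 2 1
```

Watch the log for "fwd-drop" entries for a while after enabling the last rule; anything legitimate that shows up there needs its own accept rule placed above the drop.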
