Community discussions

 
meszaroskrisztian
just joined
Topic Author
Posts: 3
Joined: Sun Apr 22, 2018 6:53 pm

Allow only one specified port to a LAN host

Sun Apr 22, 2018 6:59 pm

Dear all,
I would set up a firewall rule, to allow only VNC port 5900 in-out to a specified LAN host:
For example 192.168.88.100 want to communicate to WAN (Internet) direction only on port 5900.
All other ports has to be blocked.
Any suggestions?
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Allow only one specified port to a LAN host

Sun Apr 22, 2018 9:01 pm

/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN action=drop
You can add more ports to each tcp & udp rule like “port=53,5900,6000-6100” if you need more out going ports.
Last edited by 2frogs on Sun Apr 22, 2018 9:49 pm, edited 1 time in total.
 
JB172
Member
Member
Posts: 306
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: Allow only one specified port to a LAN host

Sun Apr 22, 2018 9:43 pm

Replace the action=accept with action=drop in last rule
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Allow only one specified port to a LAN host

Sun Apr 22, 2018 9:50 pm

Replace the action=accept with action=drop in last rule
Oppps! I corrected it.
 
meszaroskrisztian
just joined
Topic Author
Posts: 3
Joined: Sun Apr 22, 2018 6:53 pm

Re: Allow only one specified port to a LAN host

Tue Apr 24, 2018 9:43 am

Perfect!!!
Works well, also works without allowing UDP 5900.
Thanks, appreciated :-) !!
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: Allow only one specified port to a LAN host

Wed Apr 25, 2018 6:27 pm

/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
[/quote]
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
 
mkx
Forum Guru
Forum Guru
Posts: 3187
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allow only one specified port to a LAN host

Wed Apr 25, 2018 9:56 pm

Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
Theoretically IP can carry protocols other than TCP and UDP ... so if one really wants to pass only TCP or UDP, then she can't omit protocolin FW rule.
BR,
Metod
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Allow only one specified port to a LAN host

Wed Apr 25, 2018 10:37 pm

/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
You better watch it, I might swell up like a toad!

But, to answer your question, NO! The reason is you are dropping everything not matching the first rule. In th OPs case, since he only needed TCP, he could use only the first one.
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: Allow only one specified port to a LAN host

Wed Apr 25, 2018 10:52 pm

Argggg you are correct!!
My logic is flawed. I must keep in mind that when a rule is matched, game over!!
Frogs legs for supper! ;-)

Who is online

Users browsing this forum: MSN [Bot] and 27 guests