Allow only one specified port to a LAN host

Posted: Sun Apr 22, 2018 6:59 pm
by meszaroskrisztian
Dear all,
I would like to set up a firewall rule to allow only VNC port 5900 in/out for a specified LAN host:
For example, 192.168.88.100 should communicate towards the WAN (Internet) only on port 5900.
All other ports have to be blocked.
Any suggestions?

Re: Allow only one specified port to a LAN host

Posted: Sun Apr 22, 2018 9:01 pm
by 2frogs
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=5900 action=accept
add chain=forward src-address=192.168.88.100 out-interface=WAN action=drop
You can add more ports to each tcp & udp rule like “port=53,5900,6000-6100” if you need more outgoing ports.

Re: Allow only one specified port to a LAN host

Posted: Sun Apr 22, 2018 9:43 pm
by JB172
Replace the action=accept with action=drop in last rule

Re: Allow only one specified port to a LAN host

Posted: Sun Apr 22, 2018 9:50 pm
by 2frogs
Replace the action=accept with action=drop in last rule
Oppps! I corrected it.

Re: Allow only one specified port to a LAN host

Posted: Tue Apr 24, 2018 9:43 am
by meszaroskrisztian
Perfect!!!
Works well, also works without allowing UDP 5900.
Thanks, appreciated :-) !!

Re: Allow only one specified port to a LAN host

Posted: Wed Apr 25, 2018 6:27 pm
by anavds
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.

Re: Allow only one specified port to a LAN host

Posted: Wed Apr 25, 2018 9:56 pm
by mkx
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
Theoretically IP can carry protocols other than TCP and UDP ... so if one really wants to pass only TCP or UDP, then she can't omit protocol in the FW rule.

Re: Allow only one specified port to a LAN host

Posted: Wed Apr 25, 2018 10:37 pm
by 2frogs
/ip firewall filter
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=tcp port=!5900 action=drop
add chain=forward src-address=192.168.88.100 out-interface=WAN protocol=udp port=!5900 action=drop
Can this be simplified by only using two rules??
If so, is it fair to say, that frog is bloated LOL.
You better watch it, I might swell up like a toad!

But, to answer your question, NO! The reason is you are dropping everything not matching the first rule. In the OP's case, since he only needed TCP, he could use only the first one.
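Added example (not from the thread, and not RouterOS code): a small Python first-match evaluator that runs constructed packets from the LAN host through 2frogs' three-rule set and anavds' two-rule set, to make mkx's point concrete: with only the two "port=!5900" rules, anything that is not TCP or UDP (ICMP, for instance) is never matched and so is never dropped. It models only the matchers used in the thread (src-address, out-interface, protocol, port on the destination side) and assumes RouterOS's behaviour of accepting a packet when no rule in the chain matches.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                       # "accept" or "drop"
    src: Optional[str] = None         # src-address matcher
    out_if: Optional[str] = None      # out-interface matcher
    proto: Optional[str] = None       # protocol matcher
    ports: set = field(default_factory=set)  # port matcher (empty = any)
    negate: bool = False              # port=!5900 style negation

    def matches(self, pkt: dict) -> bool:
        if self.src and pkt["src"] != self.src:
            return False
        if self.out_if and pkt["out_if"] != self.out_if:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.ports:   # only reached for a protocol that carries ports
            hit = pkt.get("dport") in self.ports
            return (not hit) if self.negate else hit
        return True

def evaluate(chain: list, pkt: dict) -> str:
    """First matching rule decides; RouterOS accepts if no rule matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"

HOST, WAN = "192.168.88.100", "WAN"
# 2frogs' corrected three-rule set (explicit final drop).
THREE_RULES = [
    Rule("accept", HOST, WAN, "tcp", {5900}),
    Rule("accept", HOST, WAN, "udp", {5900}),
    Rule("drop", HOST, WAN),
]
# anavds' two-rule variant (drop everything but 5900, per protocol).
TWO_RULES = [
    Rule("drop", HOST, WAN, "tcp", {5900}, negate=True),
    Rule("drop", HOST, WAN, "udp", {5900}, negate=True),
]

def compare(proto: str, dport: Optional[int] = None) -> tuple:
    """Verdicts (three-rule set, two-rule set) for one constructed packet
    from the LAN host heading out of the WAN interface."""
    pkt = {"src": HOST, "out_if": WAN, "proto": proto, "dport": dport}
    return evaluate(THREE_RULES, pkt), evaluate(TWO_RULES, pkt)
```

Calling compare("icmp") returns ("drop", "accept"): the three-rule set drops the ping, the two-rule set lets it out, while TCP 5900 is accepted and TCP 80 or UDP 53 dropped by both.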

Re: Allow only one specified port to a LAN host

Posted: Wed Apr 25, 2018 10:52 pm
by anavds
Argggg you are correct!!
My logic is flawed. I must keep in mind that when a rule is matched, game over!!
Frogs legs for supper! ;-)