parawaw692
just joined
Topic Author
Posts: 2
Joined: Thu Mar 25, 2021 1:27 am

Firewall does not drop ssh connection by local name

Thu Mar 25, 2021 1:47 am

Hello guys,

I would like to block SSH connections from a machine in one network to a server on another network.
So I have created the following ip firewall filter rule:

chain=forward action=drop protocol=tcp src-address=192.168.122.1 dst-address=192.168.222.1 dst-port=22

Everything works well and drops the SSH connection when I use the IP address for the ssh connection, like this:

# ssh 192.168.222.1

but when I use the local DNS name, like this:

# ssh server.local

the firewall filter does not drop that connection.

What do I need to do to block those connections?

BTW, all network addresses are bridged and I have set "Use IP Firewall" in the bridge settings.
 
parawaw692
just joined
Topic Author
Posts: 2
Joined: Thu Mar 25, 2021 1:27 am

Re: Firewall does not drop ssh connection by local name

Sat Mar 27, 2021 4:48 pm

Nobody knows the answer? Really?

If anybody wants to know, the answer is... the IPv6 module!
If that module is disabled or uninstalled, all IPv6 packets are passed through by the IP firewall filter... no comment, that is stupid, because everyone thinks that if I disable or uninstall the IPv6 module those packets are blocked.

If you really want to disable IPv6 on your router, do not uninstall the IPv6 module. You should install it and just add the following rules to the IPv6 filter (yes, there is a separate firewall just for IPv6):
chain=forward action=drop
chain=input action=drop
chain=output action=drop

That's all.
I hope this helped.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall does not drop ssh connection by local name

Sat Mar 27, 2021 5:25 pm

The only reason why IPv6 matters in your case is that server.local somehow resolves to an IPv6 address.

BTW, bridging two L3 subnets and then using bridge filters (or switch ACLs if you were using some real switch for that) to block traffic is, mildly put, weird. And since your OP was extremely scarce with details, nobody could think of such a problem. Most forum members assume posters would do their own research before asking questions. With ssh connections it's pretty easy to check the connection origin, and by doing it one would spot if it's IPv6.

BTW2, IPv4 and IPv6 are distinct L3 protocols. Just because they can transport the same L4 protocols (TCP, UDP, ESP, ...) doesn't mean they should share the same configuration subtree (I'm not saying they should not) ... I don't think anybody would push IPX or DECnet or NBF firewall/filter rules into the same configuration sack with IP.
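An added configuration example, not from either poster, that puts the IPv4 rule from the first post next to the IPv6 rule it needs, and shows the blanket "drop all IPv6" variant from the second post for comparison. The IPv6 addresses 2001:db8:122::1 and 2001:db8:222::1 are constructed placeholders; the real ones come from `getent ahosts server.local` on the client or `/ipv6 neighbor print` on the router.

```routeros
# Added example (not from the thread). The IPv6 addresses below are
# constructed placeholders: substitute what server.local actually resolves to
# (mDNS .local names often yield a link-local fe80:: address; use that one).

# 1. The original rule lives only in the IPv4 tree. An SSH session that was
#    opened over IPv6 never passes through /ip firewall, so it is not matched.
/ip firewall filter
add chain=forward action=drop protocol=tcp \
    src-address=192.168.122.1 dst-address=192.168.222.1 dst-port=22 \
    comment="block SSH host->server (IPv4 only)"

# 2. /ipv6 firewall is a separate tree and needs its own, equivalent rule.
/ipv6 firewall filter
add chain=forward action=drop protocol=tcp \
    src-address=2001:db8:122::1/128 dst-address=2001:db8:222::1/128 dst-port=22 \
    comment="block SSH host->server (IPv6 twin of the /ip rule)"

# 3. The blanket variant from the second post: drops every IPv6 packet the
#    router forwards, receives or sends. The output drop also silences the
#    router's own IPv6 (neighbor discovery, management), so use it only when
#    IPv6 is genuinely unwanted on this router.
/ipv6 firewall filter
add chain=forward action=drop comment="no IPv6 forwarding at all"
add chain=input action=drop comment="no IPv6 to the router"
add chain=output action=drop comment="no IPv6 from the router"

# 4. Bridged ports only reach these chains when the bridge hands its traffic
#    to the IP firewall, which the original poster had already enabled.
/interface bridge settings
set use-ip-firewall=yes
```

On the client, `ssh -v server.local` prints the address ssh actually connected to, and `ssh -4 server.local` / `ssh -6 server.local` force one family so each rule can be tested on its own.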
