Wed Jun 09, 2021 9:01 am
Switches don't have a notion of connections ... they only see frames. So with a switch, what you're after is not possible. Some switches support ACLs where you can select certain L3/L4 properties of frames which should be dropped. You can try to use that functionality to mimic connection-awareness. For example: RDP uses TCP port 3389 on the server side while the client side uses a random port. If you construct an ACL triggering on IP protocol TCP and the IP dst combination of <server IP>:3389 and set that to be allowed while dropping all other traffic in the same direction ... Keep in mind that connection tracking is the most resource-expensive operation of a stateful firewall, and you'll understand that it's almost impossible to mimic it using simple ACLs.
Routers have a notion of connections and firewalls can deal with such situations. If both ports serve the same L3 subnet, then you would have to go with the bridge setting use-ip-firewall=yes ... but beware that this means all traffic of that bridge has to pass through the CPU, which most of the time means a massive performance hit. If the ports belong to different subnets, then what you're after is almost trivial to do.
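The difference between a switch ACL and a connection-tracking firewall, as an added illustration that is not part of the original post: a stateless ACL judges every frame on its own header fields, so to let RDP work it has to allow client→server:3389 in one direction and "anything from server port 3389" in the other. That second rule is the gap: a packet the server (or anyone spoofing it) sends from source port 3389 passes, whether or not a client ever opened a connection. A connection tracker only admits packets that belong to a flow it saw a permitted SYN for. The server address, client address and the traffic below are constructed for the example; the filter logic is a deliberately minimal model, not any vendor's implementation.

```python
from dataclasses import dataclass

SERVER_IP = "10.0.0.10"   # assumed RDP server address (constructed for this example)
CLIENT_IP = "10.0.0.50"   # assumed client address (constructed)
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    """The L3/L4 fields a switch ACL or a firewall can see in one frame."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_acl(pkt: Packet) -> str:
    """Switch-style ACL: no memory, each frame judged alone.

    Forward rule: TCP to <server IP>:3389 is allowed.
    Return rule:  the only stateless way to describe RDP replies is
                  'TCP from <server IP> with source port 3389', which also
                  admits server-initiated or spoofed packets using that port.
    Everything else in either direction is dropped.
    """
    if pkt.proto != "tcp":
        return "drop"
    if pkt.dst_ip == SERVER_IP and pkt.dport == RDP_PORT:
        return "allow"          # client -> RDP server
    if pkt.src_ip == SERVER_IP and pkt.sport == RDP_PORT:
        return "allow"          # assumed to be RDP replies (cannot verify)
    return "drop"


class StatefulFirewall:
    """Minimal connection tracker (toy model of what a router firewall does).

    A flow is created only by a SYN (without ACK) to <server IP>:3389.
    Any later packet is allowed only if it matches a tracked flow in the
    forward or reverse direction; unsolicited packets are dropped.
    """

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.proto != "tcp":
            return "drop"
        fwd = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        rev = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "allow"      # established: belongs to a tracked connection
        if pkt.syn and not pkt.ack and pkt.dst_ip == SERVER_IP and pkt.dport == RDP_PORT:
            self.flows.add(fwd)  # new connection in the permitted direction
            return "allow"
        return "drop"           # unsolicited, wrong direction, or wrong port


def run_scenario() -> dict[str, tuple[str, str]]:
    """Run constructed traffic through both filters.

    Returns {name: (stateless verdict, stateful verdict)}.
    """
    traffic = [
        # a legitimate RDP session: handshake and data
        ("client_syn",       Packet(CLIENT_IP, SERVER_IP, "tcp", 51234, RDP_PORT, syn=True)),
        ("server_synack",    Packet(SERVER_IP, CLIENT_IP, "tcp", RDP_PORT, 51234, syn=True, ack=True)),
        ("client_data",      Packet(CLIENT_IP, SERVER_IP, "tcp", 51234, RDP_PORT, ack=True)),
        # the server opens a NEW connection to the client, using source port 3389
        ("server_initiated", Packet(SERVER_IP, CLIENT_IP, "tcp", RDP_PORT, 445, syn=True)),
        # a client tries a port the policy never allowed
        ("client_ssh",       Packet(CLIENT_IP, SERVER_IP, "tcp", 51235, 22, syn=True)),
        # a stray packet from the server's port 3389 to a port no client used
        ("stray_server_ack", Packet(SERVER_IP, CLIENT_IP, "tcp", RDP_PORT, 60000, ack=True)),
    ]
    fw = StatefulFirewall()
    return {name: (stateless_acl(pkt), fw.filter(pkt)) for name, pkt in traffic}


if __name__ == "__main__":
    print(f"{'packet':18} {'stateless ACL':14} {'conntrack':10}")
    for name, (acl, ct) in run_scenario().items():
        print(f"{name:18} {acl:14} {ct:10}")
```

The real RDP session gets the same verdict from both filters. The two packets that differ, `server_initiated` and `stray_server_ack`, are exactly the traffic a switch ACL cannot distinguish from legitimate replies: the forum answer's "almost impossible to mimic" is this table's last two rows, and the cost of closing that gap is keeping the flow table, which is what makes connection tracking expensive.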