stormeporm
newbie
Topic Author
Posts: 44
Joined: Sun Dec 30, 2012 12:39 pm

feature request ros 7

Tue Feb 16, 2016 11:45 pm

Could you add the possibility to create firewall filter sets?
When I create an SSH brute force block set of rules, to show them as 1 rule and add the possibility to look inside the set and see the different rules this set is built on.
It would make the firewall rule list a lot more organized and easier to move stuff around.
For the people who don't like it, add a print option that shows it in the regular way, or make a setting out of it.

Thanks in advance
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: feature request ros 7

Wed Feb 17, 2016 3:10 am

You can already group rules by a "chain" that you jump into. After that grouping, you can then filter based on chain name, thus showing only the related rules.
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

feature request ros 7

Wed Feb 17, 2016 8:29 am

I was thinking of replying the same. But the mentioned sets of rules are probably something slightly different than just a chain. But anyway, I don't think it could help with anything.
 
stormeporm
newbie
Topic Author
Posts: 44
Joined: Sun Dec 30, 2012 12:39 pm

Re: feature request ros 7

Wed Feb 17, 2016 10:25 am

I meant it as a visual change, just to make the list of firewall rules shorter and more organized.
I use the CLI a lot, and when the list gets long it gets pretty annoying to find where a rule is.

When I have this random list of firewall rules, I would like to collapse the first 9 rules into one line. Scroll down for an example:

0 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no
log-prefix=""

1 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no
log-prefix=""

2 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no
log-prefix=""

3 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no
log-prefix=""

4 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0 log=no
log-prefix=""

5 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no
log-prefix=""

6 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no
log-prefix=""

7 chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no
log-prefix=""

8 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""

9 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""

10 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix=""

11 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix=""

12 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139 log=no
log-prefix=""

13 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix=""

14 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix=""

15 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no
log-prefix=""

16 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix=""

17 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix=""


Like this

0-8 ;;; icmp set to do bla with icmp


9 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""

10 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix=""

11 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix=""

12 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139 log=no
log-prefix=""

13 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix=""

14 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix=""

15 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no
log-prefix=""

16 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix=""

17 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix=""


If there is a better way of doing this I'm all ears :) Thanks for the input already.
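
The collapsed view requested above can be produced offline from a saved rule listing. The following is an added example, not part of any post in this thread and not MikroTik code: a Python sketch that parses a listing in the layout posted above and folds each consecutive run of rules in a chosen chain into one summary line. The function names, the summary wording and the sample listing are assumptions made for illustration, and the parser assumes the plain layout shown in the thread.

```python
import re
from itertools import groupby
# Constructed sample in the layout posted in the thread (no flag columns assumed).
SAMPLE = '''0 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no
log-prefix=""

1 chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""

2 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""

3 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""
'''

RULE_START = re.compile(r"^(\d+)\s+(.*)$")   # "<number> <comment or properties>"
CHAIN = re.compile(r"\bchain=(\S+)")

def parse_rules(text):
    """Parse the listing into dicts with id, comment, body and chain."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        m = RULE_START.match(line)
        if m:
            rest = m.group(2)
            is_comment = rest.startswith(";;;")
            rules.append({"id": int(m.group(1)),
                          "comment": rest[3:].strip() if is_comment else "",
                          "body": "" if is_comment else rest})
        elif line and rules:  # wrapped continuation of the current rule
            rules[-1]["body"] = (rules[-1]["body"] + " " + line).strip()
    for r in rules:
        m = CHAIN.search(r["body"])
        r["chain"] = m.group(1) if m else "?"
    return rules

def collapse(rules, chains):
    """Fold each consecutive run of rules in `chains` into one line; order is kept."""
    out = []
    for chain, run in groupby(rules, key=lambda r: r["chain"]):
        run = list(run)
        if chain in chains and len(run) > 1:
            drops = sum("action=drop" in r["body"] for r in run)
            out.append(f'{run[0]["id"]}-{run[-1]["id"]} ;;; {chain} set: '
                       f'{len(run)} rules, {drops} drop')
        else:
            out += [f'{r["id"]} ;;; {r["comment"] or "(no comment)"}\n{r["body"]}'
                    for r in run]
    return out
```

Only adjacent rules of the same chain are folded, so the evaluation order of the rule list is never hidden or changed by the summary.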
