Hi All,
our client devices connected with PPPoE got attacked and many of our devices became useless. Do you have any suggestions for firewall rules that can be used to take precautions?
Thanks lot
Re: firewall advice to pppoe_client customers
Default firewall rules in latest versions already have protection in such setups.
Re: firewall advice to pppoe_client customers
Code: Select all
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Last edited by amt on Wed Mar 21, 2018 2:30 pm, edited 2 times in total.
Re: firewall advice to pppoe_client customers
WAN and LAN are interface lists. You just need to edit WAN interface list.
Re: firewall advice to pppoe_client customers
Basic one but usable, of course you need to change the in-interface to match your pppoe client interface name (pppoe_out1 is the default);
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp
add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1
add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
Re: firewall advice to pppoe_client customers
Thanks mrz,WAN and LAN are interface lists. You just need to edit WAN interface list.
also I would like to add this rules also but Im not sure the order of the rules, can i add this rule end of the default config ? or
Code: Select all
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
Re: firewall advice to pppoe_client customers
Thanks Steveocee for your help.Basic one but usable, of course you need to change the in-interface to match your pppoe client interface name (pppoe_out1 is the default);
Code: Select all/ip firewall filter add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1 add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface=pppoe-out1 add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1 add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface=pppoe-out1 add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1 add action=accept chain=input comment="ACCEPT ICMP" in-interface=pppoe-out1 protocol=icmp add action=drop chain=input comment="DROP ALL" in-interface=pppoe-out1 add action=drop chain=forward comment="DROP ALL" in-interface=pppoe-out1
I think the difference between the mikrotik default firewall config and your firewall is that foward chain . mikrotik default firewall rules not used foward chain.
Code: Select all
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1 if I want to make it more secure and give access to only some special ip's to not get attack to customers what can I do ? cause our equipment s which has public ip on their wan interface affected from attack and became unusable
so I thought I would add these rules too;
Code: Select all
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
/ip firewall filter
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp
add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udpRe: firewall advice to pppoe_client customers
I generally use both forward and input in tandem, same rules for each. It just adds some extra assurance for your clients behind the router.Thanks Steveocee for your help.
I think the difference between the mikrotik default firewall config and your firewall is that foward chain . mikrotik default firewall rules not used foward chain.
Yes, this makes it so that you don't have to add separate rules for each port forward you add.the rule above for port fowarding ?Code: Select alladd action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface=pppoe-out1
You don't need those specific rules. A simple drop all would suffice as long as you have an allow established and related at the top.if I want to make it more secure and give access to only some special ip's to not get attack to customers what can I do ? cause our equipment s which has public ip on their wan interface affected from attack and became unusable
so I thought I would add these rules too;Code: Select all/ip firewall address-list add address=10.10.2.10 comment="Admin Network" list=admin /ip firewall filter add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp add action=drop chain=input comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=tcp add action=drop chain=forward comment="drop connection for ports" dst-port=22,2200,23,8291 protocol=udp
Re: firewall advice to pppoe_client customers
Many Many Thanks Steveocee...
here is last one..
I think this is enough for protect customer device and internet. do i need add port scanner rules also ?
Thanks a lot.
here is last one..
Code: Select all
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=secureAdmin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
/ip firewall filter add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
/ip firewall filter add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
/ip firewall filter add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
/ip firewall filter add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
Thanks a lot.
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: firewall advice to pppoe_client customers
I will suggest you remove the in-interface on the following rules.
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN
add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="DROP ALL" in-interface-list=WAN
add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
Re: firewall advice to pppoe_client customers
Hi CZFan thank you very much for your help and support.. I combined Steveocee advice and yours and here is resultI will suggest you remove the in-interface on the following rules.
Code: Select all/ip firewall filter add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP ALL" in-interface-list=WAN add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
I hope this will help me to secure connection for Cpe and customer. thank you and Steveocee again.Code: Select all
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=[/interface ethernet find] list=LAN
/interface list member add interface=[/interface pppoe-client find] list=WAN
/ip firewall address-list add address=10.10.10.30 comment="Admin" list=secureAdmin
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
/ip firewall filter add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
/ip firewall filter add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
/ip firewall filter add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
/ip firewall filter add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2200
/ip service set address=10.10.10.30 [/ip service find]
/user set address=10.10.10.30 [/user find]
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip settings set rp-filter=strict
/ip firewall service-port disable [/ip firewall service-port find]
Re: firewall advice to pppoe_client customers
Assuming your pppoe runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to LAN list? I'd leave that particular one out. If pppoe runs on top of sfp1 interface then your config is OK.
Re: firewall advice to pppoe_client customers
Hi Mkx thanks for your answerAssuming your pppoe runs on top of some ethernet interface (presumably ether1), is it safe to add all ether interfaces to LAN list? I'd leave that particular one out. If pppoe runs on top of sfp1 interface then your config is OK.
all customer devices are SXT or LHG and they have only one Ethernet, I will try to put these firewall rules with program to more than 1 device at same time over telnet. So I prefer to use this method because some times technicians changes Ethernet interface name like Home or DVR, or some time they change pppoe_client name like internet.
Thanks
Re: firewall advice to pppoe_client customers
Should drop invalid be in front of accept connected and established? It seems better if you get rid of the invalid packet first so it won't flow down the rest of the filter rules.
Re: firewall advice to pppoe_client customers
Good question SOLAR!! One that bugs me daily.
My logic, twisted as it is, tells me its best to match the majority of packets soonest and thus one would expect that is the case for legitimate traffic.
The 'bad' traffic is in the minority and thus it can be handled after.
Put in another way, why force good traffic (the majority of traffic) to be compared to drop rules first....................
My logic, twisted as it is, tells me its best to match the majority of packets soonest and thus one would expect that is the case for legitimate traffic.
The 'bad' traffic is in the minority and thus it can be handled after.
Put in another way, why force good traffic (the majority of traffic) to be compared to drop rules first....................
Re: firewall advice to pppoe_client customers
Order should be
established,related first
then drop invalid.
Due to reasons anav already mentioned.
established,related first
then drop invalid.
Due to reasons anav already mentioned.
Re: firewall advice to pppoe_client customers
The functionality that is used to get rid of traffic before Filter Rules is the application of RAW rules.
This assumes no connection and thus no inspection of the traffic to see if it matches filter parameters and thus is not the place for the filter rules noted previously, but is an excellent place for address lists that the OP wants blocked..........
examples, country block, blacklist block, etc.........
It also appears common to 'catch' incoming traffic that is illegitimate, drop it but also capture the source address, and add this address to a temporary list 24 hr for example,
The address list created is then applied in a RAW rule, so that such traffic is not even seen at the connections point from thereonin for at least 24 hours.
Its this kind of approach, that I find, in a nerdy way, freakin kewl! In SteveO vernacular, almost a woody!
This assumes no connection and thus no inspection of the traffic to see if it matches filter parameters and thus is not the place for the filter rules noted previously, but is an excellent place for address lists that the OP wants blocked..........
examples, country block, blacklist block, etc.........
It also appears common to 'catch' incoming traffic that is illegitimate, drop it but also capture the source address, and add this address to a temporary list 24 hr for example,
The address list created is then applied in a RAW rule, so that such traffic is not even seen at the connections point from thereonin for at least 24 hours.
Its this kind of approach, that I find, in a nerdy way, freakin kewl! In SteveO vernacular, almost a woody!
Re: firewall advice to pppoe_client customers
So I can start to use these rules
Re: firewall advice to pppoe_client customers
Hi CZFanI will suggest you remove the in-interface on the following rules.
Code: Select all/ip firewall filter add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP ALL" in-interface-list=WAN add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
when remove in interface from Drop All customer cant accesses to internet.
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: firewall advice to pppoe_client customers
Hi CZFanI will suggest you remove the in-interface on the following rules.
Code: Select all/ip firewall filter add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP ALL" in-interface-list=WAN add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
when remove in interface from Drop All customer cant accesses to internet.
Add rules for and place above drop rules - This is to allow only new connection from inside to outside, not the other way around:
Allow, forward chain, connection-state=new, in-interface-list=LAN (To access internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access Router for DNS, Management, etc)
Re: firewall advice to pppoe_client customers
okay rules should be like that if i understand correctlyHi CZFanI will suggest you remove the in-interface on the following rules.
Code: Select all/ip firewall filter add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related in-interface-list=WAN add action=drop chain=forward comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP invalid" connection-state=invalid in-interface-list=WAN add action=drop chain=input comment="DROP ALL" in-interface-list=WAN add action=drop chain=forward comment="DROP ALL" in-interface-list=WAN
when remove in interface from Drop All customer cant accesses to internet.
Add rules for and place above drop rules - This is to allow only new connection from inside to outside, not the other way around:
Allow, forward chain, connection-state=new, in-interface-list=LAN (To access internet)
Allow, input chain, connection-state=new, in-interface-list=LAN (to access Router for DNS, Management, etc)
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="ACCEPT established & related" connection-state=established,related
add action=accept chain=input comment="ACCEPT established & related" connection-state=established,related
add action=drop chain=forward comment="DROP invalid" connection-state=invalid
add action=drop chain=input comment="DROP invalid" connection-state=invalid
add action=accept chain=input comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="SecureConnection For Admin" src-address-list=admin
add action=accept chain=forward comment="ACCEPT DST-NAT'D" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=accept chain=forward comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=accept chain=input comment="ACCEPT New" connection-state=new in-interface-list=LAN
add action=drop chain=input comment="DROP ALL"
add action=drop chain=forward comment="DROP ALL"
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: firewall advice to pppoe_client customers
Order should be
established,related first
then drop invalid.
Due to reasons anav already mentioned.
The other side of this coin is router resources are held up by unwanted/invalid packets (although in normal conditions will be minimal, but I assume can change at anytime by virus, etc) traversing through the FW rules
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: firewall advice to pppoe_client customers
Why do you want this rule? Except if needed for monitoring, ICMP traffic will work just fine if initiated from inside, and then the following will be allowed by established, related rule without rule below
Then these rules, how are you going to manage the router, i.e. config changes?
Code: Select all
add action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
Code: Select all
add action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
Re: firewall advice to pppoe_client customers
I removed it.Why do you want this rule? Except if needed for monitoring, ICMP traffic will work just fine if initiated from inside, and then the following will be allowed by established, related rule without rule below
Code: Select alladd action=accept chain=input comment="ACCEPT ICMP" in-interface-list=WAN protocol=icmp
for these rules I add this rule below, so I thought that only admin can manage the router other's will be doped.Then these rules, how are you going to manage the router, i.e. config changes?Code: Select alladd action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
Code: Select all
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
-
-
CZFan
Forum Guru
- Posts: 2098
- Joined:
- Location: South Africa, Krugersdorp (Home town of Brad Binder)
- Contact:
Re: firewall advice to pppoe_client customers
for these rules I add this rule below, so I thought that only admin can manage the router other's will be doped.Code: Select alladd action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp
Code: Select all
/ip firewall
address-list add address=10.10.2.10 comment="Admin Network" list=admin
Ok, rather change above rules then and add src-address-list=!admin, the exclamation mark means "not" i.e.
Code: Select all
add action=drop chain=input src-address-list=!admin comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
Re: firewall advice to pppoe_client customers
for these rules I add this rule below, so I thought that only admin can manage the router other's will be doped.Code: Select alladd action=drop chain=input comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=input comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp add action=drop chain=forward comment="drop connection for Admin special ports" dst-port=22,23,8291,8728,8729 protocol=udpCode: Select all/ip firewall address-list add address=10.10.2.10 comment="Admin Network" list=admin
Ok, rather change above rules then and add src-address-list=!admin, the exclamation mark means "not" i.e.
Code: Select all
add action=drop chain=input src-address-list=!admin comment="drop connection for admin special ports" dst-port=22,23,8291,8728,8729 protocol=tcp
Yesy certainly..
Re: firewall advice to pppoe_client customers [SOLVED]
Great thanks to everyone for their helps...
Who is online
Users browsing this forum: No registered users and 158 guests