syadnom
Member
Topic Author
Posts: 405
Joined: Thu Jan 27, 2011 7:29 am

feature request, auto firewall nat rules

Sun Jul 08, 2018 5:22 pm

I'd love for the firewall to automatically open ports matching NAT entries.

If I NAT port 80 in ether1 to an on ether2, I'd like to see a firewall rule dynamically created that is in-interface-ether1, port 80.
 
Sob
Forum Guru
Posts: 4813
Joined: Mon Apr 20, 2009 9:11 pm

Re: feature request, auto firewall nat rules  [SOLVED]

Sun Jul 08, 2018 5:34 pm

Why? You can already do:

/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat

It will allow any dstnatted connection, which may sound dangerous, but no connection can get this state unless it's processed by dstnat, so it doesn't open any security holes. What would be the advantage of the suggested feature compared to this?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
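
The rule from the post above placed in a complete forward chain, as an added example that is not part of the original thread. The internal server address 192.168.88.10 and the roles of ether1 (WAN) and ether2 (LAN) are assumptions for illustration.

```routeros
# Constructed example: ether1 = WAN, ether2 = LAN,
# 192.168.88.10 = internal web server (assumed values)
/ip firewall nat
# The port forward itself: the only place where the exposed port is defined
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80

/ip firewall filter
# Replies and related traffic for connections that were already allowed
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# One static rule covers every current and future dst-nat entry
add chain=forward connection-nat-state=dstnat action=accept
# LAN-initiated traffic going out
add chain=forward in-interface=ether2 action=accept
# Everything else is dropped, including new WAN connections
# that matched no dst-nat rule
add chain=forward action=drop
```

Because the accept rule follows whatever the NAT table forwards, any restriction by source address or interface belongs on the dst-nat rule itself.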
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: feature request, auto firewall nat rules

Sun Jul 08, 2018 5:35 pm

You can use this FW rule to accept all NATed connections:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept

EDIT: damn, Sob beat me to it :(
 
syadnom
Member
Topic Author
Posts: 405
Joined: Thu Jan 27, 2011 7:29 am

Re: feature request, auto firewall nat rules

Sun Jul 08, 2018 5:49 pm

How did I not know this!
 
Sob
Forum Guru
Posts: 4813
Joined: Mon Apr 20, 2009 9:11 pm

Re: feature request, auto firewall nat rules

Sun Jul 08, 2018 6:58 pm

It's relatively new (since 6.22, according to the changelog). Well, that was in 2014, but still...