I have some trouble with a firewall configuration:
I have blocked everything in the forward chain except traffic towards some IP addresses included in an IP address list.
It works like a charm.
Now I would like to populate the IP address list dynamically using an L7 rule. I have added a mangle rule in the prerouting chain to check against the L7 rule and add the address to the allowed IP list.
Unfortunately it doesn't work. It seems the forward drop rule is executed before the mangle prerouting rule that populates this list.
This is my firewall forward chain related configuration:

/ip firewall filter
add action=accept chain=forward comment="forward - accept all connections from lan to allowed ips" packet-mark=lan-wan-allowed-ips
add action=drop chain=forward comment="forward - drop all connections from lan" disabled=yes in-interface-list=lan out-interface-list=wan

This is my firewall L7 related configuration:

/ip firewall layer7-protocol
add name=raspbian regexp="^(.*Host: .*rasp.*)"

This is my firewall mangle prerouting chain related configuration:

/ip firewall mangle
add action=add-dst-to-address-list address-list=allowed-ips address-list-timeout=none-dynamic chain=prerouting comment="add to destination address list raspberry repositories" connection-mark=no-mark dst-address-list=!allowed-ips dst-port=80 in-interface-list=lan layer7-protocol=raspbian protocol=tcp
add action=mark-connection chain=forward comment="mark packets to allowed ips and ports" dst-address-list=allowed-ips in-interface-list=lan new-connection-mark=lan-wan-allowed-ips out-interface-list=wan passthrough=yes
add action=mark-packet chain=forward comment="mark packets allowed" connection-mark=lan-wan-allowed-ips new-packet-mark=lan-wan-allowed-ips passthrough=no

Thank you all
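The interplay between the L7 matcher and the forward drop rule is easier to see in a per-packet model. The following Python is an added example, not the poster's configuration or any RouterOS code: it walks a constructed HTTP connection (empty-payload handshake packets, then a GET carrying the Host header) through a mangle-prerouting step that applies the post's regex to the payload collected so far and a forward step that only accepts destinations already in the list. The collection window (10 packets / 2048 bytes), the POSIX-style regex semantics ('.' also matching newline, case-insensitive) and the sample destination 192.0.2.10 are assumptions of the model, not facts taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed model (added example, not the poster's configuration or RouterOS code).
# Assumptions, not from the post: the L7 matcher evaluates the regex over the
# payload collected from the first packets of a connection, with POSIX-style
# semantics ('.' also matches newline, case-insensitive), and stops collecting
# after a fixed window of packets/bytes.
L7_REGEX = re.compile(rb"^(.*Host: .*rasp.*)", re.DOTALL | re.IGNORECASE)
L7_MAX_PACKETS = 10   # assumed collection window
L7_MAX_BYTES = 2048   # assumed collection window

# Constructed packets of one HTTP connection from the LAN to a repository host.
# The TCP handshake carries no payload; the Host header only appears in the GET.
SAMPLE_DST = "192.0.2.10"   # documentation address standing in for the repo server
SAMPLE_CONNECTION = [
    b"",                                                                     # SYN
    b"",                                                                     # ACK
    b"GET /raspbian/dists/ HTTP/1.1\r\nHost: archive.raspbian.org\r\n\r\n",  # first data
]


@dataclass
class Connection:
    dst: str
    payload: bytes = b""
    packets: int = 0
    matched: bool = False


class Router:
    """Per-packet model of the two chains from the post: mangle prerouting
    (L7 check that feeds the address list), then filter forward (list check)."""

    def __init__(self):
        self.allowed_ips = set()

    def mangle_prerouting(self, conn, data):
        # Model of 'add-dst-to-address-list ... layer7-protocol=raspbian':
        # the regex is evaluated on everything collected so far for this connection.
        if conn.packets < L7_MAX_PACKETS and len(conn.payload) < L7_MAX_BYTES:
            conn.payload += data
            conn.packets += 1
            if not conn.matched and L7_REGEX.search(conn.payload):
                conn.matched = True
                self.allowed_ips.add(conn.dst)

    def filter_forward(self, conn):
        # Model of the forward chain: accept traffic to listed IPs, drop the rest.
        return "accept" if conn.dst in self.allowed_ips else "drop"

    def process(self, conn, data):
        self.mangle_prerouting(conn, data)   # prerouting does run first for each packet ...
        return self.filter_forward(conn)     # ... but forward decides on the list as it is now


def simulate(packets=SAMPLE_CONNECTION, dst=SAMPLE_DST, client_gives_up_on_drop=True):
    """Return the per-packet verdicts and the final address list.
    A real client cannot send the GET if its SYN never got through, so the
    simulation stops at the first drop unless told otherwise."""
    router, conn, verdicts = Router(), Connection(dst), []
    for data in packets:
        verdict = router.process(conn, data)
        verdicts.append(verdict)
        if verdict == "drop" and client_gives_up_on_drop:
            break
    return verdicts, sorted(router.allowed_ips)


def first_matching_packet(packets=SAMPLE_CONNECTION):
    """Index of the packet at which the L7 regex can first match (None if never)."""
    collected = b""
    for i, data in enumerate(packets):
        collected += data
        if L7_REGEX.search(collected):
            return i
    return None


if __name__ == "__main__":
    print("realistic client:", simulate())
    print("if the client could keep sending:", simulate(client_gives_up_on_drop=False))
    print("L7 first matches at packet index:", first_matching_packet())
```

Running it shows the ordering itself is not the problem in the model: prerouting is evaluated before forward for every packet, but the regex cannot match until the packet that carries the Host header, and by then the handshake packets of that same connection have already been dropped in forward because the destination was not yet listed. The address list therefore only ever gets populated in the hypothetical case where the client keeps sending after its SYN was dropped.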