stephenjs79
just joined
Topic Author
Posts: 3
Joined: Sun Sep 10, 2017 8:59 am

IP Firewall Filter rule preference

Thu Jul 11, 2019 4:53 am

Hi All,

New to Mikrotik. Loving it so far. Trying to move away from an archaic PIX.

I have done all the initial setup and created a few address lists, and I am now adding my firewall filter rules.

I am wondering about the best way to allow HTTP/HTTPS traffic and whether my rules are correct.

add action=accept chain=forward dst-port=80,443 protocol=tcp src-address-list="Our MPLS Network"
or
add action=accept chain=forward dst-port=80,443 in-interface-list=inside protocol=tcp

Thanks in advance
Stephen
 
havelkao
just joined
Posts: 4
Joined: Thu Aug 06, 2015 10:35 am

Re: IP Firewall Filter rule preference

Thu Jul 11, 2019 12:28 pm

Hi,
It depends on your network:
src-address-list ~ this is a list of networks like 192.168.1.1, 172.16.1.1....
in-interface/list ~ this is an interface-related list like ether1, ether2...
 
mkx
Forum Guru
Posts: 2468
Joined: Thu Mar 03, 2016 10:23 pm

Re: IP Firewall Filter rule preference

Thu Jul 11, 2019 4:01 pm

As I already wrote once: a potentially malicious user can easily spoof src-address but can hardly spoof in-interface ... if you care about security, you have to keep this in mind. However, many times it's not this simple and one has to use a combination of both.
BR,
Metod
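
The combination described in the last reply, written out as RouterOS filter rules. This is an added example, not posted by any participant in the thread; the list names "inside" and "Our MPLS Network" come from the original question, while the rule order, the log prefix and the closing drop rule are assumptions.

```routeros
# Added example (not from the thread). Assumes the interface list "inside"
# and the address list "Our MPLS Network" already exist, as in the question.
/ip firewall filter

# Return traffic for connections that an earlier packet already opened.
add chain=forward action=accept connection-state=established,related \
    comment="allow established/related"

# Packets that do not belong to any tracked connection.
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid"

# Anti-spoofing: the source address claims to be internal, but the packet
# did not arrive on an inside interface. Drop and log it before any accept
# rule can match on the address alone. The log prefix is an assumed value.
add chain=forward action=drop in-interface-list=!inside \
    src-address-list="Our MPLS Network" \
    log=yes log-prefix="spoof-src" \
    comment="internal source seen on non-inside interface"

# Both conditions from the question in one rule: the packet must arrive on
# an inside interface AND carry a source address from the list.
add chain=forward action=accept protocol=tcp dst-port=80,443 \
    connection-state=new in-interface-list=inside \
    src-address-list="Our MPLS Network" \
    comment="web from inside, known source only"

# Assumed default-deny for everything else passing through the router.
# Place any further accept rules above this line.
add chain=forward action=drop comment="drop all other forwarded traffic"
```

Hits on the "spoof-src" rule show up in the router log and in the rule's packet counter, which makes the difference between the two original rules visible on live traffic.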
