Krusty
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

firewall rule to dst host

Tue Jun 09, 2009 5:03 pm

Hello everybody,

I've got a simple question. Is there any chance to add a firewall rule to a DST host, not to a DST IP?

example

I need to add this rule

add action=accept chain=forward comment="" disabled=no dst-address=217.31.55.217 dst-port=40000-50000 in-interface=eth2-LAN out-interface=eth1-WAN protocol=tcp src-address=192.168.1.0/24

BUT instead of dst-address=217.31.55.217 I need to add the HOST update.atlascon.cz

Is this possible?
Thanks a lot
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: firewall rule to dst host

Tue Jun 09, 2009 5:59 pm

is there any chance to add firewall rule to DST host not to DST IP
Yes, but not directly. You'll have to write a script which resolves the hostname and updates the firewall rule accordingly. You'll then have to schedule the script to run regularly.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
 
Krusty
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

Re: firewall rule to dst host

Tue Jun 09, 2009 6:16 pm

Yes, but not directly. You'll have to write a script which resolves the hostname and updates the firewall rule accordingly. You'll then have to schedule the script to run regularly.
Thanks, but this is unnecessarily complicated :(

In the future, will there be any chance to make the setup simpler? Like some command (dst-host) or something like this?
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: firewall rule to dst host

Tue Jun 09, 2009 6:41 pm

If you want complicated, then tell the router to resolve that hostname for every single packet that traverses that rule. Ouch.
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: firewall rule to dst host

Wed Jun 10, 2009 1:32 pm

...this is unnecessarily complicated
On the contrary, this is necessarily complicated. How do you think it should be done (bearing in mind changeip's comments about resolving the hostname for every packet)?
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
 
normis
MikroTik Support
Posts: 24422
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: firewall rule to dst host

Wed Jun 10, 2009 1:37 pm

Yes, if you have 500 firewall rules (as many do) and each packet that is directed to some host needs to cause a DNS resolve request, your router will just go insane :)
No answer to your question? How to write posts
 
Chupaka
Forum Guru
Posts: 8345
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: firewall rule to dst host

Thu Jun 11, 2009 1:20 pm

But MT may internally implement something like the script mentioned above: periodically check for IP address changes for selected DNS names and correct the firewall rules accordingly.
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Krusty
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

Re: firewall rule to dst host

Thu Jun 11, 2009 5:57 pm

but MT may internally implement something like the script mentioned above: periodically check for IP address changes for selected DNS names and correct firewall rules accordingly
This is a great idea.

Maybe someone would be so nice as to write me this script?
I would be very grateful.
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: firewall rule to dst host

Thu Jun 11, 2009 6:30 pm

...periodically check for IP address changes for selected DNS names and correct firewall rules accordingly
Thinking about this, this could be quite easy to implement from our side rather than on the MT side.

If we create an address list entry for every host we want to query in this way and refer to the address list in the firewall rules, then all we need to do is write a script which runs periodically (say every hour) to update the address list with the correct address. For example:
/ip firewall address-list add address=0.0.0.0 comment=www.mikrotik.com list=host_mikrotik
/ip firewall filter add chain=output dst-address-list=host_mikrotik action=reject
and then a script which updates every address from the address list which starts 'host_' with the IP address of the host mentioned in the comments:
# define variables
:local list
:local comment
:local newip

# Loop through each entry in the address list.
:foreach i in=[/ip firewall address-list find] do={

# Get the first five characters of the list name
  :set list [:pick [/ip firewall address-list get $i list] 0 5]

# If they're 'host_', then we've got a match - process it
  :if ($list = "host_") do={

# Get the comment for this address list item (this is the host name to use)
    :set comment [/ip firewall address-list get $i comment]

# Resolve it and set the address list entry accordingly.
    :set newip [:resolve $comment]
    /ip firewall address-list set $i address=$newip
    }
  }
That makes it very easy and quite flexible.

Except... If the host name doesn't exist, the ':resolve' action fails, the whole script dies and nothing after that entry gets changed. I've mentioned this before and (in my opinion) this is a fundamental flaw in the design of the ':resolve' action. I believe that it should return '0.0.0.0' or 'unknown' or something which we can then test for within the script. Just because a hostname doesn't resolve doesn't mean there's anything wrong - I would like to be the judge of whether or not to crash out rather than have the router arbitrarily decide for me.

Anyway, rant over. I think this is quite an elegant solution to the problem.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
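A hardened variant of the address-list refresh approach from the post above, added here as an example rather than NAB's script or anything shipped by MikroTik. It keeps the same convention (list names starting with 'host_', the hostname kept in the entry's comment) and assumes RouterOS v6 or later, where ':do { } on-error={ }' is available, so that one unresolvable hostname is logged and skipped instead of aborting the whole run. The script name refresh-host-lists used in the usage note is an assumption.

```routeros
# Added example (not NAB's script): refresh every address-list entry whose
# list name starts with "host_", resolving the hostname stored in its comment.
# Assumes RouterOS v6 or later (:do/on-error, regex match in "find where").
:local hostname
:local oldip
:local newip

# Only walk entries that belong to a "host_" list; "~" is a regex match.
:foreach i in=[/ip firewall address-list find where list~"^host_"] do={
    :set hostname [/ip firewall address-list get $i comment]
    :set oldip [/ip firewall address-list get $i address]

    # Resolve inside :do/on-error so a dead hostname does not kill the script.
    # On failure the entry keeps its previous address and a warning is logged,
    # which is also the signal to watch for in the log if a list goes stale.
    :do {
        :set newip [:resolve $hostname]
        # Only touch the entry when the address actually changed, so the
        # firewall's address-list is not rewritten needlessly every run.
        :if ($newip != $oldip) do={
            /ip firewall address-list set $i address=$newip
            :log info ("host_ refresh: " . $hostname . " " . $oldip . " -> " . $newip)
        }
    } on-error={
        :log warning ("host_ refresh: could not resolve " . $hostname . ", keeping " . $oldip)
    }
}
```

Save it under /system script as refresh-host-lists and schedule it with '/system scheduler add name=refresh-host-lists interval=1h on-event=refresh-host-lists' (the hourly interval is the one suggested in the post; pick something shorter than the DNS record's TTL if the host changes address often). Two caveats worth knowing: ':resolve' returns a single address, so a hostname with several A records only ever gets one of them into the list, and on a resolution failure the old address stays in effect until the next successful run, so the warning in the log is the thing to alert on. Later RouterOS versions also accept a DNS name directly as an address-list entry and keep it resolved for you, which is essentially the feature Chupaka asked MikroTik for.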
 
Krusty
Frequent Visitor
Topic Author
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

Re: firewall rule to dst host

Fri Jun 12, 2009 10:41 pm


Flawless, seems to work perfectly.
Thanks a lot.
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: firewall rule to dst host

Tue Jun 16, 2009 3:42 pm

Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
