glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Dynamic firewall rules question

Thu Mar 22, 2012 11:19 am

Hello,

I hope someone can help me with this. In my hotspot I want to set up firewall rules that allow specific users to access specific SMTP servers, but otherwise SMTP access would be blocked. Here is an example:

If source IP is 192.168.1.1 then access to target IP 88.88.88.1:25 is OK
If source IP is 192.168.1.2 then access to target IP 88.88.88.2:25 is OK
All other port 25 access is rejected

The difficulty is that the source/target pairs change on a daily basis and there are a lot of them. That means that I want to avoid having to write a firewall rule for each one. I would rather have a single firewall rule with address lists.

example:
if source IP is on LIST1 and target IP is on LIST1 then TCP,port(25) is OK
if source IP is on LIST2 and target IP is on LIST2 then TCP,port(25) is OK

My problem is that I cannot set up the rule to allow connections where the Src and Dest address lists are the same. I have to specify the exact name ... so this will not take me closer to my single rule goal ... unless there is a way to somehow use dynamic names or variables for the names of the address lists. Is this possible somehow? ... or maybe the name of the list could be a parameter like the source IP address?

Another possible (half) solution is to group source IPs to a SOURCE list and target IPs to a TARGET list and use the following rule
if source IP is on SOURCE and target is on TARGET, then TCP,port(25) is OK
... but this still allows a lot of connections that I would rather not have.

Does anyone have a better idea on how to handle this situation?

Thanks
GL
 
NAB
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Dynamic firewall rules question

Thu Mar 22, 2012 11:39 am

/ip firewall filter add chain=smtp src-address-list=LIST1 dst-address-list=LIST1 protocol=tcp dst-port=25 action=accept
works for me - what part of this didn't work for you?

Wouldn't it be easier to set up your own SMTP relay/spam filter/whatever internally and only permit your hosts to talk to that?
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
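The question above needs one allow per (client, SMTP server) pair without one rule per pair; the reply shows the address-list rule form. The following is an added example, not code from either poster or from MikroTik: it groups the pairs by SMTP server so that there is one address list of clients per server and one accept rule per server (followed by a final drop on tcp/25), generates the RouterOS commands in the syntax of the reply, and evaluates both that policy and the SOURCE/TARGET shortcut from the question so the over-permission of the shortcut is visible. The pair data, the list-naming convention and the `smtp` chain being reached by a jump from `forward` are assumptions.

```python
"""Generate per-server RouterOS address lists and filter rules from (client, SMTP server)
pairs, then evaluate the resulting policy against the SOURCE/TARGET shortcut.
Added example; the pair data and list names are constructed, not taken from the thread."""
from collections import defaultdict

# Constructed sample pairs (client IP, SMTP server it may reach on tcp/25).
PAIRS = [
    ("192.168.1.1", "88.88.88.1"),
    ("192.168.1.2", "88.88.88.2"),
    ("192.168.1.3", "88.88.88.1"),  # two clients may share one server
]


def list_name(server):
    # Hypothetical naming convention: one address list of permitted clients per SMTP server.
    return "smtp-clients-" + server.replace(".", "-")


def group_by_server(pairs):
    """Map each SMTP server to the set of clients allowed to reach it on tcp/25."""
    groups = defaultdict(set)
    for client, server in pairs:
        groups[server].add(client)
    return dict(groups)


def render_routeros(pairs):
    """Emit RouterOS commands: address-list entries, one accept rule per server, one final drop.
    chain=smtp follows the reply above; it assumes a jump from the forward chain exists.
    The rule count equals the number of distinct servers, not the number of pairs."""
    lines = []
    groups = group_by_server(pairs)
    for server, clients in sorted(groups.items()):
        for client in sorted(clients):
            lines.append(
                f"/ip firewall address-list add list={list_name(server)} address={client}"
            )
    for server in sorted(groups):
        lines.append(
            f"/ip firewall filter add chain=smtp src-address-list={list_name(server)} "
            f"dst-address={server} protocol=tcp dst-port=25 action=accept"
        )
    # Everything else on tcp/25 is dropped, as the question requires.
    lines.append("/ip firewall filter add chain=smtp protocol=tcp dst-port=25 action=drop")
    return lines


def allowed_per_server(pairs, client, server):
    """Evaluate the grouped policy: accepted only if the client is in that server's list."""
    return client in group_by_server(pairs).get(server, set())


def allowed_source_target(pairs, client, server):
    """Evaluate the SOURCE/TARGET shortcut from the question: any listed client may reach
    any listed server, which is the over-permission the poster wants to avoid."""
    sources = {c for c, _ in pairs}
    targets = {s for _, s in pairs}
    return client in sources and server in targets


def extra_permissions(pairs):
    """Client/server combinations the SOURCE/TARGET shortcut allows but the pair list does not."""
    wanted = set(pairs)
    sources = {c for c, _ in pairs}
    targets = {s for _, s in pairs}
    return sorted((c, s) for c in sources for s in targets if (c, s) not in wanted)


if __name__ == "__main__":
    print("\n".join(render_routeros(PAIRS)))
    print("over-permitted by SOURCE/TARGET:", extra_permissions(PAIRS))
```

Regenerating and re-applying the address lists daily from the pair file keeps the rule set fixed while the memberships change; with the sample data the grouped policy needs two accept rules for three pairs, and `extra_permissions` lists the three combinations the SOURCE/TARGET shortcut would wrongly let through.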
 
glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Re: Dynamic firewall rules question

Thu Mar 22, 2012 12:18 pm

Yes, that works for a single pair. I have 1000 pairs that change from time to time. I don't want to have 1000 rules.

The problem with the internal email server is that when clients use the hotspot, they would have to switch their config to it, and switch away when they leave.

GL
