Just to bust some myths, I re-did the connection to a device that doesn't have any firewall input filter protection for the WinBox port, but only the "allowed-address" type filtering in /ip service. Some claim that it is possible to extract information from the device this way. It seems it isn't.
Whenever a TCP SYN is sent to the device from a source address that is not listed in the "allowed-address" field of ip service, the device responds with a TCP reset (RST, ACK). That is, no TCP connection is established. TCP RST messages do not have payload.
All in all, I suppose the address filtering is taking place "service independent", like a set of auto-generated invisible firewall rules with "reject" action, or using TCP wrappers.
Capture screenshot attached.
Long story short: ip services address restriction is OK.
Additional message: nowadays no network segment can be treated as "secure".
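Added example, not part of the original post: a way to repeat the check described above on your own capture, by parsing raw IPv4/TCP packets and confirming that the device's only replies from the service port are payload-free resets. The addresses, the helper names and the sample packets are constructed for illustration, and 8291 is assumed as the default WinBox port.

```python
import socket
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract addresses, ports, TCP flags and payload length from a raw IPv4 packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": pkt[ihl + 13],
            "payload_len": total_len - ihl - data_off}

def classify_replies(packets, device_ip, service_port):
    """Classify what the device sent back from the service port.

    'rejected': every reply is an RST without payload
    'leak':     some reply is a SYN/ACK, lacks RST, or carries data
    'silent':   the device sent nothing (the SYN was dropped, not rejected)
    """
    replies = [p for p in map(parse_ipv4_tcp, packets)
               if p["src"] == device_ip and p["sport"] == service_port]
    if not replies:
        return "silent"
    for r in replies:
        if not r["flags"] & RST or r["flags"] & SYN or r["payload_len"] > 0:
            return "leak"
    return "rejected"

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed IPv4/TCP packet (checksums left at zero) for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      5 << 4, flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

# Constructed sample: a SYN from a non-allowed source and the device's RST, ACK.
CLIENT, DEVICE, WINBOX = "198.51.100.7", "192.0.2.1", 8291
SAMPLE = [build_packet(CLIENT, DEVICE, 40000, WINBOX, SYN),
          build_packet(DEVICE, CLIENT, WINBOX, 40000, RST | ACK)]

if __name__ == "__main__":
    print(classify_replies(SAMPLE, DEVICE, WINBOX))
```

To run it on real traffic, feed it the IP-layer bytes of each captured packet (link-layer header stripped) in place of `SAMPLE`.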