aldo142
just joined
Topic Author
Posts: 14
Joined: Fri Jan 28, 2022 1:56 pm

new bee questions about firewall

Fri Jan 28, 2022 1:59 pm

Hello, I have a big problem: I want to close all my ports and all incoming and outgoing traffic. First question: by default, does the MikroTik firewall close all traffic, or is everything open? Second, more important question: how do I allow only 1 or 2 IPs and ports for incoming traffic, and how do I allow 1 or 2 IPs and ports for outgoing traffic?

Thanks
 
anav
Forum Guru
Posts: 19379
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: new bee questions about firewall

Fri Jan 28, 2022 5:24 pm

SEE ITEM B on this link!! - viewtopic.php?t=182373

After you have digested the first NOVICE CONFIG and moved your config in that direction,
you can then further adjust the rules with an address-list modifier.

NOTE: So all you will need to do is to modify this line to control outgoing WAN traffic........
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN src-address-list="name of your choice"

Next, if you also want to further limit access on those IPs by port......
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN src-address-list="name of your choice" protocol=tcp dst-port=xxxxx,yyyyy,zzzzz


FOR INCOMING TRAFFIC, we do not usually let traffic to the router (input chain) unless it's VPN traffic, or through the router to the LAN (forward chain) unless it's traffic for hosted servers.
Even then, the default firewall provided at the link covers that; what some call port forwarding is, in MT vernacular, called destination NAT.
The rules needed for port forwarding are constructed in the IP firewall NAT rules area. SEE ITEM D on the link provided above, and specifically scroll down to para 6.



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Good info to digest:

USE OF INTERFACES AND FIREWALL ADDRESSES
The basic rules of thumb here are as follows:

1. USE an interface list for two or more whole subnets that will have associated firewall rules.
(Exception: The management or base interface by itself is normally given an interface-list entry, mainly because there are several places on the MT router where a list entry is required!)

2. Any combination of users described by individual IP addresses should be contained in a firewall address list, and this includes:
a. Single or Group of IP addresses within a subnet, but not the whole subnet
b. Single or group of IP addresses from different subnets
c. Single or group of IP addresses AND one or more subnets

3. A firewall address list should not normally consist of a single subnet; simply use dst-address=subnet or src-address=subnet, or the name of the interface that contains the single subnet, such as vlan20-home.
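To put the advice above together in one place, here is an added RouterOS configuration example (written for this thread, not anav's config or MikroTik's default firewall) that does what the original question asks: only two LAN hosts may reach the WAN, and only on two ports, and only one remote IP may reach one hosted service from the WAN. The interface lists LAN and WAN are assumed to already exist (they do in the default config); the address-list names, the 192.168.88.x LAN hosts, the 203.0.113.5 remote address and the port numbers are all constructed placeholders to be replaced with your own values.

```routeros
# Address lists: individual hosts, not whole subnets (rule of thumb 2 above).
/ip firewall address-list
add list=allowed-out address=192.168.88.10 comment="LAN host allowed to reach the WAN (constructed)"
add list=allowed-out address=192.168.88.11 comment="LAN host allowed to reach the WAN (constructed)"
add list=allowed-in  address=203.0.113.5  comment="remote IP allowed to reach the hosted service (constructed)"

# Forward chain: traffic passing THROUGH the router (LAN <-> WAN).
# Order matters: rules are evaluated top to bottom, first match wins.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies to already-allowed connections"
add chain=forward action=drop   connection-state=invalid
# Outgoing: only hosts on the allowed-out list, and only to these destination ports.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    src-address-list=allowed-out protocol=tcp dst-port=443 comment="HTTPS from allowed hosts only"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    src-address-list=allowed-out protocol=udp dst-port=53  comment="DNS from allowed hosts only"
# Incoming: only connections the NAT rule below has already dst-natted are let through.
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN \
    comment="port-forwarded traffic only"
# Everything else through the router is dropped (default-deny).
add chain=forward action=drop comment="drop all other forwarded traffic"

# Input chain: traffic TO the router itself. Allow management only from the LAN.
add chain=input action=accept connection-state=established,related
add chain=input action=drop   connection-state=invalid
add chain=input action=accept in-interface-list=LAN comment="router management from LAN"
add chain=input action=drop   comment="drop all other traffic to the router"

# Destination NAT ("port forwarding"): one remote IP, one port, one internal server.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN src-address-list=allowed-in \
    protocol=tcp dst-port=443 to-addresses=192.168.88.10 to-ports=443 \
    comment="expose the hosted service to the allowed-in list only"
add chain=srcnat action=masquerade out-interface-list=WAN comment="NAT for outgoing LAN traffic"
```

Two points worth checking before you rely on this: `dst-port` is only accepted together with a `protocol=` value, so a rule that lists ports without a protocol is rejected by RouterOS; and because the final forward and input rules drop everything unmatched, add your accept rules (including any VPN you need) above them, and test from a LAN host before you disconnect the console session.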
