Fri Jan 18, 2019 8:37 pm
Not so fast.........
It depends upon the filter rules in place.
For example, I have drop-all-else rules at the end and work on the principle of: if it's not permitted, it's dropped.
So my input rules are as such.....
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
Any other traffic on port 53 will be dropped by my last rule.
add action=drop chain=input comment="DROP ALL ELSE"
If you want to be slightly more paranoid you could always add these rules in the forward chain BEFORE
the first accept-established rule............
add action=drop chain=forward comment="Drop LAN DNS queries-UDP" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=forward comment="Drop LAN DNS queries - TCP" dst-port=\
53 in-interface-list=WAN protocol=tcp
However, since I have a drop-all-else rule in my forward chain as the last rule, I don't think I need this.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
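The post's point is that RouterOS walks a chain top to bottom and stops at the first match, and that a chain with no matching rule accepts the packet, which is why the final "DROP ALL ELSE" rule is what keeps the router from answering WAN DNS queries. The following added example (not from the post or from MikroTik) parses the post's `add ...` rule lines and evaluates packets against them with a simplified first-match model; the leading `connection-state=established,related` rule is an assumption, added because such a rule normally sits first, and `in-interface-list` is modelled as a plain label on the packet rather than real list membership.

```python
"""Toy first-match evaluator for RouterOS-style firewall rules (added example)."""
import shlex

# Constructed rule set: the post's input chain plus an assumed first rule
# accepting established/related traffic, as most RouterOS configs have.
INPUT_RULES = """
add action=accept chain=input comment="Accept established" connection-state=established,related
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
"""

# Matchers this toy model understands; anything a rule leaves out is a wildcard.
MATCH_FIELDS = ("protocol", "dst-port", "in-interface-list", "connection-state")

def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

def matches(rule, pkt):
    """A rule matches when every matcher it specifies agrees with the packet.
    Simplification: in-interface-list is compared as a label, not list membership."""
    for field in MATCH_FIELDS:
        if field not in rule:
            continue  # unspecified matcher acts as a wildcard
        wanted = rule[field].split(",")  # e.g. established,related
        if str(pkt.get(field)) not in wanted:
            return False
    return True

def evaluate(rules, chain, pkt):
    """First-match semantics: return (action, comment) of the first hit.
    With no hit, RouterOS accepts by default, which is what DROP ALL ELSE prevents."""
    for rule in rules:
        if rule.get("chain") == chain and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit chain default"

def dns_query_verdict(iface_list, proto, rules_text=INPUT_RULES):
    """Verdict for a new DNS query to the router arriving from the given interface list."""
    pkt = {"protocol": proto, "dst-port": 53,
           "in-interface-list": iface_list, "connection-state": "new"}
    return evaluate(parse_rules(rules_text), "input", pkt)[0]
```

Dropping the last rule from the parsed list and re-evaluating a WAN query shows the open-resolver case: nothing matches, so the chain default accepts it.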