giannici
newbie
Topic Author
Posts: 29
Joined: Thu May 11, 2017 4:17 pm

switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 2:08 pm

In a switch chip filter rule (actually a CCR2216) is it OK to use a single rule with only the "dst-port" (or "src-port") without specifying the "mac-protocol" (IP) and "protocol" (both TCP and UDP)?

Said in another way: if I need to block port X for both TCP and UDP, I need to use two rules or can I simply use one rule without specifying the protocol? Or maybe not specifying the protocol could cause any undetermined result?

Thanks.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 4:46 pm

I would imagine the rule does not function without specifying the protocols. How would it know where to look for the value?
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 5:37 pm

True.

A feature I would really love to see is the possibility to create a "service group", for example to say that DNS is (tcp/53, udp/53) and be able to create a rule that refers to that "service group", without the need to specify udp or tcp in the rule.

Or at least the ability to create a group of ports.
 
giannici
newbie
Topic Author
Posts: 29
Joined: Thu May 11, 2017 4:17 pm

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 7:00 pm

I would imagine the rule does not function without specifying the protocols. How would it know where to look for the value?
Well, I'd suppose that if the rule contains a "dst-port" (or "src-port") then the hardware automatically first checks that "protocol = TCP OR protocol = UDP"...
 
giannici
newbie
Topic Author
Posts: 29
Joined: Thu May 11, 2017 4:17 pm

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 7:03 pm

A feature I would really love to see is the possibility to create a "service group", for example to say that DNS is (tcp/53, udp/53) and be able to create a rule that refers to that "service group", without the need to specify udp or tcp in the rule.

Or at least the ability to create a group of ports.
We are talking about switch (that is, "hardware") filter rules, so I think they should remain as simple and raw as possible.
 
k6ccc
Forum Guru
Posts: 1579
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 7:55 pm

Said in another way: if I need to block port X for both TCP and UDP, I need to use two rules or can I simply use one rule without specifying the protocol?
Yes, you need to specify the protocol for each.

However, as a general rule of thumb, a better way to set up your firewall rules is to explicitly specify what you want to allow, and at the end of each chain, have a drop everything rule.
For example:
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far."
This as opposed to specifically dropping things that you want to drop, and allowing everything else.
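The two-rule form the replies describe, written out as an added example (constructed here, not taken from the thread or from MikroTik's documentation), using the DNS case mentioned earlier in the thread. Assumed: the switch is named "switch1", the ingress port is ether1, and an empty new-dst-ports list is the chip's "drop" action; confirm the last point against the RouterOS switch-chip documentation for your model before relying on it.

```routeros
# Constructed example: block port 53 in the switch chip for both transports.
# Each rule must state mac-protocol=ip and one transport protocol; one rule
# per transport, since a rule cannot match both TCP and UDP at once.
/interface/ethernet/switch/rule
add switch=switch1 ports=ether1 mac-protocol=ip protocol=tcp dst-port=53 \
    new-dst-ports="" comment="drop TCP/53 in hardware (assumed drop syntax)"
add switch=switch1 ports=ether1 mac-protocol=ip protocol=udp dst-port=53 \
    new-dst-ports="" comment="drop UDP/53 in hardware (assumed drop syntax)"
```

Switch rules are evaluated in order, so keep any more specific allow rules above these two.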
 
giannici
newbie
Topic Author
Posts: 29
Joined: Thu May 11, 2017 4:17 pm

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 8:13 pm

I'll repeat it again: we are talking about SWITCH FILTER RULES!!!

That is, rules implemented in hardware by the switch chip: /interface/ethernet/switch/rule

We are not talking about normal firewall (software) rules.

Thanks.
 
k6ccc
Forum Guru
Posts: 1579
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

Thu Dec 07, 2023 8:18 pm

Noted. I don't do anything in switching or bridging in any of my routers - just routing. All switch function is done in separate switches.
