I don't want to write 50+ rules to deny different type of traffic. I like to allow specify few http https browsers rules and after that I like to deny all other traffic e.g virus chain, FTP, DNS, RDP, VPN requests etc from WAN interface.
Can anyone please help to configure something like
Permit HTTP HTTPS RDP from 192.168.1.0 192.168.2.0 and Deny all other inbound traffic
-
-
ShayanFiroozi
Member Candidate
- Posts: 281
- Joined:
- Location: Bandar Abbas , Iran
Re: Deny All Traffic Rule
Hi,
it's easy , first of all accept any traffic you need , then deny all traffics !!!
*** BE CAREFUL : filtering rules order is very important here , you could deny any access to the router , then you should reset its configuration
it's easy , first of all accept any traffic you need , then deny all traffics !!!
*** BE CAREFUL : filtering rules order is very important here , you could deny any access to the router , then you should reset its configuration
Last edited by ShayanFiroozi on Mon Feb 29, 2016 4:09 pm, edited 1 time in total.
Re: Deny All Traffic Rule
Since you are wanting to allow traffic only from 2 /24 subnets, you want to start by creating an address-list for those 2 networks.
Next you will need to create the rule(s) to allow the traffic to pass through the router.
You can check that this rule is being used by enabling the log option.
Then add your default deny rule when you are happy.
These rules wont affect traffic to the router itself, but only control what traffic is passing through it.
Code: Select all
/ip firewall address-list
add address=192.168.1.0/24 list=Allowed_Networks
add address=192.168.2.0/24 list=Allowed_NetworksCode: Select all
/ip firewall filter
add chain=forward dst-port=3389,80,443 protocol=tcp src-address-list=Allowed_Networks comment="Allow Traffic"Then add your default deny rule when you are happy.
Code: Select all
/ip firewall filter
add action=drop chain=forward src-address-list=Allowed_Networks comment="Default Deny Rule"