chum
just joined
Topic Author
Posts: 13
Joined: Sun Feb 24, 2019 12:01 pm

Allow only tcp 80,443 but why ping can also be allowed

Sat Dec 21, 2019 5:44 am

Hello,
add action=drop chain=forward dst-port=!80,443 protocol=tcp src-address=192.168.1.50

I only want the machine 192.168.1.50 to use TCP 80,443, but why can it also ping the internet?
 
Njumaen
Frequent Visitor
Posts: 97
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany

Re: Allow only tcp 80,443 but why ping can also be allowed

Sat Dec 21, 2019 8:46 am

 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Allow only tcp 80,443 but why ping can also be allowed

Sat Dec 21, 2019 10:14 am

Hi Chum
In an effort to be a bit more helpful than Njumaen,
Your rule blocks all TCP connections that are not destined for ports 80,443.
However, ICMP (ping) will not be processed by this rule.
If you want to block everything except TCP 80,443 then you'll need another rule under that:
/ip firewall filter
add action=drop chain=forward src-address=192.168.1.50
Remember though you might want to add some permit rules to allow for DNS and other services the host might use.
I hope this helps
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Allow only tcp 80,443 but why ping can also be allowed

Sat Dec 21, 2019 4:17 pm

This won't work.

OP's rule works because there's an implicit allow all rule at the end. TCP port 80 and 443 are passed by OP's rule, but firewall filter rules are processed further. If there's markmcn's rule further down the list, that one would drop http and https as well.

So if one goes the (recommended) way of "drop everything which is not allowed before", then OP's rule has to be inverted ... to "action=allow dst-port=80,443".
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Allow only tcp 80,443 but why ping can also be allowed

Sat Dec 21, 2019 6:56 pm

@mkx
Thank you for correcting my mistake, I was still waking up!!
Below is what should work
/ip firewall filter
add action=accept chain=forward dst-port=80,443 protocol=tcp src-address=192.168.1.50
add action=drop chain=forward src-address=192.168.1.50
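The two points made in this thread (mkx's: a filter chain is first-match with an implicit accept at the end, so OP's drop rule lets port 80/443 traffic fall through to any later drop-all rule; and markmcn's: the accept-then-drop pair works but also cuts off DNS and everything else unless permitted first) can be checked with a small model of how a RouterOS filter chain is evaluated. This is an added example written for this page, not code from the thread or from MikroTik; the Packet/Rule classes, the sample traffic and the rule sets are constructed for the demonstration and only model the match fields used in the thread (src-address, protocol, dst-port with and without "!").

```python
"""Toy model of /ip firewall filter chain evaluation (constructed example).

Semantics modelled: rules are tried top to bottom, the first matching rule
with a terminal action (accept/drop) decides the packet, and a packet that
matches no rule is accepted (the implicit allow at the end of the chain).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

HOST = "192.168.1.50"  # the host from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                                 # "accept" or "drop"
    src_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: Optional[FrozenSet[int]] = None  # dst-port=80,443
    negate_ports: bool = False                  # dst-port=!80,443

    def matches(self, pkt: Packet) -> bool:
        if self.src_address is not None and pkt.src != self.src_address:
            return False
        if self.protocol is not None and pkt.proto != self.protocol:
            return False
        if self.dst_ports is not None:
            # dst-port requires protocol= in RouterOS; a packet with no port
            # (ICMP) can never match a port test, negated or not.
            if pkt.dst_port is None:
                return False
            in_set = pkt.dst_port in self.dst_ports
            if in_set == self.negate_ports:
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> str:
    """Return the verdict for pkt under the first-match chain."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"  # implicit allow when nothing matched


# Constructed sample traffic from the host.
TRAFFIC: Dict[str, Packet] = {
    "https": Packet(HOST, "tcp", 443),
    "ssh": Packet(HOST, "tcp", 22),
    "ping": Packet(HOST, "icmp"),
    "dns": Packet(HOST, "udp", 53),
}

# OP's original rule: drop TCP to anything but 80,443.
OP_RULE = Rule("drop", HOST, "tcp", frozenset({80, 443}), negate_ports=True)
# markmcn's first suggestion: OP's rule followed by a catch-all drop.
DROP_ALL = Rule("drop", HOST)
# The corrected pair: accept 80,443, then drop the rest.
ACCEPT_WEB = Rule("accept", HOST, "tcp", frozenset({80, 443}))
# A permit for DNS, the kind of rule markmcn says you will still need.
ACCEPT_DNS = Rule("accept", HOST, "udp", frozenset({53}))

CHAINS: Dict[str, List[Rule]] = {
    "op_only": [OP_RULE],
    "op_plus_drop_all": [OP_RULE, DROP_ALL],
    "accept_then_drop": [ACCEPT_WEB, DROP_ALL],
    "accept_dns_then_drop": [ACCEPT_WEB, ACCEPT_DNS, DROP_ALL],
}


def verdicts(chain_name: str) -> Dict[str, str]:
    """Verdict for every sample packet under the named chain."""
    chain = CHAINS[chain_name]
    return {name: evaluate(chain, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for name in CHAINS:
        print(f"{name:22s} {verdicts(name)}")
```

Running it shows the three situations side by side: under `op_only` ping and DNS are accepted by the implicit allow (the OP's question); under `op_plus_drop_all` HTTPS is dropped too, because the OP's rule never accepts it and the catch-all below does match (mkx's objection); under `accept_then_drop` only 80/443 survive and DNS is gone until an explicit permit is placed above the drop.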
