hello all
my network 82.15.xx.0/24
i have need drop all DNS request from Internet to my network !
that's mean :
Internet ( udp 53 Request ) -----> 82.15.xx.0/24 ---Drop
82.15.xx.0/24 -----> Internet ( udp 53 Request ) ---Allow
thanks
Re: drop all dns request from Internet to my network
You have to drop all unwanted incoming packets from Internet generally.
Re: drop all dns request from Internet to my network
how to detect unwanted incoming packets in firewall ?You have to drop all unwanted incoming packets from Internet generally.
are you means : connections state ?
Re: drop all dns request from Internet to my network
drop input chain with dst port 53 protocol udp on outside interface.
and the generic approach drop input chain in outside interface not established.
and the generic approach drop input chain in outside interface not established.
Re: drop all dns request from Internet to my network
for raw table;
for filter;
Or
Code: Select all
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface=WAN protocol=udp
Code: Select all
/ip firewall filter
add action=reject chain=input comment=DNS dst-port=53 protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=input comment=DNS dst-port=53 protocol=tcp reject-with=icmp-port-unreachable
Code: Select all
/ip firewall filter
add action=drop chain=input comment=DNS dst-port=53 protocol=udp
add action=drop chain=input comment=DNS dst-port=53 protocol=tcp
add action=drop chain=foward comment=DNS dst-port=53 protocol=udp
add action=drop chain=foward comment=DNS dst-port=53 protocol=tcp
Re: drop all dns request from Internet to my network
Dropping port 53 is really insufficient. Get inspiration from documentation:
https://wiki.mikrotik.com/wiki/Manual:I ... c_examples
https://wiki.mikrotik.com/wiki/Manual:I ... c_examples
Who is online
Users browsing this forum: Bing [Bot] and 35 guests