Block all outbound ports except DNS, Http and Https
Posted: Tue May 26, 2015 2:35 pm
by monkeybike
Hi All,
Very new to MikroTik, but I have used other firewalls in the past, so I have the basic concepts.
What I want to do is:
Block all outbound ports except DNS queries, HTTP and HTTPS on my WiFi LAN hotspot, which I am running on ethernet 5.
So the way the unit is set:
Ethernet 1 is WAN (internet connection)
Ethernet 2 is LAN (192.168.1.0/24)
Ethernet 5 is a WiFi LAN hotspot on 10.1.0.0/24
I want Ethernet 5 to be really restricted in terms of what it can go out and do.
Would also ideally like to block torrenting, if that's possible.
I use Winbox, but have been doing some terminal commands.
Regards
Richy
Re: Block all outbound ports except DNS, Http and Https
Posted: Wed May 27, 2015 3:43 pm
by dgnevans
To block all IP traffic except the ones you listed:
ip firewall filter
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=udp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=80
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=443
add chain=forward action=accept connection-state=established protocol=tcp
add chain=forward action=drop src-address=10.1.0.0/24 dst-address=0.0.0.0/0
The top two rules will allow DNS traffic, number 3 HTTP and number 4 HTTPS. All other traffic from the 10.1.0.0/24 network will be blocked.
I have found that if you configure your firewall filter rules to allow only the normal ports that are used (HTTP, FTP, SMTP, SSMTP, etc.), then torrent applications don't work. If you want an idea, I can post a copy of my firewall filter.
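To see what those six rules actually do to different kinds of traffic, here is a small Python model added to this thread (it is not MikroTik code and not from the poster). It parses the rules exactly as posted and applies RouterOS filter semantics: rules are checked top to bottom, the first match decides, and a packet that reaches the end of a chain is accepted. The addresses, the resolver at 198.51.100.53 and the "established" connection state of the reply packets are all constructed for the example.

```python
"""Model of first-match evaluation for the six forward-chain rules in the reply.

Added example, not MikroTik code: it parses the rules as posted and applies
RouterOS firewall semantics (rules checked top to bottom, first match decides,
a packet reaching the end of a chain is accepted) to constructed packets.
"""
import ipaddress

# The rules exactly as posted in the reply above.
RULES_TEXT = """
/ip firewall filter
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=udp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=80
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=443
add chain=forward action=accept connection-state=established protocol=tcp
add chain=forward action=drop src-address=10.1.0.0/24 dst-address=0.0.0.0/0
"""


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; other lines are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def matches(rule, packet):
    """True when every matcher present in the rule agrees with the packet."""
    if rule.get("chain") != packet["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != packet["protocol"]:
        return False
    for key in ("src-address", "dst-address"):
        if key in rule:
            network = ipaddress.ip_network(rule[key], strict=False)
            if ipaddress.ip_address(packet[key]) not in network:
                return False
    if "dst-port" in rule and int(rule["dst-port"]) != packet["dst-port"]:
        return False
    if "connection-state" in rule and rule["connection-state"] != packet["connection-state"]:
        return False
    return True


RULES = parse_rules(RULES_TEXT)


def decide(src, dst, protocol, dst_port, state="new"):
    """Return (action, index of the rule that matched); index None means the
    packet fell off the end of the chain and was accepted by default."""
    packet = {
        "chain": "forward",
        "protocol": protocol,
        "src-address": src,
        "dst-address": dst,
        "dst-port": dst_port,
        "connection-state": state,
    }
    for index, rule in enumerate(RULES):
        if matches(rule, packet):
            return rule["action"], index
    return "accept", None


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    samples = [
        ("hotspot -> resolver, UDP/53 (DNS query)", ("10.1.0.5", "198.51.100.53", "udp", 53)),
        ("hotspot -> web server, TCP/443", ("10.1.0.5", "203.0.113.9", "tcp", 443)),
        ("hotspot -> peer, TCP/6881 (typical torrent port)", ("10.1.0.5", "203.0.113.77", "tcp", 6881)),
        ("hotspot -> peer, UDP/6881", ("10.1.0.5", "203.0.113.77", "udp", 6881)),
        ("web server -> hotspot, established TCP reply", ("203.0.113.9", "10.1.0.5", "tcp", 51234, "established")),
        ("resolver -> hotspot, established UDP reply", ("198.51.100.53", "10.1.0.5", "udp", 51234, "established")),
        ("wired LAN -> anywhere, TCP/22 (not a hotspot address)", ("192.168.1.10", "203.0.113.9", "tcp", 22)),
    ]
    for label, args in samples:
        action, index = decide(*args)
        where = "rule %d" % index if index is not None else "end of chain"
        print("%-55s %s (%s)" % (label, action, where))
```

Two things the model makes visible that are easy to miss when reading the rules. First, the established-connection rule only covers TCP, so the UDP DNS replies back to the hotspot are accepted only because nothing else matches them and the chain ends in an implicit accept; adding a generic drop at the bottom of the forward chain later (a common hardening step) would silently break the hotspot's DNS unless that rule is changed to cover UDP as well. Second, the drop rule is keyed on src-address=10.1.0.0/24, so the wired LAN on ethernet 2 is not restricted by this set at all, which matches what the original poster asked for but is worth knowing when the rules are reused elsewhere.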
Re: Block all outbound ports except DNS, Http and Https
Posted: Thu May 28, 2015 12:13 pm
by monkeybike
Thanks DG
That worked a treat.
Richy
Re: Block all outbound ports except DNS, Http and Https
Posted: Sun May 02, 2021 2:22 am
by fctaddia
To block all IP traffic except the ones you listed:
ip firewall filter
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=udp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=53
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=80
add chain=forward action=accept protocol=tcp src-address=10.1.0.0/24 dst-address=0.0.0.0/0 dst-port=443
add chain=forward action=accept connection-state=established protocol=tcp
add chain=forward action=drop src-address=10.1.0.0/24 dst-address=0.0.0.0/0
The top two rules will allow DNS traffic, number 3 HTTP and number 4 HTTPS. All other traffic from the 10.1.0.0/24 network will be blocked.
I have found that if you configure your firewall filter rules to allow only the normal ports that are used (HTTP, FTP, SMTP, SSMTP, etc.), then torrent applications don't work. If you want an idea, I can post a copy of my firewall filter.
I have the problem that torrents no longer work, even though several years have passed; it would be useful if I could turn over your configuration.
Re: Block all outbound ports except DNS, Http and Https
Posted: Tue Jun 20, 2023 6:55 pm
by sebus46
Either allow access from your torrent machine by IP or MAC, or figure out all the ports that torrent requires and allow them instead.
Just a tiny bit of logic
Re: Block all outbound ports except DNS, Http and Https
Posted: Tue Jun 20, 2023 6:58 pm
by rextended
Just a tiny bit of logic
Surely that user waited for you, two years and a month later, for you to reply.
Don't resurrect posts in such a useless way,
just a tiny bit of logic.
Re: Block all outbound ports except DNS, Http and Https
Posted: Wed Jun 21, 2023 4:42 am
by anav
hahaha, how far back would one have to look to even find that thread.....................