Firewall

WIP

Add a rule

Allow TCP traffic from 10.10.1.12 arriving on interface ether4 to 10.10.2.24 leaving on interface ether5, destination port 443.

ip firewall filter add chain=forward action=accept protocol=tcp src-address=10.10.1.12/32 dst-address=10.10.2.24/32 in-interface=ether4 out-interface=ether5 dst-port=443 log=no comment="Comment"

Add a rule in a specific place (place-before takes the position number shown by print; positions shift whenever a rule is added or removed, so check with print first)

ip firewall filter add place-before=60 chain=forward action=passthrough

Search rule

ip firewall filter print where comment="something"

Remove

ip firewall filter remove numbers=63

Show counters

ip firewall filter print stats

Show current connections

ip firewall connection print

Filter (the ~ operator is a regular-expression match, so a dot in the pattern matches any character, not only a literal dot)

ip firewall connection print where src-address="192.168.1.54:80" protocol="tcp" dst-address="192.168.1.98:45653"
ip firewall connection print where src-address ~"192.168.1.54:"
ip firewall connection print where src-address ~"192.168.1.54"
ip firewall connection print where src-address ~"192.168.1."
ip firewall connection print where src-address ~"192.168."

Port knocking

/ip firewall filter add action=add-src-to-address-list address-list="step1" address-list-timeout=30s chain=input dst-port=9000 protocol=tcp

/ip firewall filter add action=add-src-to-address-list address-list="step2" address-list-timeout=30s chain=input dst-port=6000 protocol=tcp src-address-list="step1"

/ip firewall filter add action=add-src-to-address-list address-list="step3" address-list-timeout=30s chain=input dst-port=3000 protocol=tcp src-address-list="step2"

# Add as many steps as you want; each step only matches sources already in the previous step's list

/ip firewall filter add chain=input src-address-list="step3" action=accept

# Final rule: everything else reaching the input chain is dropped, including sessions that were not whitelisted by the knock
/ip firewall filter add action=drop chain=input
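Because rule positions change, a more robust way to place and manage rules is to tag them with comments and look them up with [find comment=...]. The following is an added example, not part of the original page: it rebuilds the knock sequence above with comments (the comment strings and the log prefix are assumed), inserts a logging rule above the accept for detection, and shows how to inspect and remove the set by comment.

```routeros
# Added example (not from the page): comments make rules addressable by name instead of by position.
# Same knock sequence as above, with assumed comment strings.
/ip firewall filter add chain=input protocol=tcp dst-port=9000 action=add-src-to-address-list address-list=step1 address-list-timeout=30s comment="knock-step1"
/ip firewall filter add chain=input protocol=tcp dst-port=6000 src-address-list=step1 action=add-src-to-address-list address-list=step2 address-list-timeout=30s comment="knock-step2"
/ip firewall filter add chain=input protocol=tcp dst-port=3000 src-address-list=step2 action=add-src-to-address-list address-list=step3 address-list-timeout=30s comment="knock-step3"
/ip firewall filter add chain=input src-address-list=step3 action=accept comment="knock-accept"
/ip firewall filter add chain=input action=drop comment="input-drop-all"

# Log every completed knock, inserted directly above the accept rule by comment lookup.
# Without place-before the new rule would land after the drop and never match.
/ip firewall filter add chain=input src-address-list=step3 action=log log-prefix="knock-ok " place-before=[find comment="knock-accept"]

# Who is currently at each stage of the knock (entries expire after the 30s timeout)
/ip firewall address-list print where list~"^step"

# Hit counters for the knock rules only
/ip firewall filter print stats where comment~"^knock"

# Remove the whole knock set by comment instead of by rule number
/ip firewall filter remove [find comment~"^knock"]
```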
Filter by exclusion

/ip firewall connection print where src-address !="192.168.1.25:2222" and dst-address !="192.168.1.18:54926"