    /ip firewall address-list

Then you can use this list in any rule in any chain of any table of the firewall. It's especially helpful because without the address list, if you have nat rules and filter rules and masquerade rules all having to do with the same set of addresses, if you add or remove any addresses from the set, then you'd have to go update all of your chains. If all of the chains refer to the same address list, changing the address list immediately affects all of the rules which refer to it.

You match an address list in your rules by using the criteria: src-address-list=blacklist or dst-address-list=blacklist

In Winbox / Webfig, the address list matchers are in the 'advanced' tab.

So for instance, to accomplish what the original poster asked, you would add the offending IP address to the blacklist and have a rule in the input chain:

    ip firewall filter add chain=input src-address-list=blacklist action=drop

I rarely use the output chain in Mikrotiks, but this is one place I will do it:

    ip firewall filter add chain=output dst-address-list=blacklist action=drop

However, this firewall 'mode' is not the best for a secure filter. It allows everything except specific exceptions (blocked hosts) which you must manually detect and react to.