Which sequence configures SSH to listen on port 2222 and restrict access to 192.168.0.0/24 while dropping others?

• A. /ip service ssh set port=2222; /ip firewall filter add chain=input src-address=192.168.0.0/24 protocol=tcp port=2222 action=accept; /ip firewall filter add chain=input protocol=tcp port=2222 action=drop
• B. /ip service ssh set port=2222; /ip firewall filter add chain=input src-address=192.168.0.0/24 protocol=tcp port=2222 action=deny; /ip firewall filter add chain=input protocol=tcp port=2222 action=accept
• C. /ip service ssh set port=2222; /ip firewall filter add chain=input src-address=0.0.0.0/0 protocol=tcp port=2222 action=accept; /ip firewall filter add chain=input protocol=tcp port=2222 action=drop
• D. /ip service ssh set port=2222; /ip firewall filter add chain=input src-address=192.168.0.0/24 protocol=tcp port=2222 action=accept; /ip firewall filter add chain=input protocol=tcp port=2222 action=drop

Answer: (A)

The sequence works because it tightens SSH access by port and source, and relies on rule order. First, you configure SSH to listen on the non-standard port 2222. Then you add a rule that allows only the 192.168.0.0/24 network to reach port 2222. Finally, you add a drop rule for port 2222 that applies to all other sources. Since firewall rules are evaluated from top to bottom, the allowed subnet will be accepted by the first rule, and the subsequent drop rule will catch any other source addresses trying to reach port 2222, effectively denying them.

This approach ensures SSH is reachable only from 192.168.0.0/24 while all other sources are blocked. The other options either block the allowed subnet, allow everyone, or place the drop in a way that would override the intended restriction.