Which sequence implements a basic SSH allow from management workstation only and drop others on the input chain?

• A. /ip firewall filter add chain=input src-address=<management-workstation-ip> protocol=tcp port=22 action=drop
• B. /ip firewall filter add chain=input src-address=<management-workstation-ip> protocol=tcp port=22 action=accept; /ip firewall filter add chain=input action=drop
• C. /ip firewall filter add chain=input src-address=<management-workstation-ip> protocol=tcp port=22 action=accept
• D. /ip firewall filter add chain=input action=drop

Answer: (B)

Rule order and how matches are evaluated in MikroTik firewall are what this tests. In RouterOS, packets are checked against the input chain rules from top to bottom, and the first rule that matches determines the action. To allow SSH only from a specific management workstation and drop everything else, you place an explicit allow rule for that IP and port first, then add a catch-all drop rule for all other input.

This pattern works because the first rule matches SSH (TCP port 22) coming from the management workstation and allows it. Any other input, or SSH attempts from other sources, won’t match the first rule and will be handled by the second rule, which drops all remaining input. So you end up permitting SSH from that single source and blocking everything else on input.

The other options don’t achieve this behavior: one would drop the management workstation’s SSH, which defeats the allow goal; another would allow SSH from the management workstation but wouldn’t block other input traffic; and the last would drop everything on input, including SSH from the management workstation.