Hey Guys,
Just wondering if there’s any way to set an address-list timeout via a script?
Seems as though you can do it fine via the firewall rules, but there’s no option to do so in the add command (via terminal or script).
Regards,
Omega-00
yup, joining the feature request: possibility to add (at least via API, maybe scripting also =) ) dynamic address list items (I’d like not to write them to the disk; my program will recreate them in a minute even in case of reboot). Also, I can’t find a way to see the actual timeout of an entry…
It would be nice if you both could give some examples of where to use these static/dynamic entries that will time out, where you cannot remove them when necessary after some time.
Actually, I’d like to see the possibility to create dynamic entries, even without timeouts, because we use USB flash sticks to boot up our routers, and I don’t want to write all address list changes to them. Even if the router is rebooted (maybe once or twice a year), our management software will populate those lists in a few minutes, and that downtime isn’t worth everyday writes to the flash.
p.s. about timeouts - I’d like to see how long ago the user was added to the ‘blocked’ list )))
As a workaround you can add an entry with some comment on it, to remove it later by script.
Entries with timeouts are added via firewall rules… so no way =)
Hey Janis,
Are you asking for specific cases that would require it?
If so: http://forum.mikrotik.com/t/draft-ipv6-authentication-for-hotspots/38359/1 (Wow this guy is awesome, what a great script right? )
Would be really helpful if I could assign dynamic address list entries for any ipv6 addresses seen locally by the router.
In this case I’m already using the comment field to store the MAC address, however, so I’ll work on storing a time value in there along with it and scrape the time data from it periodically.
Your point is valid; however, wouldn’t it make just as much sense to use the pre-existing ability to remove address-list entries rather than running / scheduling my own for everything?
Side notes re IPv6 address list:
[admin@Router] > ipv6 firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 test 2001:470:8902:1::2/128
[admin@Router] > ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 D ssh_blacklist 94.102.9.202
Will the ipv6 address-list continue to have the mask applied to single addresses?
Just noticed it when writing the above script, so when comparing addresses to the address list I have to include the /128 in my code explicitly to match them.
It also would appear that the new IPv6 address-list doesn’t support ranges; will this be added in future?
Using ranges in IPv6 does not make much sense, because for customers you will use advertise most of the time, and the address will be EUI-64 standard, so what ranges would you enter there? You can simply use networks of /64 addresses, as that is what you have to assign to one customer.
And back to adding addresses to the list - there is one weird way to add dynamic address-list entries:
yeah, I was thinking about such a setup for making a NET where the client gets the internet directly, but must be authorized via some agent program running on his computer ))
then one more feature request - ‘action=remove-from-address-list’
but it would be much nicer if we can do it via API…
Well, the problem with remove is that it is much, much more expensive than addition, and you want your firewall to work super fast. And here lies the problem: adding dynamic remove will slow things down and, if used improperly, which it will be, it will cause more grief than benefit to anyone.
That is why you can somehow work around it and add dynamic entries through the firewall with a time-out, so entries “remove themselves”, and do removal with some fancy script that you run once a minute. Thus you maintain approximately what is needed and still have a fast firewall.
I’m not sure what will be more expensive: either deleting 1 entry per minute, or “refreshing” 1000 entries per minute %)
Anyway, it’s fun, not more. Can we expect something like /ip firewall address-list add dynamic=yes? Is it so hard not to write changes to the disk? =)
Good point; will the new IPv6 hotspot have the ability to assign dynamic prefixes (e.g. a /64 range) per user?
If an added feature to the firewall may be used improperly, you might put a big warning on the Wiki about misuse of that particular feature. I would also like to see a remove-from-address-list action in the firewall. Options are always good; just make sure users are informed of its pros and cons (same as the layer7 warning about intensive CPU usage if used improperly).
I’ve been using the comment field for an array of settings (e.g. “time=,setting2=value,setting3=value”). For now, this allows me to capture the settings of a particular address list entry. This does write to disk, though, and won’t work on dynamic entries (I don’t think dynamic entries can have comments).
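The comment-field workaround mentioned above (a time value stored in the comment, a script that later removes the entry) can be scripted on RouterOS. The following is an added example written for this thread, not code from any poster or from MikroTik. It assumes a list called "abuse", script and scheduler names of my own choosing, a constructed sample address, and that the comment is a comma-separated "key=value" list as in the post above; the deadline is stored as router uptime so no date arithmetic is needed.

```routeros
# Added example (not from the thread or from MikroTik): static address-list
# entries with an "expires=<uptime>" field in the comment, purged by a
# scheduled script. List name "abuse", the names expire-abuse and
# flush-abuse-on-boot, and the address 10.1.2.3 are all assumed.

# ---- part 1: run by hand or from management software to list one host ----
# constructed sample address and the time it should stay listed
:local addr "10.1.2.3"
:local ttl 30m
# deadline expressed as router uptime (a time value), so it can be compared
# later with a plain "<" and re-parsed with :totime
:local deadline ([/system resource get uptime] + $ttl)
/ip firewall address-list add list=abuse address=$addr comment=("expires=" . [:tostr $deadline] . ",reason=p2p-abuse")

# ---- part 2: body of "/system script add name=expire-abuse source=..." ----
# walks the list and removes every entry whose expires= field is older than
# the current uptime; entries without the field are left untouched
:local now [/system resource get uptime]
:foreach i in=[/ip firewall address-list find list=abuse] do={
    :local c [:tostr [/ip firewall address-list get $i comment]]
    :local p [:find $c "expires="]
    :if ([:typeof $p] != "nil") do={
        # value starts after "expires=" and ends at the next comma, if any
        :local v [:pick $c ($p + 8) [:len $c]]
        :local q [:find $v ","]
        :if ([:typeof $q] != "nil") do={ :set v [:pick $v 0 $q] }
        :if ([:totime $v] < $now) do={ /ip firewall address-list remove $i }
    }
}

# ---- part 3: scheduling ----
# once a minute, purge expired entries
/system scheduler add name=expire-abuse interval=1m on-event="/system script run expire-abuse"
# after a reboot uptime restarts from zero, so uptime-based deadlines would be
# honoured for far too long; flush the list at startup instead and let the
# management software repopulate it, as the poster above already expects
/system scheduler add name=flush-abuse-on-boot start-time=startup interval=0 on-event="/ip firewall address-list remove [find list=abuse]"
```

Each part goes to a different place: part 1 is whatever adds a host, part 2 is saved as the script named in the scheduler, part 3 is entered once. The purge script ignores entries without an expires= field, so permanent entries can share the list; the price of this approach is exactly the one the thread complains about, every add and remove is a static change and therefore a disk write.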
I can give you an example of where adding a timeout feature to a firewall address list, without it being dynamic, would help.
We are running hotspots, and sometimes end users fly below some of our filter rules that block abuse, usually by setting their P2P software to a lower connection limit. We would like to add these users to the “abuse” list for a limited time, but don’t want to leave them in there, as their DHCP lease can change, or they can check out and someone else will pick up the DHCP lease.
Right now the only way we can do that is to make a firewall rule with their IP address listed and with the action of adding them to the address list with a timeout. Then, after they pass traffic and are added to the list, remove the rule. It would be much simpler if we could just add an address to the list and set a timeout for that address.
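The two-step workaround just described (temporary rule with a timeout, remove the rule once the entry exists) can be automated so that nobody has to come back for the rule. This is an added example for the thread, not code from the poster or from MikroTik; it assumes a list called "abuse", a constructed sample address, a rule comment and scheduler name prefix of my own, and that the filter table already has at least one rule (place-before=0 fails on an empty table).

```routeros
# Added example (not from the thread or from MikroTik): create a dynamic
# "abuse" entry with a timeout via a temporary filter rule, then remove the
# rule automatically once the entry has appeared. The list name, the
# "tmp-abuse-" prefix and the address 10.1.2.3 are assumed.
:local addr "10.1.2.3"
:local ttl 30m
# one tag identifies both the temporary rule and its cleanup job
:local tag ("tmp-abuse-" . $addr)

# step 1: rule at the top of the forward chain. Until it is removed it fires
# on every packet from the host, which only refreshes the dynamic entry.
/ip firewall filter add chain=forward src-address=$addr action=add-src-to-address-list address-list=abuse address-list-timeout=$ttl comment=$tag place-before=0

# step 2: poll once a minute; when the dynamic entry exists, delete the
# temporary rule and this scheduler. If the host never sends a packet the
# rule stays, and the comment tag makes such leftovers easy to find.
/system scheduler add name=$tag interval=1m on-event=(":if ([:len [/ip firewall address-list find list=abuse address=" . $addr . " dynamic=yes]] > 0) do={ /ip firewall filter remove [find comment=\"" . $tag . "\"]; /system scheduler remove [find name=\"" . $tag . "\"] }")
```

The entry created this way is dynamic, so it carries the timeout the poster wants and causes no disk write; the rule and the scheduler are the static parts, and they exist only until the first packet from the host is seen.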
This is all true, but look at it this way - you can use the firewall to add entries dynamically; you detect these abuses using it, so there is no difference: once detected, the address is added to the list as dynamic with a time-out value set, so make the firewall in a way that the user can attempt abuse every 30 minutes.
About refreshing 1000 or removing one - it is not the case. If you need a static list, it is static and should be there, like secure addresses to connect from, a bogon IP list to drop packets that should not be in the network, etc. If the list is dynamic, just manage it to stay dynamic. If you have some differences, just create several lists that will self-contain them using action=add-src-to-address-list/add-dst-to-address-list.
I mean, the main purpose is NOT to write list changes to disk. Router reboots => lists are cleared => no access for users => BUT! management software fills them in quickly anyway.
4-6 million disk writes in 225 days of uptime… is a big enough number for me =)
Adding dynamic does not change that. What I was saying is that you can already add dynamic entries using firewall filters. These do not generate disk writes.
You mean creating dynamic rules via, for example, the command line should make disk writes? %)
Yeah, you’re right. Why do we need an API at all, if we already have such a nice feature - firewall rules!..
I wouldn’t care if the list is dynamic or not, but having a timeout feature on certain things, such as entries in address lists, would be very nice and useful to us. The main thing that comes to mind is blocking certain people for a specific amount of time. We actually redirect them to a page that lets them know they have been blocked for abuse.
Other areas that we would use a timeout feature would be the following:
1.) Hotspot bypasses for users that couldn’t make it through the login process for whatever reason and needed to be bypassed.
2.) Expiring Simple Queues that were made for the bypass.
3.) Expiring “static” DHCP leases that were made for the bypass.
There are a few other things that I can’t think of off the top of my head.