Blacklist Port scanners still allowing traffic to NAT rule

I’m trying to blacklist any port scanners. I identify them and put them into an address list with:

/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add port scanners to list " log=yes log-prefix=\
    "Portscan: " protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Blacklist port scanner traffic" in-interface=ether1-gateway src-address-list="port scanners"

These are rules 1 and 2.

Yet when I test, those on the blacklist can still access my NAT-ruled items, e.g.:

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list=host_publicIP dst-address-type=local \
    dst-port=80 protocol=tcp to-addresses=10.0.8.181 to-ports=80

I know I can add to the NAT rule a

src-address-list="!xPort scanners"

that will stop them on that single rule but then I have to make sure it’s on every NAT rule I have. Is there another/better way to make sure if you are on the address list you are dead to me no matter what?

Use raw filters

Perfect, thx!

For those following in my footsteps (I think I’ve thought this through and made sure I don’t blacklist myself in case I scan the firewall from internal IPs), all you need is:

/ip firewall filter
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="Add port scanners to list " in-interface=ether1-gateway log=yes log-prefix="Portscan: " \
    protocol=tcp psd=21,3s,3,1
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1-gateway src-address-list="Port scanners"
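To make the reason for the raw rule explicit, here is an added model (not from the thread or from MikroTik) of the order in which RouterOS walks a packet through raw/prerouting, dstnat, the routing decision and then filter/input or filter/forward; the router IP 203.0.113.10 and scanner IP 198.51.100.7 are constructed, the dst-nat target 10.0.8.181 is the one from the thread.

```python
# Added example: minimal model of the RouterOS packet path, showing why a
# drop in filter/input never sees dst-nat'd traffic (it goes to forward),
# while a drop in raw/prerouting runs before NAT and catches it.
ROUTER_IP = "203.0.113.10"      # constructed public address of the router
LAN_HOST = "10.0.8.181"         # dst-nat target used in the thread
BLACKLIST = {"198.51.100.7"}    # constructed entry of the "Port scanners" list


def route_packet(src, dst, dport, raw_drop, input_drop):
    """Walk one TCP packet through the chains in their real order.

    raw_drop   -- True if a raw/prerouting drop on the blacklist exists
    input_drop -- True if a filter/input drop on the blacklist exists
    Returns 'dropped-raw', 'dropped-input', 'accepted-input' or 'forwarded'.
    """
    # 1. raw prerouting: evaluated before connection tracking and before NAT
    if raw_drop and src in BLACKLIST:
        return "dropped-raw"

    # 2. dstnat: the thread's rule maps public-IP:80 to the LAN host
    if dst == ROUTER_IP and dport == 80:
        dst = LAN_HOST

    # 3. routing decision: is the (possibly translated) destination the router?
    if dst == ROUTER_IP:
        # 4a. filter/input: only packets addressed to the router itself
        if input_drop and src in BLACKLIST:
            return "dropped-input"
        return "accepted-input"

    # 4b. filter/forward: dst-nat'd packets land here, so the input drop
    #     in the original rule set never matches them
    return "forwarded"


def compare_rule_sets(src, dst, dport):
    """Return (original result, raw-filter result) for the same packet."""
    return (
        route_packet(src, dst, dport, raw_drop=False, input_drop=True),
        route_packet(src, dst, dport, raw_drop=True, input_drop=False),
    )
```

The input-chain rule still blocks the scanner when it talks to the router itself; only traffic that dstnat redirects to the LAN slips past it.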