Hi!
I have mikrotik between networks 10.0.0.0/24 and 192.168.0.0/24.
By using a firewall, I want to protect networks from scanning live hosts.
Computer from 10.0.0.0/24 subnet initiates scanning by ICMP to hosts in network 192.168.0.0/24.
When it sended 10 ICMP packets to random hosts - I want to block this PC by IP.
Please help to do it.
But how do you define “random hosts”… You can block the ICMP traffic, you can also limit it. In your case you could probably work with ranges of IP addresses. But again, what would be a “random host”…
I see around following design:
#Block scanner IP
chain=forward src-address-list=ScanBlocked action=Drop
#GoToScanCheck
chain=forward out-interface=eth2 protocol=ICMP action=jump jump-target=ScanCheckStage1
#Stage1
chain=ScanCheckStage1 dst-address-list=!dst_stage1 src-address-list=!src_stage1 action=add-src-to-address-list adress-list=src_stage1 address-list-timeout=1m
chain=ScanCheckStage1 dst-address-list=!dst_stage1 src-address-list=!src_stage1 action=add-dst-to-address-list adress-list=dst_stage1 address-list-timeout=1m
chain=ScanCheckStage1 dst-address-list=dst_stage1 src-address-list=src_stage1 action=jump jump-target=ScanCheckStage2
#Stage2
chain=ScanCheckStage2 dst-address-list=!dst_stage2 src-address-list=!src_stage2 action=add-src-to-address-list adress-list=src_stage2 address-list-timeout=1m
chain=ScanCheckStage2 dst-address-list=!dst_stage2 src-address-list=!src_stage2 action=add-dst-to-address-list adress-list=dst_stage2 address-list-timeout=1m
chain=ScanCheckStage2 dst-address-list=dst_stage2 src-address-list=src_stage2 action=jump jump-target=ScanCheckStageN
#LastStage
chain=ScanCheckStageN dst-address-list=!dst_stageN src-address-list=!src_stageN action=add-src-to-address-list adress-list=src_stageN address-list-timeout=1m
chain=ScanCheckStageN dst-address-list=!dst_stageN src-address-list=!src_stageN action=add-dst-to-address-list adress-list=dst_stageN address-list-timeout=1m
chain=ScanCheckStage2 dst-address-list=dst_stage2 src-address-list=src_stage2 action=add-src-to-address-list adress-list=ScanBlocked