hi all.
I need help with making script for my firewall.
I track all traffic on suspicious ports (for known viruses). If some client has one of those viruses, the packet is dropped, and its IP address is entered into the address-list named “virus”, for example:
;;; Drop Blaster Worm:
chain=virus protocol=tcp dst-port=445 action=add-src-to-address-list address-list=virus address-list-timeout=1w
chain=virus protocol=tcp dst-port=445 action=drop
This works fine. After such an incident the user is banned for 48h, by disabling its “accept” rule in the “internet” chain. I would like to automate this process. For example, let’s say IP 192.168.8.15 has a virus:
How can I write a script which would read all addresses from the address-list “virus” and do either of the following:
- Disable rule
chain=internet src-address=192.168.8.15 action=accept
or
- Enter a new rule, put it on the top of the chain internet, and delete it after 48h.
chain=internet src-address=192.168.8.15 action=drop
Is any of the above possible?
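A RouterOS script that does both things asked for, added here as an example and not code from the post or from MikroTik. It keeps the chain name "internet" and the address-list "virus" from the post; the second address-list "banned", the rule comment "auto-ban" and the scheduler name are names assumed for this example. For the 48h expiry it swaps the per-IP drop rule for one static drop rule matching src-address-list=banned, so that the entry's own timeout=2d does the removal.

```routeros
# Added example, not from the original post. Run it every few minutes from the scheduler:
#   /system scheduler add name=virus-ban interval=5m on-event=virus-ban-script
# (script saved under /system script as "virus-ban-script"; names are assumed here)
#
# One-time setup: a single drop rule at the top of chain "internet" enforces the ban.
# Addresses in "banned" expire after 48h (timeout=2d), so no rule ever needs deleting.
#   /ip firewall filter add chain=internet src-address-list=banned action=drop \
#       place-before=0 comment="auto-ban"

:foreach entry in=[/ip firewall address-list find list="virus"] do={
    :local addr [/ip firewall address-list get $entry address]

    # Option 1 from the post: disable the client's own accept rule in chain "internet"
    :foreach rule in=[/ip firewall filter find chain="internet" src-address=$addr \
                       action=accept disabled=no] do={
        /ip firewall filter set $rule disabled=yes
        :log warning ("virus-ban: disabled accept rule for " . $addr)
    }

    # Option 2 from the post: put the address into "banned" for 48h, skipping
    # addresses that are already listed so the add does not fail on a duplicate
    :if ([:len [/ip firewall address-list find list="banned" address=$addr]] = 0) do={
        /ip firewall address-list add list="banned" address=$addr timeout=2d \
            comment="virus-ban"
        :log warning ("virus-ban: dropping traffic from " . $addr . " for 48h")
    }
}
```

Note that the "virus" entries from the post live for 1w, so a host whose entry is still present when its 48h ban expires is banned again on the next run; shorten address-list-timeout in the virus chain if the ban should really end after 48h. Re-enabling the accept rules disabled under option 1 is not automated here, since it would need the disable time stored somewhere (e.g. in the rule comment).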