Deny outside access to proxy

I have the following config on MT that I don't understand entirely:

/ip firewall filter
add action=add-src-to-address-list address-list=ExternalWebProxyUserAccess \
    address-list-timeout=4d3h chain=input comment="for outside packets to 8080, add address to list, log, block all future access from that address, 3 rules" \
    disabled=no dst-port=8080 in-interface=WAN protocol=tcp
add action=drop chain=forward comment="Deny access to proxy from Internet" \
    disabled=no dst-port=8080 in-interface=WAN protocol=tcp
add action=drop chain=input comment="Deny access to proxy from Internet" \
    disabled=no dst-port=8080 in-interface=WAN protocol=tcp
add action=drop chain=input comment="" disabled=no in-interface=WAN \
    src-address-list=ExternalWebProxyUserAccess

As I understand it:
the first one adds the outside IP to the list from the input chain
the second one I'm not sure about
the third one drops that connection in the input chain
the fourth one drops any connection from the list

Why all this?
Isn't something like this enough:

add action=drop chain=input comment="Deny access to proxy from Internet" \
    disabled=no dst-port=8080 in-interface=WAN protocol=tcp

Yes, for blocking only the proxy it’s enough.

But usually, scanners try different ports; they try not only 8080 but all "standard" ports (80, 443, 125, 5060, 53, etc.). So there is a chance that the same people/bot will try to scan all your ports. This is where blocking all traffic from the "banned IP" makes sense.

Thanks, that makes sense, but if this is the goal, why not drop all packets from this address in the future, not only on the input chain?
Something like this:
/ip firewall filter
add action=add-src-to-address-list address-list=ExternalWebProxyUserAccess \
    address-list-timeout=4d3h chain=input comment="for outside packets to 8080, add address to list, log, block all future access from that address, 3 rules" \
    disabled=no dst-port=8080 in-interface=WAN protocol=tcp

add action=drop chain=input comment="" disabled=no in-interface=WAN \
    src-address-list=ExternalWebProxyUserAccess

add action=drop chain=forward comment="" disabled=no in-interface=WAN \
    src-address-list=ExternalWebProxyUserAccess

And why rule no. 3? Rule 4 will drop any packet regardless of port (we already added that IP to the list in rule 1).
Why is the IP added to the list only on the input chain? Why not on the forward chain too? Rule 2 drops packets from the Internet to 8080 passing through the forward chain, but there is no rule to add that IP to the list.

Because when you get hit by a scan, the target is “your” IP. There is no forwarding/routing involved, the packets are directly for your machine, therefore the input chain.

I’d actually take this kind of config one step further (but I don’t know MT well enough to give a specific configuration).

I'd have specific allows from outside to the WAN IP for the services I'm publishing internally, and then I'd have a deny-all rule with some kind of hit counter per specific IP.
If an IP does a port scan (i.e., triggers the deny-all more than, say, 10 times in a couple of seconds) then it gets added to a "bad IP" list, which, right near the top of the rule set, does a discard-all from that IP. So chances are pretty good they'll never actually find your open ports, and even if they do, they'll get blocked off from them pretty quickly... :smiley:
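As an added example (not posted by anyone in this thread, and not a MikroTik-supplied config), here is a RouterOS filter set that puts the two ideas above together: the listed-address drop sits first in both the input and forward chains, as proposed in the follow-up question, and the "hit counter" from the last reply is implemented with RouterOS's built-in `psd` port-scan matcher rather than a literal per-IP counter, since RouterOS has no such counter in the filter table. The interface name `WAN`, the list name `Blocked`, the published services (IKE on the router, a dst-nat'd web server behind it) and the `psd` thresholds are assumptions chosen for the illustration; adjust them to the router in question. Rules are evaluated top to bottom in the order they are added.

```routeros
/ip firewall filter
# 0. Drop anything already flagged, first in both chains, so a listed host
#    never reaches the allow rules below (the "right near the top" placement).
add chain=input   action=drop in-interface=WAN src-address-list=Blocked comment="drop flagged hosts"
add chain=forward action=drop in-interface=WAN src-address-list=Blocked comment="drop flagged hosts"

# 1. Connection tracking: replies to our own connections and to published
#    services are accepted here; nothing below is ever evaluated for them.
add chain=input   action=accept connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=input   action=drop   connection-state=invalid
add chain=forward action=drop   connection-state=invalid

# 2. Explicit allows from the Internet to the WAN IP for published services
#    (assumed examples: IPsec/IKE on the router, a dst-nat'd web server).
add chain=input   action=accept in-interface=WAN protocol=udp dst-port=500,4500 comment="IKE/IPsec to router"
add chain=forward action=accept in-interface=WAN protocol=tcp dst-port=80,443 \
    connection-nat-state=dstnat comment="published web server"

# 3. Proxy trap: any new outside connection to 8080 flags the source for 4d3h.
#    add-src-to-address-list is a passthrough action, so the packet continues
#    down the chain and is dropped by the default deny in step 5.
add chain=input action=add-src-to-address-list address-list=Blocked \
    address-list-timeout=4d3h in-interface=WAN protocol=tcp dst-port=8080 \
    connection-state=new comment="outside probe of proxy port"

# 4. Port-scan detection on whatever was not explicitly allowed above.
#    psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight: here a
#    source that touches enough distinct ports within 3s to reach weight 21
#    (low ports count 3, high ports count 1) is flagged the same way.
add chain=input action=add-src-to-address-list address-list=Blocked \
    address-list-timeout=4d3h in-interface=WAN protocol=tcp psd=21,3s,3,1 \
    comment="tcp port scan"

# 5. Default deny for everything else arriving from the Internet.
add chain=input   action=drop in-interface=WAN comment="default deny WAN -> router"
add chain=forward action=drop in-interface=WAN connection-nat-state=!dstnat \
    comment="default deny WAN -> LAN"
```

Two points worth checking after pasting this in: `/ip firewall address-list print where list=Blocked` shows who has been flagged and when the entry expires, and the counters on the two rules in step 0 should be the ones growing once a scanner has been caught, while the rules in steps 3 and 4 stop matching that source, which is exactly why the earlier thread's rule 3 (a plain drop on 8080) adds nothing once the list-based drop is in place. The `psd` matcher is a heuristic; a slow scan spread over minutes will not trip it, and the 8080 trap in step 3 is what catches that case for the proxy port specifically.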