Do not send RST/ACK on closed port

Hi,
How can I configure RouterOS to not automatically send RST/ACK to a remote host which is trying to connect to a closed port?

P.S.
I don’t want to use an additional drop rule in the firewall.

Thanks

Maybe you are looking for action=tarpit?

tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)

Hi,
I’m looking for a global RouterOS configuration something like this on FreeBSD (for TCP and UDP):

net.inet.tcp.blackhole=2
net.inet.tcp.blackhole defines what happens when a TCP packet is received on a closed port. When set to ‘1’, SYN packets arriving on a closed port will be dropped without a RST packet being sent back. When set to ‘2’, all packets arriving on a closed port are dropped without an RST being sent back. This saves both CPU time because packets don’t need to be processed as much, and outbound bandwidth as packets are not sent out.

net.inet.udp.blackhole=1
net.inet.udp.blackhole is similar to net.inet.tcp.blackhole in its function. As the UDP protocol does not have states like TCP, there is only a need for one choice when it comes to dropping UDP packets. When net.inet.udp.blackhole is set to ‘1’, all UDP packets arriving on a closed port will be dropped.

Cheers
Hi,

This does not emulate FreeBSD 100%, but you’re wanting action=drop instead of action=reject in your firewall filter rules. This will not send a RST in response to a closed port.

Tarpit does not send an RST; it silently drops the connection, while the initiator thinks the connection is actually open.

even more: it will send ACK =)

Can I post here an animation GIF?
People seem not to have enough patience to read and understand what is written.

There is no such setting in Linux. It’s a FreeBSD setting. RouterOS is based on Linux, so it doesn’t have that option either. The closest thing is ‘drop’ in the firewall rules of iptables.

Test it by going to any Linux machine and running “sysctl -a | grep blackhole”, or digging through that filtered for “tcp”. There’s no such option.
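As an added illustration (not part of any post in this thread, and not MikroTik's own documentation), the rules below put the three RouterOS filter actions discussed in the replies side by side: action=reject with reject-with=tcp-reset (the RST the original poster wants to suppress), action=drop (the closest match to FreeBSD's net.inet.tcp.blackhole=2 and net.inet.udp.blackhole=1, as the last two replies say), and action=tarpit (which answers the SYN with SYN/ACK rather than dropping it). The interface name ether1 and the address list allowed-admins are assumptions.

```routeros
# Added example: RouterOS /ip firewall filter rules, not from any post in this thread.
# Assumptions: WAN interface is "ether1"; management hosts are in address list "allowed-admins".

/ip firewall filter

# Rules are evaluated top to bottom, so keep the accept rules ahead of the drop.
add chain=input connection-state=established,related \
    action=accept comment="keep existing sessions working"
add chain=input in-interface=ether1 src-address-list=allowed-admins \
    action=accept comment="management access from known hosts"

# (a) What the original poster wants to avoid: an explicit reset.
#     RouterOS answers the SYN with TCP RST (the RST/ACK the remote host sees).
#     Kept disabled here so it never fires; shown only for comparison.
add chain=input in-interface=ether1 protocol=tcp connection-state=new \
    action=reject reject-with=tcp-reset disabled=yes comment="reject: sends RST"

# (b) Silent drop: no RST and no ICMP port-unreachable leaves the router.
#     This is the RouterOS counterpart of FreeBSD blackhole=2 (TCP) and blackhole=1 (UDP).
add chain=input in-interface=ether1 protocol=tcp connection-state=new \
    action=drop comment="drop TCP silently (no RST)"
add chain=input in-interface=ether1 protocol=udp \
    action=drop comment="drop UDP silently (no ICMP port-unreachable)"

# (c) Tarpit alternative for TCP: replies SYN/ACK and holds the half-open connection,
#     so the initiator believes the port is open. Not the same as blackhole; disabled here.
add chain=input in-interface=ether1 protocol=tcp connection-state=new \
    action=tarpit disabled=yes comment="tarpit: replies SYN/ACK, does not send RST"
```

Without a drop rule the Linux kernel under RouterOS answers a SYN to a non-listening port with RST (and a UDP datagram with ICMP port-unreachable) on its own, which is why the replies point at the firewall rather than a global setting. Verify the order and which rules are active with `/ip firewall filter print`.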

Fair enough,
thanks