How can I build a filter rule in the forward chain to match a src IP that tries to connect to one port but on different dst addresses? If a src tries to establish connections on the same port to many different hosts, I need to log it or add it to an address list.
It's to identify users with a worm using remote SMTP to send spam, and I need to identify these clients.
Example:
src IP 192.168.100.33 requests 5 new connections to port 25 on different dst addresses in less than 1 sec; add this src address to an address-list.
Does this rule
/ ip firewall filter
add action=add-src-to-address-list address-list=smtp-flood address-list-timeout=0s chain=forward comment="" connection-state=new \
connection-type="" disabled=no dst-limit=1,5,dst-address/1m40s dst-port=25 protocol=tcp src-address-list=client_ips
do this?
Thanks
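Added example, not part of the original post: an offline check for the behaviour described in the question (one source opening new port-25 connections to 5 different destinations in under 1 second), run over firewall log lines. The log line shape, the sample lines and the names `find_smtp_fanout`, `_syn` and `SAMPLE_LOG` are assumptions made for this example.

```python
import re
from collections import defaultdict, deque

# Assumed line shape: "<epoch seconds> ... proto TCP (SYN), SRC:SPORT->DST:DPORT, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s.*proto TCP \(SYN\), "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def find_smtp_fanout(lines, port=25, min_dsts=5, window=1.0):
    """Return {src: timestamp at which it first reached min_dsts distinct
    destinations on `port` within less than `window` seconds}."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue              # not a new connection to the watched port
        ts, src, dst = float(m["ts"]), m["src"], m["dst"]
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] >= window:
            q.popleft()           # expire connections older than the window
        # Count distinct destinations, so retries to one server do not trigger
        if src not in flagged and len({d for _, d in q}) >= min_dsts:
            flagged[src] = ts
    return flagged

def _syn(ts, src, dst, dport=25):
    # Builds one constructed log line in the assumed shape
    return (f"{ts:.2f} forward: in:ether2 out:ether1, proto TCP (SYN), "
            f"{src}:40000->{dst}:{dport}, len 60")

# Constructed sample: .33 fans out to 5 hosts in 0.4 s, .40 hits one mail
# server repeatedly, .50 reaches 5 hosts over 8 s, .60 fans out on port 80.
SAMPLE_LOG = (
    [_syn(100 + 0.1 * i, "192.168.100.33", f"203.0.113.{10 + i}") for i in range(5)]
    + [_syn(100 + 0.1 * i, "192.168.100.40", "198.51.100.5") for i in range(5)]
    + [_syn(101 + 2 * i, "192.168.100.50", f"203.0.113.{20 + i}") for i in range(5)]
    + [_syn(100 + 0.1 * i, "192.168.100.60", f"203.0.113.{30 + i}", 80) for i in range(5)]
)

if __name__ == "__main__":
    for src, ts in find_smtp_fanout(SAMPLE_LOG).items():
        print(f"{src} reached 5 SMTP destinations within 1 s at t={ts}")
```

The distinct-destination count per source is the property the question asks for; a client that only reconnects to its own mail server never reaches the threshold.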