filter rule difference?

Can you please tell me the difference between these firewall rules? Will both of them work? Do I get the same result with both of them?

add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w chain=forward connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3

add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=forward connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2

add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=forward connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1

add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=forward connection-state=new dst-port=22 protocol=tcp



add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w chain=forward connection-state=new dst-limit=1/1m,3,dst-address/1m dst-port=22 protocol=tcp

Good question for MTCTCE test pool :smiley:

AFAIK both will do basically the same, BUT the last rule will use dst-address as the criterion; to do the same it should use src-address as the criterion.

I think only its counting is based on dst-address, so 'ignore the first three packets, let the fourth pass, and count every other packet that arrives in the same minute to the same dst-address'.

The first rule set will count all new connections to all dst-addresses together?

Is that correct?


Which rule is recommended?

I think only its counting is based on dst-address, so 'ignore the first three packets, let the fourth pass, and count every other packet that arrives in the same minute to the same dst-address'.

Yes, the problem is that what you want to control (to add to the address list) is the src-address, to block typical SSH brute-force default-password guessing, where a certain IP starts trying and trying passwords; with dst-address as the classifier this could happen (suppose all of them are trying to reach 10.10.10.10:22):

host 1.1.1.1 opens 10.10.10.10 tcp port 22 (count 1)
host 2.2.2.2 opens 10.10.10.10 tcp port 22 (count 2)
host 3.3.3.3 opens 10.10.10.10 tcp port 22 (count 3)
host 4.4.4.4 opens 10.10.10.10 tcp port 22 (count 4)
host 5.5.5.5 opens 10.10.10.10 tcp port 22 (count 5)
host 6.6.6.6 opens 10.10.10.10 tcp port 22 (count 6)

5.5.5.5 and 6.6.6.6 would be added to the address list even if that's their first connection attempt and they were "legit" users.

The first rule set will count all new connections to all dst-addresses together?

Yes, and the second would achieve the same if the dst-limit were by src-address.

Regarding what’s recommended, why use four rules and four address lists if the same can be achieved with just one?

Thank you very much for pointing me to this problem :slight_smile:

I noticed that it is possible to limit by src and dst address. This would only count too many connection attempts to the same dst-address, but would not work if the attacker is changing dst-addresses all the time, right?

That would match when the same source IP connects to the same destination IP. Keep in mind you're using the forward chain, i.e. matching on connections traversing the router. Suppose you have two systems behind the router, 10.10.10.10 and 10.10.10.11. Now let's suppose the host trying to brute-force is 1.1.1.1.

If we were classifying by src and dst address, 1.1.1.1 would get added on its fifth new connection to 10.10.10.10 OR its fifth new connection to 10.10.10.11, but not if it first tries 10.10.10.10 four times and then tries 10.10.10.11 another four times, because it is the src-address/dst-address tuple that is used as the criterion.

That rule is more useful if set on a custom chain, then early in your input and forward chains you jump to the custom one for connections to port tcp/22.

If you use just src-address, it will get blacklisted on its first "try", whether that is against the router itself or host A, B, C or D behind it; it will be added to the address list.

If you are using that address list for blocking on both input and forward, it won't have a chance to keep trying passwords on any system, be it your router or the systems behind your router, as it would already be blacklisted.
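To make the classifier discussion above concrete, here is an added Python model (not RouterOS code and not from the original thread) that replays the two scenarios from the posts: six different hosts each opening one connection to 10.10.10.10:22, and 1.1.1.1 splitting four attempts against 10.10.10.10 and four against 10.10.10.11. The four staged rules are reproduced as written (top-down evaluation, passthrough add-src-to-address-list, 1m stage timeouts). The single dst-limit rule is approximated as the thread reads it: per classifier key, four new connections per minute pass unmatched (rate 1 plus burst 3) and every further one matches and adds the packet's source to ssh_blacklist. That sliding-window count is an assumption standing in for RouterOS's exact token-bucket arithmetic; the traffic samples are constructed.

```python
"""Model of the two SSH brute-force blacklisting approaches from the thread."""
from collections import defaultdict, deque

# Constructed sample traffic: (time in seconds, src-address, dst-address);
# every tuple is one NEW tcp/22 connection traversing the forward chain.
MANY_SOURCES = [(t, f"{t + 1}.{t + 1}.{t + 1}.{t + 1}", "10.10.10.10") for t in range(6)]
SINGLE_ATTACKER = [(t, "1.1.1.1", "10.10.10.10") for t in range(6)]
SPLIT_TARGETS = ([(t, "1.1.1.1", "10.10.10.10") for t in range(4)]
                 + [(4 + t, "1.1.1.1", "10.10.10.11") for t in range(4)])


def staged_blacklist(attempts, stage_timeout=60, blacklist_timeout=7 * 24 * 3600):
    """Model of the four add-src-to-address-list rules.

    Rules are evaluated top-down for each packet, add-src-to-address-list is a
    passthrough action, and each rule sees list membership as it was before the
    rules below it run.  Only the src-address is ever consulted.
    """
    lists = defaultdict(dict)  # list name -> {address: expiry time}

    def member(name, addr, now):
        expiry = lists[name].get(addr)
        return expiry is not None and now < expiry

    for now, src, _dst in attempts:
        # Same order as the original configuration: stage3 -> blacklist first.
        if member("ssh_stage3", src, now):
            lists["ssh_blacklist"][src] = now + blacklist_timeout
        if member("ssh_stage2", src, now):
            lists["ssh_stage3"][src] = now + stage_timeout
        if member("ssh_stage1", src, now):
            lists["ssh_stage2"][src] = now + stage_timeout
        lists["ssh_stage1"][src] = now + stage_timeout  # no src-address-list match
    return set(lists["ssh_blacklist"])


def dst_limit_blacklist(attempts, mode, allowed=4, window=60):
    """Approximation of the single dst-limit=1/1m,3,<mode>/1m rule.

    ASSUMPTION: following the thread's reading, the first `allowed` new
    connections per classifier key inside `window` seconds do not match; every
    further one matches, and add-src-to-address-list adds the packet's SOURCE,
    whatever `mode` was used for counting.  `mode` is one of the RouterOS
    classifier names used in the discussion.
    """
    def key(src, dst):
        return {"src-address": src,
                "dst-address": dst,
                "src-and-dst-addresses": (src, dst)}[mode]

    recent = defaultdict(deque)  # classifier key -> timestamps inside the window
    blacklist = set()
    for now, src, dst in attempts:
        times = recent[key(src, dst)]
        while times and now - times[0] >= window:
            times.popleft()  # forget attempts older than the window
        times.append(now)
        if len(times) > allowed:
            blacklist.add(src)  # the source is what gets listed, not the key
    return blacklist


if __name__ == "__main__":
    print("staged, many sources       :", staged_blacklist(MANY_SOURCES))
    print("dst-address, many sources  :", dst_limit_blacklist(MANY_SOURCES, "dst-address"))
    print("src-address, many sources  :", dst_limit_blacklist(MANY_SOURCES, "src-address"))
    print("staged, single attacker    :", staged_blacklist(SINGLE_ATTACKER))
    print("src+dst, split targets     :", dst_limit_blacklist(SPLIT_TARGETS, "src-and-dst-addresses"))
    print("src-address, split targets :", dst_limit_blacklist(SPLIT_TARGETS, "src-address"))
```

Running it reproduces the thread's conclusions: with dst-address as classifier the innocent hosts 5.5.5.5 and 6.6.6.6 land in ssh_blacklist, with src-address nobody does; the staged rules and a src-address dst-limit both catch 1.1.1.1, while the src-and-dst-addresses classifier lets it spread eight attempts across two targets without ever being listed.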