I was doing tests with the “add src to address list” option of firewall filter rules and I have seen that the timeout can be increased, but I cannot decrease it.
I add the IP to the list dynamically with a 1-minute timeout. Upon receiving a packet that meets the requirements, in the TEST list I see it added with a 1-minute timeout.
Then I change the rule so that the timeout is 10 minutes. Upon receiving a packet that meets the requirements, in the TEST list I see it increase to 10 minutes.
Then I change the rule so that the timeout is 10 seconds. Upon receiving a packet that meets the requirements, in the TEST list I do not see any timeout change.
The rule adds to the list. If the address is already in the list, the entry doesn’t get changed. If you want to have different behaviours, you’ll have to use more than one address list.
It totally makes sense.
When increasing the timeout you are still sure that the action for all previously met rules is still fulfilled.
If you allowed the timeout to be decreased, that would mean that one rule can cancel the one that was met previously.
I am not talking about TCP timeout. I am talking about Address list timeout.
It really is not like that. If an IP is in the list, and goes through a rule that increases the time in that list, it works.
What I really want is to be able to remove an IP from a dynamic list with some “port-knock” type system.
An even simpler way is to add, just before the rule that uses the “black listed” IP, a rule that “white lists” it (accepts it).
It can then still run out in the black list, but without any impact!
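The two suggestions in this thread (separate address lists for separate timeouts, and a whitelist accept rule placed above the blacklist rule so a stale blacklist entry has no effect) put together as a RouterOS firewall fragment. This is an added example, not configuration posted by anyone in the thread; the list names, the knock port 1111, the timeouts and the chain are assumptions chosen for illustration.

```routeros
# Added example: separate address lists per timeout, plus a whitelist rule
# that is evaluated before the blacklist drop. List names, ports and
# timeouts are assumptions, not taken from the thread.
/ip firewall filter

# Keep established traffic flowing regardless of list membership.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"

# Port-knock: a single TCP SYN to port 1111 puts the source in "knock-ok"
# for 10 minutes. Because an existing entry is not shortened by a later
# hit, use a different list (not "blacklist") when a different timeout is wanted.
add chain=input protocol=tcp dst-port=1111 connection-state=new \
    action=add-src-to-address-list address-list=knock-ok \
    address-list-timeout=10m comment="port-knock: whitelist src for 10m"

# Whitelist is checked BEFORE the blacklist drop, so an address that is still
# present in "blacklist" (waiting for its timeout to expire) is accepted
# anyway once it has knocked. The blacklist entry simply runs out unused.
add chain=input src-address-list=knock-ok action=accept \
    comment="whitelist wins over a stale blacklist entry"

# Blacklist: drop anything still listed. Entries are added below with their
# own, independent timeout.
add chain=input src-address-list=blacklist action=drop \
    comment="drop blacklisted sources"

# Example trigger for the blacklist: new connections to a port that should
# never be reached from outside. 1-minute timeout; hitting this rule again
# while still listed will not shorten an entry that was created with a
# longer timeout elsewhere, which is why the timeouts live in separate lists.
add chain=input protocol=tcp dst-port=23 connection-state=new \
    action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1m comment="blacklist telnet probes for 1m"

# Inspect the dynamic entries and their remaining timeouts:
# /ip firewall address-list print where dynamic=yes
```

Rule order is the whole point of the whitelist trick: if the `src-address-list=knock-ok` accept were placed below the `src-address-list=blacklist` drop, a knocked host that is still on the blacklist would keep being dropped until its blacklist timeout expires.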