Firewall filter rules and address lists

I’ve made these two filter rules:

add chain=input action=drop in-interface="wan - integ" \
    src-address-list=blocked-input comment="blockednoobs - addresslist" \
    disabled=no 
add chain=forward action=drop in-interface="wan - integ" \
    src-address-list=blocked-fwrd comment="blockednoobs - addresslist" \
    disabled=no

Then I added one IP address to both of them. The forward filter rule worked as expected; however, the input rule didn’t take effect. I did have this IP address in an “admins” allowed input address-list/filter rule, but I disabled it to confirm it wasn’t causing my unexpected result.

Does anyone know what is wrong here?

Would need more information; maybe post the entire firewall rule list.

Keep in mind that the input rule is used for packets ENDING on the router, vs the forward for packets going through the router.

Here ya go!

/ ip firewall filter
add chain=forward action=drop dst-port=25 protocol=tcp \
    src-address-list=spammer comment="block smtp on spammer list" disabled=no
add chain=forward action=add-src-to-address-list dst-port=25 protocol=tcp \
    connection-limit=30,32 limit=50,5 address-list=spammer \
    address-list-timeout=1d comment="Detect and add-list SMTP virus or \
    spammers" disabled=no
add chain=input action=drop in-interface="wan - integ" dst-port=53 \
    protocol=udp comment="drop incoming dns queries" disabled=no
add chain=input action=accept protocol=icmp limit=50/5s,2 comment="Allow \
    limited pings" disabled=no
add chain=input action=drop protocol=icmp comment="Drop excess pings" \
    disabled=no
add chain=forward action=drop src-address-list=Port_Scanners comment="Drop \
    packets from port scanners" disabled=no
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
    address-list="port scanners" address-list-timeout=2w comment="PORT \
    scanners to list " disabled=no
add chain=input action=add-src-to-address-list \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port \
    scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" \
    disabled=no
add chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp \
    address-list="port scanners" address-list-timeout=2w comment="SYN/FIN \
    scan" disabled=no
add chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp \
    address-list="port scanners" address-list-timeout=2w comment="SYN/RST \
    scan" disabled=no
add chain=input action=add-src-to-address-list \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list="port \
    scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input action=add-src-to-address-list \
    tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list="port \
    scanners" address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input action=add-src-to-address-list \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list="port \
    scanners" address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input action=accept src-address-list=Admins comment="Accept traffic \
    from admins addy list" disabled=no
add chain=forward action=accept src-address-list=Admins-fwrd comment="forward \
    traffic from admins-fwrd addy list" disabled=no
add chain=input action=drop in-interface="wan - integ" \
    src-address-list=blocked-input comment="blockednoobs - addresslist" \
    disabled=no
add chain=forward action=drop in-interface="wan - integ" \
    src-address-list=blocked-fwrd comment="blockednoobs - addresslist" \
    disabled=no
add chain=input action=drop src-address-list="port scanners" comment="dropping \
    port scanners" disabled=no
add chain=input action=drop connection-state=invalid comment="Drop invalid \
    connection packets" disabled=no
add chain=input action=accept connection-state=established comment="allow \
    established connections" disabled=no
add chain=input action=accept connection-state=related comment="allow related \
    connections" disabled=no
add chain=forward action=accept src-address=97.89.14.102 comment="accept all \
    traffic from src" disabled=yes
add chain=forward action=accept dst-address=97.89.14.102 comment="accept all \
    traffic to dst" disabled=yes

Any ideas why my address list isn’t taking effect with the first rule?

One last bump!
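
Added example, not part of any post in this thread: RouterOS walks a filter chain top to bottom, and the first matching accept, drop, reject or tarpit rule decides the packet, so a drop rule only sees traffic that no earlier rule in the same chain has already handled. The Python sketch below parses a constructed subset of the export above and lists the enabled terminating rules that sit ahead of the drop rule for a given address list; the function names are hypothetical.

```python
import re
import shlex

TERMINATING = {"accept", "drop", "reject", "tarpit"}  # actions that end chain processing

# Constructed sample: a subset of the rules from the export posted above.
EXPORT = r'''
add chain=input action=drop in-interface="wan - integ" dst-port=53 \
    protocol=udp comment="drop incoming dns queries" disabled=no
add chain=input action=accept protocol=icmp limit=50/5s,2 comment="Allow \
    limited pings" disabled=no
add chain=input action=accept src-address-list=Admins comment="Accept traffic \
    from admins addy list" disabled=no
add chain=forward action=accept src-address-list=Admins-fwrd comment="forward \
    traffic from admins-fwrd addy list" disabled=no
add chain=input action=drop in-interface="wan - integ" \
    src-address-list=blocked-input comment="blockednoobs - addresslist" \
    disabled=no
'''

def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts, in listed order."""
    joined = re.sub(r"\\\n\s*", "", export)  # undo the export's line continuations
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line)  # keeps key="value with spaces" as one token
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def rules_ahead(export, chain, address_list):
    """Enabled terminating rules in `chain` that are evaluated before the
    drop rule for `address_list`; any of them can decide the packet first."""
    ahead = []
    for rule in parse_rules(export):
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue  # other chains and disabled rules never see the packet
        if rule.get("action") == "drop" and rule.get("src-address-list") == address_list:
            return ahead
        if rule.get("action") in TERMINATING:
            ahead.append((rule["action"], rule.get("comment", "")))
    raise ValueError(f"no enabled drop rule for {address_list!r} in chain {chain!r}")

if __name__ == "__main__":
    for action, comment in rules_ahead(EXPORT, "input", "blocked-input"):
        print(f"{action:7} {comment}")
```

Each rule it prints is one to check against the kind of traffic used for testing, since a packet that matches it never reaches the address-list drop rule.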