Hello,
I would like to use the block list from openbl.org to block unwanted access to my router. I have already imported the blacklist but I do not know if the rules below are correct to block the IP addresses from the black list:
add chain=forward action=drop src-address-list=blacklist in-interface=all-ethernet
add chain=forward action=drop dst-address-list=blacklist in-interface=all-ethernet
Thank you in advance.
logically in “forward” ppl tend to blacklist “source” lists, not destination. thats (if you like to)for “output” chain, not “forward”.
fors tart try forcus on input and forward chains and put in “source” adress lsit, not destination.
Use the RAW for this. It allows the router to block before a connection is processed. Lightens the load on the router.
you can use the blacklist update script here: http://forum.mikrotik.com/t/blacklist-filter-update-script/89817/1
That will get you a current blocklist that includes the openbl.org list
Could you please give me this RAW rule to block the IP from the list before the connection is established?
Is it possible to store the block list on the usb pendrive to avoid to many writes on the flash?
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 src-address-list=dynamicBlacklist
The dynamicBlacklist list that I posted does not write the list to the NAND. The dynamic rules are stored in memory.
If you want the initial download to go to the USB flash, you will need to adjust the script and include the file path.
From what lists you create your dynamicBlacklist?
Lists are built from 5 publically available lists as well as data that my routers and servers have collected.
But first the file “dynamic.rsc” is being saved into the nand.
yes it is. currently unavoidable. But one large write is much better than several thousand small ones.
When you want a dynamic blacklist containing only single IP addresses (not subnets), on RouterOS 6.36 and later,
you can put the addresses in some DNS server you can manage and add an address list that has the corresponding
DNS name. I have tried with about 2000 addresses and it works OK: the MikroTik resolves the DNS name, finds
there are too many results for UDP, re-tries in TCP mode (so your DNS server has to support that!) and retrieves
all the 2000 addresses and puts them in the address list. And the DNS query is automatically re-run every time
the TTL of the DNS record ticks to zero.
So, no more need for scripts, you can configure many routers like this and only need to maintain the list in the
DNS server, with a TTL appropriate for the frequency at which you do the updates.
Unfortunately this only works for single addresses, because you cannot put subnets in DNS. Maybe a nice
enhancement would be when MikroTik also resolves TXT records and recognizes a.b.c.d/e strings to create
subnets in the address list.
As I said.. Unavoidable. More than half the list is subnets. expanding it to single IP’s would make the list unrealistic. Also, with DNS, I have no data from the client, so I have no idea what OS or amount of memory. Those are used to tailor the list. At some points of the month, the full list can grown to over 10k addresses. (Bases on 3, 7, 15 and 30 day status) The low memory boxes will get a smaller list, while the unites with 1G+ will get the full 30 days.
The memory size problem can be worked around by having more than one DNS name resolving to lists of several sizes.
The particular name to resolve would be dependent on the router type.
Of course not being able to block subnets this way is the real problem. It could be solved by using TXT records.
In general, I like this way of fetching address lists into various routers.