IS0FFD
April 28, 2018, 8:32am
Hi all!
I have a CRS125 with these firewall rules:
17 ;;; Port Scanner Detect
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w
18 ;;; Drop to port scan list
chain=input action=drop src-address-list=Port_Scanner
In my LAN I have an RB750Gr3 running Dude, but it is continually inserted in the "Port_Scanner" list.
How can I solve this?
Remove the hEX IP from the list, or deactivate the rule?
IS0FFD
April 28, 2018, 9:46am
I would like it if possible to make a white list with the addresses known to be excluded from the rule.
Sorry, but I'm trying to learn!
Try something like this:
chain=input action=drop src-address-list=Port_Scanner
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of hEX"
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w
or with a white list:
chain=input action=drop src-address-list=!White_List
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address-list=White_List
"=!" means "not what you point at".
IS0FFD
April 28, 2018, 10:43am
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
does not work…
Sorry, but did you put the IP address of your hEX router in src-address, or just the words I wrote?
And I’m sorry for incorrect sequence:
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of your hEX"
chain=input action=drop src-address-list=Port_Scanner
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w
No… I mean you have to use not (!), so you need only one line:
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 src-address=!"IP of your hEX" address-list=Port_Scanner address-list-timeout=1w
I will suggest another thing: remove firewall rules from the switch, because switches get more CPU usage from firewall rules!
anav
April 28, 2018, 3:23pm
Hi there, I do something very similar…
(I have two WAN IPs, otherwise I would have probably used in-interface WAN)
…
IP Filter
{Port Scans TCP make list}
chain=input action=add-src-to-address-list protocol=tcp dst-port=23,53,123,445,8291 in-interface-list=WAN address-list=port_scans_tcp address-list-timeout=2d
{Port Scans UDP make list}
chain=input action=add-src-to-address-list protocol=udp dst-port=23,53,123,445,8291 in-interface-list=WAN address-list=port_scans_udp address-list-timeout=2d
Then I use a RAW rule (not a filter) in PREROUTING to kill the list entries before they enter the router at all (no connection tracking etc…)
…
IP RAW
{Drop Scans TCP}
chain=prerouting action=drop src-address-list=port_scans_tcp
{Drop Scans UDP}
chain=prerouting action=drop src-address-list=port_scans_udp
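Putting the thread's pieces together, here is an added example (not from any poster) of a RouterOS configuration that keeps the Dude host out of the Port_Scanner list with a negated whitelist match on the psd rule itself, and drops listed scanners in RAW prerouting as anav does. The address 192.168.88.10 and the list name White_List are placeholders, not values from the thread.

```routeros
# Added example, not from the original thread. Assumes the Dude host
# (RB750Gr3) is 192.168.88.10; replace with your own address.

# 1. Whitelist of monitoring hosts that are allowed to probe the router.
/ip firewall address-list
add list=White_List address=192.168.88.10 comment="Dude host (RB750Gr3)"

# 2. Clear any entry the old rule already created for that host.
/ip firewall address-list
remove [find list=Port_Scanner address=192.168.88.10]

# 3. Detection: only non-whitelisted sources can be listed. The "!" negates
#    the list match, so no separate accept rule is needed and the Dude host
#    keeps going through the rest of the input chain like any other host.
/ip firewall filter
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 src-address-list=!White_List address-list=Port_Scanner address-list-timeout=1w comment="Port Scanner Detect"
add chain=input action=drop src-address-list=Port_Scanner comment="Drop to port scan list"

# 4. Optional, anav's variant: drop already-listed scanners before connection
#    tracking. If you use this, the filter drop above becomes redundant.
/ip firewall raw
add chain=prerouting action=drop src-address-list=Port_Scanner comment="Drop known scanners pre-tracking"

# 5. Check: after a Dude discovery run, the host must not appear here.
/ip firewall address-list print where list=Port_Scanner
```

Rule order matters only within a chain: because the whitelist test is part of the add-src-to-address-list rule, there is no accept rule that could be placed too late.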