ip service "address" functionality

It would be nice to have this limitation function (allowing access to certain system functionality just from a specified list of IP addresses) to block incoming requests faster.

Right now it allows the incoming connection to be built up (SYN, SYN/ACK, ACK) before sending a FIN and closing down the session if it doesn’t come from a legitimate address.

16:21:54.462039 IP 192.168.1.21.58403 > 7.7.7.7.22: Flags [S], seq 494066851, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 773240444 ecr 0,sackOK,eol], length 0
16:21:54.471825 IP 7.7.7.7.22 > 192.168.1.21.58403: Flags [S.], seq 3618698338, ack 494066852, win 14480, options [mss 1460,sackOK,TS val 1993609482 ecr 773240444,nop,wscale 4], length 0
16:21:54.471846 IP 192.168.1.21.58403 > 7.7.7.7.22: Flags [.], ack 1, win 4117, options [nop,nop,TS val 773240453 ecr 1993609482], length 0
16:21:54.473051 IP 192.168.1.21.58403 > 7.7.7.7.22: Flags [P.], seq 1:22, ack 1, win 4117, options [nop,nop,TS val 773240454 ecr 1993609482], length 21
16:21:54.481925 IP 7.7.7.7.22 > 192.168.1.21.58403: Flags [F.], seq 1, ack 1, win 905, options [nop,nop,TS val 1993609483 ecr 773240453], length 0
16:21:54.481961 IP 192.168.1.21.58403 > 7.7.7.7.22: Flags [.], ack 2, win 4117, options [nop,nop,TS val 773240462 ecr 1993609483], length 0
16:21:54.482860 IP 192.168.1.21.58403 > 7.7.7.7.22: Flags [F.], seq 22, ack 2, win 4117, options [nop,nop,TS val 773240462 ecr 1993609483], length 0
16:21:54.495842 IP 7.7.7.7.22 > 192.168.1.21.58403: Flags [R], seq 3618698340, win 0, length 0
16:21:54.495845 IP 7.7.7.7.22 > 192.168.1.21.58403: Flags [R], seq 3618698340, win 0, length 0

My approach would be to send a TCP RST right after receiving the SYN from illegitimate sources, like this:

16:16:46.497765 IP 192.168.1.21.58387 > 6.6.6.6.22: Flags [S], seq 1577754403, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 772937047 ecr 0,sackOK,eol], length 0
16:16:46.513133 IP 6.6.6.6.22 > 192.168.1.21.58387: Flags [R.], seq 0, ack 1577754404, win 0, length 0

Also it would be nice to have a “silent deny” mode, which is the equivalent of dropping the illegitimate packet without an ICMP unreachable or TCP RST. I know it is possible to do this with the built-in firewall, but if we have this handy knob here, why not make it more useful?
It could be just a set of dynamic (D) rules generated in the IP/IPv6 firewall’s input chain.

On the other hand, I might also want to enhance it with support for “ip firewall address-list” / “ipv6 firewall address-list” instead of a plain list of IP addresses.
Many RouterOS internals have become DNS-aware in recent years; this feature could take the same improvement too.
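The two behaviours requested above (RST on the initial SYN, and a silent drop) can be built today with the firewall the post mentions, scoped to the service port and keyed on an address-list. The following is an added example, not code from the forum post or from MikroTik; the list names, address ranges and FQDN are constructed, and the port (22) is the SSH service seen in the captures.

```routeros
# Added example (not from the post or MikroTik): firewall rules that give the
# "RST on SYN" and "silent deny" behaviours requested above for the SSH service.
# List names, ranges and the FQDN below are constructed placeholders.

# Trusted management sources. address-list entries can also be FQDNs, which
# RouterOS resolves periodically, so this is already DNS-aware.
/ip firewall address-list
add list=mgmt-hosts address=192.168.1.0/24 comment="constructed example range"
add list=mgmt-hosts address=mgmt.example.com comment="constructed FQDN entry"

# Variant 1: answer the SYN from any non-listed source with a TCP RST (the
# [R.] exchange shown above) instead of completing the handshake and then FIN.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!mgmt-hosts action=reject reject-with=tcp-reset \
    comment="ssh: RST untrusted sources"

# Variant 2: "silent deny" - drop the SYN with no RST and no ICMP unreachable.
# Use one variant or the other; the first matching rule in the chain wins.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!mgmt-hosts action=drop \
    comment="ssh: silently drop untrusted sources"

# IPv6 has its own address-list and filter table; same pattern, silent variant.
/ipv6 firewall address-list
add list=mgmt-hosts6 address=2001:db8::/64 comment="constructed example range"
/ipv6 firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!mgmt-hosts6 action=drop comment="ssh6: silent deny"
```

These rules must sit above any general accept for the input chain, and `/ip firewall filter print stats` shows whether untrusted SYNs are actually hitting them.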

+1

ip/service available from “address-list”