Large blacklists for firewall

Hello everyone,

Does anyone have any experience with large block lists?

I am running an email server and get hit with brute force password attacks from IPs that are commonly found in blacklists.

Although the server has, and is set up for, automatic lockout of IPs that make multiple password attempts, I would like to move this to the firewall.

Does anyone have any experience with what kind of performance hit an 11k-line blacklist causes on the router? The router is an RB3011.

Regards

11K should be fine. I have 4,000 on an RB3011 and it's no trouble. Use RAW rules, something like this:


/ip firewall raw
# drop every packet from a listed source before routing (covers input and forward);
# the rules are exported disabled, set disabled=no to activate them
add action=drop chain=prerouting disabled=yes in-interface=ether1 src-address-list=PortScanners
# any source probing these ports (except addresses in WinboxAllow) is listed for two weeks
add action=add-src-to-address-list address-list=PortScanners address-list-timeout=2w chain=prerouting disabled=yes dst-port=10,25,333 in-interface=ether1 protocol=udp src-address-list=!WinboxAllow
add action=add-src-to-address-list address-list=PortScanners address-list-timeout=2w chain=prerouting disabled=yes dst-port=10,25,333 in-interface=ether1 protocol=tcp src-address-list=!WinboxAllow

Just try it out, and use the following example .rsc file to import your IP list:

# $i adds one entry (named argument a) to the list with a timeout
:global i do={ /ip firewall address-list add list=blacklist-email timeout=35w3d13:13:56 address="$a" }
# start from an empty list; ignore the error if the list does not exist yet
:do { /ip firewall address-list remove [find where list=blacklist-email] } on-error={}
$i a=x.x.x.x
$i a=x.x.x.x
$i a=x.x.x.x
.
.
.
$i a=x.x.x.x
$i a=x.x.x.x
$i a=x.x.x.x

This will import the IP addresses (represented by x.x.x.x) very efficiently.

OK, thank you. I see that you both use address-list timeouts.

Am I correct in understanding that this is so that IPs that never get detected get removed from the list?

Also, I see prerouting is used instead of input; this is to save the CPU's routing overhead, right?

Timeouts are used so that the config doesn't get written to NV storage. Nor does this part consume space in the exported config.

Prerouting is used so that these connections get dropped for both input and forward … and they get dropped as soon as possible.

If I can, I suggest a change.

# list name shared with the function below
:global listname "blacklist-email"
# $1 is the positional argument; the entry is added only if it is not already
# listed and parses as a valid ip or ip-prefix, so a bad line is skipped, not fatal
:global i do={
    :global listname
    /ip firewall address-list
    :if ( ([:len [find where list="$listname" and address="$1"]] = 0) and ([:typeof [[:parse ":return $1"]] ] ~ "(ip|ip-prefix)") ) do={
        add address="$1" list="$listname" timeout=35w
    } 
}
# start from an empty list
/ip firewall address-list remove [find where list="$listname"]
$i x.x.x.x
$i x.x.x.x
.
.
.
$i x.x.x.x
$i x.x.x.x

@rextended you are on my ignore list so I don’t read your postings anymore. Really sad that I had to resort to that.

So, with no explanation and no reason?

Of course there are really idiotic people in the world…

For me the dawn will continue to be there tomorrow,
even for you,
but you will miss a star in the firmament of the night that writes the history of this world.

thanks for the stock tip in this thread rextended. I made $100,000 Euros! Too bad msatter missed out. :slight_smile:

Okay, this thread is similar to another one, rextended, where you were adamant about not pulling third-party sites into a script, etc.
How is this one different? It's not clear to me where the blacklist is coming from. What did I miss?

It is for a self-made blacklist.
If you already have a file with all the IPs inside, add the script at the top
and in front of each IP put "$i ",
then save the file as .rsc and import it.

To be precise, there is no problem importing blacklists from sites, reading the file and following an internal import script;
the problem is about "IMPORTING A SCRIPT WITH ROUTEROS COMMANDS" inside, instead of just IPs.

-TX-
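As an added example, not code posted by anyone in this thread: a small Python script that turns a plain text list of IPs into an .rsc file of the shape msatter posted, putting "$i a=" in front of each entry and validating the entries first, so that (as the later comparison of the two scripts turns on) a malformed line is skipped instead of stopping the import, and nothing but address literals from the source file ever reaches the router. The list name, timeout and sample addresses are assumptions.

```python
"""Build a RouterOS .rsc import file from a plain text list of IPv4 entries.

Added example for this thread, not code posted by any participant.  It
emits the same two-line header msatter posted (a function $i that adds
one entry to an address list with a timeout, then a remove of the old
list) followed by one "$i a=<entry>" line per entry, after validating
and de-duplicating the entries so a malformed line cannot abort the
import and no RouterOS command from the source file can reach the router.
"""
import ipaddress
import sys

LIST_NAME = "blacklist-email"   # list name used in the thread (assumed)
TIMEOUT = "35w"                 # expiring entries are not written to NV storage

# Header modelled on the .rsc example in the thread; {{ }} are literal braces.
HEADER = (
    ':global i do={{ /ip firewall address-list add list={name} timeout={timeout} address="$a" }}\n'
    ':do {{ /ip firewall address-list remove [find where list={name}] }} on-error={{}}\n'
)


def normalize(entry):
    """Return a canonical 'a.b.c.d' or 'a.b.c.d/n' string, or None if unusable.

    Accepts IPv4 hosts and CIDR prefixes only.  Hostnames, IPv6 (which
    belongs in /ipv6 firewall address-list), comments, blank lines and the
    catch-all 0.0.0.0/0 (which would drop all traffic) are rejected.
    """
    entry = entry.split("#", 1)[0].strip()
    if not entry:
        return None
    try:
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            if net.version != 4 or net.prefixlen == 0:
                return None
            # a /32 is just a host address; RouterOS stores it without the prefix
            return str(net.network_address) if net.prefixlen == 32 else str(net)
        addr = ipaddress.ip_address(entry)
        return str(addr) if addr.version == 4 else None
    except ValueError:
        return None


def build_rsc(lines, list_name=LIST_NAME, timeout=TIMEOUT):
    """Return (rsc_text, skipped): the import script and the rejected entries."""
    seen = set()
    body = []
    skipped = []
    for raw in lines:
        entry = normalize(raw)
        if entry is None:
            stripped = raw.strip()
            if stripped and not stripped.startswith("#"):
                skipped.append(stripped)
            continue
        if entry in seen:          # a duplicate add fails with "already have such entry"
            continue
        seen.add(entry)
        body.append(f"$i a={entry}")
    text = HEADER.format(name=list_name, timeout=timeout) + "\n".join(body) + "\n"
    return text, skipped


# Constructed sample input (documentation ranges), not a real blocklist.
SAMPLE_LINES = [
    "# constructed sample",
    "203.0.113.7",
    "203.0.113.7",        # duplicate
    "198.51.100.0/24",
    "198.51.100.77/32",   # host written as /32
    "not-an-ip",
    "2001:db8::1",        # IPv6, wrong list
    "0.0.0.0/0",          # would block everything
    "",
]

if __name__ == "__main__":
    # usage: python make_rsc.py [iplist.txt] > blacklist-email.rsc
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    text, skipped = build_rsc(source)
    sys.stdout.write(text)
    for bad in skipped:
        print(f"skipped: {bad}", file=sys.stderr)
```

Rejected lines go to stderr so the generated file stays a clean import; review them before uploading, since a hostname or an IPv6 entry in an IPv4 list is usually a sign the source list was not what you expected.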

If you see this… it is a revolution… :mrgreen:
http://forum.mikrotik.com/t/how-to-download-only-one-piece-of-file-at-a-time-with-tool-fetch-and-put-it-inside-a-variable/151020/1

Excellent example of why I put you on my ignore list, or however it is called here, a foe.

I really hope you will be banned here soon!!!

msatter, no need to get nasty, and besides, the Netherlands will be under water before volcanoes destroy Italy, so you just may be looking for a home soon.
Don't cut off your options!!!

Personally I have grown fond of Italian poetry in broken English, almost romantic.
How could anyone not eat it up and smile when the Italian high jumper tickled the ears of the newly crowned 100-metre champion at the Olympics.
They are different but in a good way LOL.

PS, your ignore list doesn't work very well. I am sure rextended has a script for you that will work.

We are sending truckloads of Euros to Italy despite them being richer than we are in the Netherlands. We are buying that country without owning it after sending all our money.

@green-gelid You can also add “no Money” to your signature :laughing:

The ignore function works very well here. If you want to read an ignored posting, it depends on which one of the two fingers you use on the screen.

@rextended --- I tried your code on a test file having 50 thousand IP address entries and found that @msatter's code was dramatically faster to process .... approximately 4 times faster than your code. Also, FYI, your code generates the following error condition:

failure: empty list name not allowed

Did you try your code out on a test file before publishing it here? May I suggest that you give it a try and compare your code to @msatter's code ... see for yourself :slight_smile:

The only way to obtain the error "failure: empty list name not allowed" is if you do not set the list name; it is your fault.
The script is slower because it checks that every IP or IP prefix is valid before trying to insert it into the address list.
This way the script does not stop if one IP or IP prefix is wrong; it simply "skips" it.

In the other "faster" script, if there is an error, the script stops execution and does not finish the import.
Probably it is faster for that reason…