I know these have already been created and updated but I can’t find them.
I need scripts to add Malware and Bogon IP filters on my routers and can’t find them.
Regarding the bogons part of the question:
I once wrote a small PERL script to create a RouterOS script file. This created a firewall chain “bogons” which contains rules to drop packets from bogons.
I attach the script here. It was written for Windows (on Linux adjust the shebang line to the PERL interpreter). It’s getting a current bogons list from http://www.completewhois.com and is outputting several files. Each is a complete one, the only difference is the number of networks listed in the chain. There’s one result file including only /20 and bigger networks, one for /19 and bigger and so on. Down to one including all listed bogons, which creates about 7.400 rules today.
Take one (!) of the created scripts (depending on how large your filtering chain should get), put it on your router (FTP/SCP) and execute it as a script there. This will erase any existing chain with the name “bogons”, recreate this as an empty chain and fill the rules in…
Please beware that this is still creating 2.8 RouterOS syntax, if I find time I’ll update it and put it into the Wiki.
#!c:/perl/bin/perl.exe
#################################################
## ##
## PERL script to create RouterOS commands for ##
## bogon filtering. ##
## ##
## (c) 2005 Christian Meis, info <at> cmit.de ##
## Version: 1.0 ##
## ##
#################################################
use strict;
use warnings;
use LWP::Simple;

# RouterOS 2.8 commands: delete the "bogons" chain (if existent) and re-create it (empty)
my $ros_cmd_recreate_chain =
      ":foreach i in [/ip firewall rule bogons find] do={/ip firewall rule bogons remove \$i}\n"
    . "/ip firewall remove [/ip firewall find name=bogons]\n"
    . "/ip firewall add name=bogons comment=\"automatically created BOGON filter chain\"\n"
    . "/ip firewall rule bogons\n";
# final RouterOS command to jump back from the bogons chain
my $ros_cmd_jump_back = "add action=return\n";

# one output file per size limit: "all" takes every network, "16up" only /16 and
# bigger networks, and so on (larger prefix length = smaller network)
my %max_prefixlen = (
    'bogons-routeros-chain_all.rsc'  => 32,
    'bogons-routeros-chain_16up.rsc' => 16,
    'bogons-routeros-chain_17up.rsc' => 17,
    'bogons-routeros-chain_18up.rsc' => 18,
    'bogons-routeros-chain_19up.rsc' => 19,
    'bogons-routeros-chain_20up.rsc' => 20,
);

# Get BOGON list from www.completewhois.com and save it locally...
my $BOGON = get 'http://www.completewhois.com/bogons/data/bogons-cidr-all.txt';
die "Could not download the BOGON list\n" unless defined $BOGON;
open(my $bogon_out, '>', 'bogons.dat') or die "Cannot write bogons.dat: $!\n";
print $bogon_out $BOGON;
close($bogon_out);

if (-s "bogons.dat") {
    # success getting the BOGON list - let's go on...
    open(my $bogon_in, '<', 'bogons.dat') or die "Cannot read bogons.dat: $!\n";
    my %fh;
    for my $file (keys %max_prefixlen) {
        open($fh{$file}, '>', $file) or die "Cannot write $file: $!\n";
        # initial RouterOS commands to delete the "bogons" chain (if existent) and re-create it (empty)
        print {$fh{$file}} $ros_cmd_recreate_chain;
    }
    while (my $netaddress = <$bogon_in>) {
        $netaddress =~ s/\s+\z//;    # strip the line ending (LF or CRLF) and trailing blanks
        # only rows that look like a.b.c.d/nn - otherwise this was a comment or empty line
        next unless $netaddress =~ m{^\d{1,3}(?:\.\d{1,3}){3}/(\d{1,2})$};
        my $prefixlen = $1;
        for my $file (keys %max_prefixlen) {
            # a network goes into a file only if it is at least as big as that file's limit
            print {$fh{$file}} "add src-address=$netaddress out-interface=all action=drop comment=\"\" disabled=no\n"
                if $prefixlen <= $max_prefixlen{$file};
        }
    }
    for my $file (keys %max_prefixlen) {
        print {$fh{$file}} $ros_cmd_jump_back;
        close($fh{$file});
    }
    close($bogon_in);
    unlink "bogons.dat";
}
If someone needs it, this is also available as a stand-alone Windows executable file (for those not having PERL installed).
Best regards,
Christian Meis
Oh yeah, and for those who don’t know the word “bogon”: This is used to describe unused address space on the internet. So traffic with source (or destination) addresses from those address ranges cannot be legitimate traffic and gets filtered out by (sadly not all, but many) ISPs.
See also Wikipedia
Best regards,
Christian Meis
Here is my script that takes a BGP bogon feed and turns it into an address-list:
## Builds an address list with bogons based on the
## learned bgp routes which have the specific routing-mark.
:log info "Removing all BOGONS, starting sync."
# flush the list first so prefixes that left the feed do not survive the sync
:foreach subnet in=[/ip firewall address-list find list=bogons] do={
    /ip firewall address-list remove $subnet
}
# re-populate it from every route that carries the bogons routing-mark
:foreach subnet in=[/ip route find routing-mark=bogons] do={
    :local bogon [/ip route get $subnet dst-address]
    :log info ("Found " . $bogon . " as bogon entry.")
    /ip firewall address-list add list=bogons address=$bogon
}
Here is my current chain if you just want to copy and paste it:
/ ip firewall address-list
add list=bogons address=1.0.0.0/8 comment="" disabled=no
add list=bogons address=2.0.0.0/8 comment="" disabled=no
add list=bogons address=5.0.0.0/8 comment="" disabled=no
add list=bogons address=7.0.0.0/8 comment="" disabled=no
add list=bogons address=10.0.0.0/8 comment="" disabled=no
add list=bogons address=23.0.0.0/8 comment="" disabled=no
add list=bogons address=27.0.0.0/8 comment="" disabled=no
add list=bogons address=31.0.0.0/8 comment="" disabled=no
add list=bogons address=36.0.0.0/8 comment="" disabled=no
add list=bogons address=37.0.0.0/8 comment="" disabled=no
add list=bogons address=39.0.0.0/8 comment="" disabled=no
add list=bogons address=42.0.0.0/8 comment="" disabled=no
add list=bogons address=49.0.0.0/8 comment="" disabled=no
add list=bogons address=50.0.0.0/8 comment="" disabled=no
add list=bogons address=77.0.0.0/8 comment="" disabled=no
add list=bogons address=78.0.0.0/8 comment="" disabled=no
add list=bogons address=79.0.0.0/8 comment="" disabled=no
add list=bogons address=92.0.0.0/8 comment="" disabled=no
add list=bogons address=93.0.0.0/8 comment="" disabled=no
add list=bogons address=94.0.0.0/8 comment="" disabled=no
add list=bogons address=95.0.0.0/8 comment="" disabled=no
add list=bogons address=96.0.0.0/8 comment="" disabled=no
add list=bogons address=97.0.0.0/8 comment="" disabled=no
add list=bogons address=98.0.0.0/8 comment="" disabled=no
add list=bogons address=99.0.0.0/8 comment="" disabled=no
add list=bogons address=100.0.0.0/8 comment="" disabled=no
add list=bogons address=101.0.0.0/8 comment="" disabled=no
add list=bogons address=102.0.0.0/8 comment="" disabled=no
add list=bogons address=103.0.0.0/8 comment="" disabled=no
add list=bogons address=104.0.0.0/8 comment="" disabled=no
add list=bogons address=105.0.0.0/8 comment="" disabled=no
add list=bogons address=106.0.0.0/8 comment="" disabled=no
add list=bogons address=107.0.0.0/8 comment="" disabled=no
add list=bogons address=108.0.0.0/8 comment="" disabled=no
add list=bogons address=109.0.0.0/8 comment="" disabled=no
add list=bogons address=110.0.0.0/8 comment="" disabled=no
add list=bogons address=111.0.0.0/8 comment="" disabled=no
add list=bogons address=112.0.0.0/8 comment="" disabled=no
add list=bogons address=113.0.0.0/8 comment="" disabled=no
add list=bogons address=114.0.0.0/8 comment="" disabled=no
add list=bogons address=115.0.0.0/8 comment="" disabled=no
add list=bogons address=116.0.0.0/8 comment="" disabled=no
add list=bogons address=117.0.0.0/8 comment="" disabled=no
add list=bogons address=118.0.0.0/8 comment="" disabled=no
add list=bogons address=119.0.0.0/8 comment="" disabled=no
add list=bogons address=120.0.0.0/8 comment="" disabled=no
add list=bogons address=121.0.0.0/8 comment="" disabled=no
add list=bogons address=122.0.0.0/8 comment="" disabled=no
add list=bogons address=123.0.0.0/8 comment="" disabled=no
add list=bogons address=169.254.0.0/16 comment="" disabled=no
add list=bogons address=172.16.0.0/12 comment="" disabled=no
add list=bogons address=173.0.0.0/8 comment="" disabled=no
add list=bogons address=174.0.0.0/8 comment="" disabled=no
add list=bogons address=175.0.0.0/8 comment="" disabled=no
add list=bogons address=176.0.0.0/8 comment="" disabled=no
add list=bogons address=177.0.0.0/8 comment="" disabled=no
add list=bogons address=178.0.0.0/8 comment="" disabled=no
add list=bogons address=179.0.0.0/8 comment="" disabled=no
add list=bogons address=180.0.0.0/8 comment="" disabled=no
add list=bogons address=181.0.0.0/8 comment="" disabled=no
add list=bogons address=182.0.0.0/8 comment="" disabled=no
add list=bogons address=183.0.0.0/8 comment="" disabled=no
add list=bogons address=184.0.0.0/8 comment="" disabled=no
add list=bogons address=185.0.0.0/8 comment="" disabled=no
add list=bogons address=186.0.0.0/8 comment="" disabled=no
add list=bogons address=187.0.0.0/8 comment="" disabled=no
add list=bogons address=192.0.2.0/24 comment="" disabled=no
add list=bogons address=192.168.0.0/16 comment="" disabled=no
add list=bogons address=197.0.0.0/8 comment="" disabled=no
add list=bogons address=198.18.0.0/15 comment="" disabled=no
add list=bogons address=223.0.0.0/8 comment="" disabled=no
Cymru provides a BGP feed to us that we then filter with a routing-mark, and then based on that list we generate the address-list… runs nightly to keep them up to date automatically.
Sam
is this info added to the wiki?
Just did my first one:
http://wiki.mikrotik.com/wiki/Generate_bogons_firewall_chain_based_on_routing-marks
Sam
thanks, that’s great! one side note: we are usually not signing the pages as it is all written in the history page.