Hello,
I took the following steps:
Our customers are caught by the rules when transferring files via FTP (port 21).





Your screenshot suggests you have the rule on chain=forward instead of chain=input…
I want to do a port scan to the router but not to the servers on the inside
in > /ip firewall filter > → add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
This is correct! chain=input is for traffic going to the router itself.

This is incorrect! chain=forward is any traffic going to/from your clients! This is why it is catching your clients.
I understand you.
It does not capture port scanners when set to input.
I wonder where I am making a mistake.
Do you have the FTP service enabled and on port 21 of the router? What other firewall rules do you have?
/ip firewall filter export
Your requirements are unclear.
FTP opens many connections (1 per file), you should make sure your PSD rules are not running if a connection is allowed. It’s also very questionable to do anything with PSD since you have no guarantees the IPs you are adding to your lists aren’t spoofed.
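
An added example, not part of any post in this thread: one way to order the input-chain rules so that PSD only scores new connections addressed to the router, following the advice in the replies above. It assumes connection tracking and the FTP helper are enabled and that these two rules sit above any other input rules; the first rule and its comment text are illustrative additions.

```routeros
/ip firewall filter

# 1. Accept traffic that connection tracking already knows about.
#    FTP data connections are classified as "related" by the FTP helper
#    (/ip firewall service-port), so an allowed FTP session never reaches
#    the PSD rule below, however many files it transfers.
add chain=input connection-state=established,related action=accept \
    comment="Accept established/related before PSD"

# 2. Score only NEW TCP connections to the router itself (chain=input).
#    Traffic between clients and the inside servers travels through
#    chain=forward and is not evaluated here.
#    psd=21,3s,3,1 means: weight threshold 21, delay threshold 3s,
#    weight 3 per low port (<1024), weight 1 per high port.
add chain=input protocol=tcp connection-state=new psd=21,3s,3,1 \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="Port scanners to list"
```

The list is only populated here; because source addresses can be spoofed, as the last reply points out, review its entries with `/ip firewall address-list print` before attaching any drop rule to it.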