So, I've taken the fresh default config and added a couple of firewall rules, but they don't seem to work as expected. More specifically, I've added a rule that should block anything coming in on the input chain that is matched in the blocked-addr list.
Here’s the full input chain ruleset.
0 ;;; Drop weird packets
chain=input action=drop connection-state=invalid
1 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
2 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2w
3 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w
4 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2w
5 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=2w
6 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2w
7 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w
8 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w
9 ;;; IP with more than 100 active connections get added to block-list
chain=input action=add-src-to-address-list protocol=tcp address-list=blocked-addr address-list-timeout=1d connection-limit=100,32
10 ;;; If block-listed IP's connect, drop them,
chain=input action=drop src-address-list=blocked-addr
11 chain=input action=accept protocol=tcp connection-limit=200,32
12 D chain=input action=jump jump-target=hs-input hotspot=from-client
13 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
14 ;;; default configuration
chain=input action=accept protocol=icmp
15 ;;; default configuration
chain=input action=accept connection-state=established
16 ;;; default configuration
chain=input action=accept connection-state=related
17 ;;; default configuration
chain=input action=drop in-interface=sfp1-gateway
18 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway
I've added a couple of IPs (public WAN IPs, not internal on the network) to the blocked-addr list, but they can still access my websites and services, so rule number 10 here doesn't seem to work.
Anyone got any ideas?
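An added note and example, not part of the original post: a rule in chain=input only sees packets addressed to the router itself. Traffic that is routed or dst-nat'ed through to hosts behind the router traverses chain=forward instead, so a drop placed only in input never matches it. The RouterOS commands below (written here as an illustration, not the poster's own configuration) apply the same address-list check where transit traffic actually passes; `blocked-addr` is the list name from the post, everything else is an assumption.

```routeros
# Added example, not part of the original post.
# Packets going to hosts behind the router (including dst-nat'ed web servers)
# pass through chain=forward, not chain=input, so the drop must exist there too.
# place-before=0 puts the rule at the top so it runs before any accept rules.
/ip firewall filter
add chain=forward action=drop src-address-list=blocked-addr \
    comment="Drop block-listed sources reaching hosts behind the router" \
    place-before=0

# Alternative (RouterOS 6.36 or later): drop in the raw table, which runs
# before connection tracking and before both input and forward, so a single
# rule covers traffic to the router and traffic through it.
/ip firewall raw
add chain=prerouting action=drop src-address-list=blocked-addr \
    comment="Drop block-listed sources before connection tracking"

# Check which rule the listed sources are really hitting: if the input-chain
# drop counters stay at zero while the traffic keeps flowing, it is transit
# traffic and only the forward or raw rule will stop it.
/ip firewall filter print stats where src-address-list=blocked-addr
/ip firewall raw print stats where src-address-list=blocked-addr
```

Entries added to blocked-addr by the connection-limit rule expire after the 1d timeout, so re-check the list contents with `/ip firewall address-list print where list=blocked-addr` before concluding a rule is not matching.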