Rules against scanners

I found a cfg with this set of rules against port scanners:

add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="PS list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="NMAP FIN Stealth" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="SYN/FIN" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="SYN/RST" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="FIN/PSH/URG" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="ALL/ALL" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="scan" address-list-timeout=1w chain=input comment="NMAP NULL" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping scan" src-address-list="scan"

Is it a useful/efficient way other than a basic firewall rule set?

Only if you drop packets from that address list in the firewall raw section so they are not processed further. It wouldn't stop attackers, and your WAN link would still be saturated with the stream of these packets.

Since the default firewall already protects against these things, they're useless.

If you need to open specific ports, why bother?

The most efficient is anav's "input drop all" rule.

I can see only a single good thing about collecting addresses of remote devices doing funky things: one can block traffic from those remote devices also for otherwise allowed services.

E.g. if one is hosting a web server and hence traffic with dst-port=443 is in principle allowed, one can still block access to this service from some particular clients.

But even this kind of defense has limited use ... because an attacker might skip those (useless) scanning techniques and go directly for the open service.

Until the router crashes because it runs out of memory...
Already written hundreds of times...

Some “watchdog” scheduled script could be made to watch the count of such a list and remove addresses, oldest first (shortest remaining timeout), when the list reaches some defined threshold count. But still, if a port scan is performed from a very large address pool in a short period, the list can grow well above the threshold before the next scheduled event; I'm not sure how probable this case is unless the router is targeted for such a DDoS.
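An added example (not part of the thread and not anyone's posted config) of the watchdog idea described above, written as a RouterOS script. It assumes the list is named "scan" and that every entry was added with the same address-list-timeout (1w), so the entry with the least remaining timeout is the oldest; the cap of 1000 entries and the 5-minute schedule are arbitrary choices.

```routeros
# Added example: trim the dynamic "scan" address list, oldest entries first,
# once it grows past a cap. Assumes a uniform 1w timeout on all entries.
:local listName "scan"
:local maxEntries 1000

:local count [/ip firewall address-list print count-only where list=$listName]
:if ($count > $maxEntries) do={
    :local excess ($count - $maxEntries)
    :log warning ("scan watchdog: list has $count entries, removing $excess oldest")
    # Each pass removes the single entry with the least remaining timeout.
    # Cost is O(count * excess): fine for the small overshoot a 5-minute
    # schedule normally sees, but no substitute for dropping in /ip firewall raw.
    :while ($excess > 0) do={
        :local found false
        :local oldestId ""
        :local oldestTimeout [:totime "2w"]
        :foreach id in=[/ip firewall address-list find where list=$listName] do={
            :local t [/ip firewall address-list get $id timeout]
            # static entries have no timeout; skip anything that is not a time value
            :if ([:typeof $t] = "time") do={
                :if ($t < $oldestTimeout) do={
                    :set oldestTimeout $t
                    :set oldestId $id
                    :set found true
                }
            }
        }
        :if ($found) do={
            /ip firewall address-list remove $oldestId
        }
        :set excess ($excess - 1)
    }
}
# Install as a script named scan-watchdog and run it periodically, e.g.:
#   /system scheduler add name=scan-watchdog interval=5m on-event=scan-watchdog
```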

I have such rules; usually there are 3-5 addresses added to the list per day, mostly because I watch streams over torrent, so my public IP is available to trackers and peers, and that is a good source for finding active IPs for attackers.