Dear all,
I am looking for a way to run a script if a firewall rule is triggered and pass the source IP that triggered the rule to the script.
I guess I could add the IP to a fw address list and regularly scan the address list by a scheduled script, but I am wondering if the gurus here know a more elegant/simpler way.
Thanks in advance!
Yeah, me too, interested to know!
Unfortunately, no other solution than the one you’ve found out yourself is currently available. I miss a script to be linked to a change of an address-list too. Just beware, scripts can still see dynamic items of address lists for about 5 seconds after they time out.
Why would you need a function like this? I do ask, since if I know the reason, I may see another way to solve this.
I do use Splunk to handle stuff that I need to monitor.
Not a simple solution to solve this, but if you like to add an IP to an access list and drop it:
# Send packet to chain "Demo" of its tcp/23
add action=jump chain=input dst-port=23 jump-target=Demo protocol=tcp
# In chain "Demo" add src address to address list "test_list"
add action=add-src-to-address-list address-list=test_list address-list-timeout=none-dynamic chain=Demo
# In chain "Demo" drop the packets
add action=drop chain=Demo
This script will print out all new addresses added to the list. Other stuff could be done as well.
:global counter
# first run: the global does not exist yet, so start the count below zero
:if ([:typeof $counter] = "nothing") do={ :set counter -1 }
:local test -1
:foreach i in=[/ip firewall address-list find where list="test_list"] do={
    :set test ($test + 1)
    # entries beyond the count seen on the previous run are new
    # (works because the list only grows: entries never time out)
    :if ($test > $counter) do={
        :put [/ip firewall address-list get $i address]
    }
}
:set counter $test
Whenever you MacGyver, i.e. use the Mikrotik as a standalone solution for a specific case. My examples:
- a customer wants to be alerted about a specific fault of some other equipment by flashes and whistles. OK, so you buy a signal tower from a renowned company which declares it can signal inactivity on an incoming TCP connection (so if that remote device stops sending packets periodically through that connection, it triggers the alert notification). And when that hi-tech thing arrives, you find out that once that TCP connection fails, a new one is rejected until you reboot the signal tower. The manufacturer refuses to provide a patch. So the solution is to find something small, undemanding on power requirements, capable of driving 24 V DC LEDs, with a case which can cover how the cable from the signal tower is terminated on multiple Ethernet connectors… the answer is Mikrotik Powerbox. And you need to monitor the other equipment (by watching its keepalives) but also a twin Powerbox & signal tower, to eliminate a SPOF in the monitoring part. So the monitored equipment must be actively pinging both the Tiks, and the Tiks must be pinging each other, and you monitor all this by adding dynamic items to an address-list and starting to flash the lights once the items disappear.
- a less exotic one, you want to check that some particular traffic exists on the right WAN interface, and if it doesn’t, do something - send an alert, power-cycle a LTE modem…
- it is a nightmare to calculate e.g. “2 hours 3 minutes 9 seconds from now” with the datetime format in ROS scripting, so it is much easier to create an address list item with this lifetime, and link the next action to expiration of this item (or, in other words, to the whole address-list becoming empty).
@Jotne, good idea!
One can also detect changes in the address list by extending this script with logic such as:
for example doing a simple CRC-like summing over all important fields of all records and storing that in a global var…
I did make a script over here (I did it! Script to compute UNIX time! - #9 by Jotne) that converts time to epoch.
My hope is that MT make this a built-in function to calculate time difference.
Here is the support reply to my question about using ISO 8601 time format.
Thank you for the suggestion. I agree that the ISO 8601 makes sense and is understandable. I will report it as a feature request, but since it could affect many components, I can’t promise if it will be implemented any time soon.
My application is quite simple: I grant access to certain services based on port knocking. Being well aware that this is not very secure, I want to monitor this, whereas I am only interested in new IPs that successfully authenticated via port knocking. This is easy to do by a couple of firewall rules like these:
/ip firewall filter
add action=add-src-to-address-list address-list=Port-Knock-1 address-list-timeout=1s chain=input dst-port=3 protocol=tcp
add action=add-src-to-address-list address-list=Port-Knock-2 address-list-timeout=1s chain=input dst-port=5 protocol=tcp src-address-list=Port-Knock-1
add action=add-src-to-address-list address-list=Port-Knock-Safe address-list-timeout=2h chain=input dst-port=4 protocol=tcp src-address-list=Port-Knock-2
add action=drop chain=input dst-port=3 protocol=tcp src-address-list=Port-Knock-Seen
add action=add-src-to-address-list address-list=Port-Knock-Seen address-list-timeout=none-dynamic chain=input dst-port=3 log=yes log-prefix="LOGALERT " protocol=tcp src-address-list=Port-Knock-2
I can now regularly run a script to check the log for LOGALERT and notify me by email, Telegram, or whatever. But I hoped for a simpler solution where I could directly trigger a script from the fw rule.
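The approach Jotne's counting script and the CRC-summing suggestion point at, written out as an added example (not code from any poster): a scheduled script that diffs the Port-Knock-Safe list from the rules above against a snapshot kept in a global array, so it also catches an IP that knocks again after its entry timed out, and hands each new IP to whatever action you want. The global names `seenKnock` and `lastNewIp`, the 10 s schedule and the log-only handler are my assumptions.

```routeros
# Run from /system scheduler, e.g. interval=10s (assumed).
# Snapshot of the list as seen on the previous run, keyed by address.
:global seenKnock
:if ([:typeof $seenKnock] != "array") do={ :set seenKnock [:toarray ""] }
# Last address handed over; another script can read this global (assumed name).
:global lastNewIp

:local listName "Port-Knock-Safe"
:local current [:toarray ""]

# Build an array keyed by address, so lookup does not depend on entry order
# and entries that timed out simply disappear from the array.
:foreach id in=[/ip firewall address-list find where list=$listName] do={
    :local addr [/ip firewall address-list get $id address]
    :set ($current->"$addr") true
}

# New entries: present now, absent from the previous snapshot.
:foreach addr,v in=$current do={
    :if ([:typeof ($seenKnock->"$addr")] = "nothing") do={
        :set lastNewIp $addr
        # handler: replace the log line with e-mail, Telegram, WoL, ...
        :log warning ("port knock succeeded from $addr")
    }
}

# Removed entries: present in the snapshot, absent now (timed out or deleted).
:foreach addr,v in=$seenKnock do={
    :if ([:typeof ($current->"$addr")] = "nothing") do={
        :log info ("access for $addr expired")
    }
}

:set seenKnock $current
```

As noted earlier in the thread, a timed-out entry can still be visible to scripts for a few seconds, so the expiry branch fires one run late; the detection of new entries is unaffected.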
Not a simple solution, but I do monitor lots of stuff using Splunk (see my signature)
There is a specific view that shows all filter rule actions, so I can see what is going on.
I do log my last port of chain in port-knock to Splunk, so I can see who enters. So far it's only me, since no automatic script tries to enter in correct order within the time limit.
And I also have a strict policy: if you try to knock or test a port that is not open, block the IP for 24 hours.
This way it's very hard to enter my router by just trying, scripted or manual.
This also prevents attacks on my other ports, since many of the testers are scripts that, when they find one open port (e.g. 80), will try lots of stuff to enter.
My access list for blocked intruders does vary from 2000 to 15000 unique IPs at any time.
address-list-timeout=none-dynamic
I do not give any permanent access. Just 1 day. If I need permanent access, I add the IP manually to the white list.
Isn’t the other option to get Mikrotik to create another firewall action to run a script?
Charles
Item 3 of yours would probably be the simplest to implement.
Have a schedule to check your list once every 5 minutes to see if it’s empty. If it’s empty, trigger your job, and set a variable. Set a timer for 5 minutes to reset the variable, and then re-loop.
For your firewall rule that adds the addresses to the list, have it set for a 5m15s to 6m timeout, so that there’s a bit of overlap between it and your list checker script schedule.
I need a script that does the following.
I have a Disney Circle on my LAN side. The main purpose is to allow my wife to control the kids' Internet when needed via the app. What happens if the kids unplug and shut off the Circle? Full access to the Internet.
So, I am thinking a simple script that pings the Circle on the LAN side. If it does not respond, insert a firewall rule to block all Internet.
I figure I can run it every 15 minutes. No response, insert blocking rule. If it starts responding, take the rule out?
Thoughts?
Here was my solution to this. May not be elegant, but it serves my purpose. In my case, I wanted to trigger a script that would send Wake On Lan packets to one of two computers based on the last step of a port knock sequence. So what I did was set up the last port knock step to write a log entry. Then there is a script that reads the log looking for the log entry. If it finds the log entry, it sends the WoL packets to whichever computer is specified. The script runs every minute.