
HELP Firewall Rules

Posted: Sat Apr 28, 2018 11:32 am
by IS0FFD
Hi all!
I have a CRS125 with these firewall rules:
17    ;;; Port Scanner Detect
      chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w 

18    ;;; Drop to port scan list
      chain=input action=drop src-address-list=Port_Scanner 

In my LAN I have an RB750Gr3 with Dude, but it is continually inserted in the "Port_Scanner" list.

How can I solve this?

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 12:37 pm
by Anumrak
Extract Hex IP from list or deactivate the rule?

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 12:46 pm
by IS0FFD
Extract Hex IP from list or deactivate the rule?
I would like it if possible to make a white list with the addresses known to be excluded from the rule.


sorry but I'm trying to learn!

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 1:08 pm
by Anumrak
Extract Hex IP from list or deactivate the rule?
I would like it if possible to make a white list with the addresses known to be excluded from the rule.


sorry but I'm trying to learn!
Try something like this:

chain=input action=drop src-address-list=Port_Scanner
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

or with a white list:

chain=input action=drop src-address-list=!White_List
chain=input action=accept protocol=tcp psd=21,3s,3,1 address-list=White_List

"=!" means: not what you point at.

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 1:43 pm
by IS0FFD

Try something like this:

chain=input action=drop src-address-list=Port_Scanner
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

or with a white list:

chain=input action=drop src-address-list=!White_List
chain=input action=accept protocol=tcp psd=21,3s,3,1 address-list=White_List

"=!" means: not what you point at.

chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
does not work...

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 2:21 pm
by Anumrak

Try something like this:

chain=input action=drop src-address-list=Port_Scanner
chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

or with a white list:

chain=input action=drop src-address-list=!White_List
chain=input action=accept protocol=tcp psd=21,3s,3,1 address-list=White_List

"=!" means: not what you point at.

chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of HEx"
does not work...
Sorry, but did you assign the IP address of your hEX router in src-address, or just the words I wrote?

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 2:32 pm
by Anumrak
And I'm sorry for incorrect sequence:

chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of your Hex"
chain=input action=drop src-address-list=Port_Scanner
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 4:34 pm
by msatter
And I'm sorry for incorrect sequence:

chain=input action=accept protocol=tcp psd=21,3s,3,1 src-address="IP of your Hex"
chain=input action=drop src-address-list=Port_Scanner
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w
Not....I mean you have to use not (!), so you need only one line.
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 src-address=!"IP of your Hex" address-list=Port_Scanner address-list-timeout=1w
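Both fixes above, Anumrak's reordered rule set (accept the hEX first, then drop the list, then add to the list) and msatter's single rule with src-address=!..., come down to how a first-match chain evaluates rules. The following Python model is an added example, not code from the thread or from MikroTik: it replays the three rule sets (the original two rules, the reordered whitelist, and the negated single rule) against constructed traffic from a hEX address and a scanner address, both invented here. The psd heuristic itself is not reproduced; a packet simply carries a flag saying whether psd would have fired for its source. add-src-to-address-list is modelled as a non-terminating action (the packet continues to the next rule), and an unmatched packet falls through to the chain's default accept.

```python
from dataclasses import dataclass
from typing import Optional

HEX_IP = "192.168.88.2"      # constructed: LAN address of the hEX running Dude
SCANNER_IP = "203.0.113.9"   # constructed: a host whose probes trip psd


@dataclass
class Packet:
    src: str
    protocol: str = "tcp"
    psd_hit: bool = False    # True when the psd matcher would fire for this source


@dataclass
class Rule:
    action: str                          # accept | drop | add-src-to-address-list
    protocol: Optional[str] = None
    psd: bool = False                    # rule carries a psd=... matcher
    src_address: Optional[str] = None
    negate_src: bool = False             # src-address=!x
    src_address_list: Optional[str] = None
    negate_list: bool = False            # src-address-list=!x
    address_list: Optional[str] = None   # target list for add-src-to-address-list


class InputChain:
    """First-match evaluation of an input chain with dynamic address lists."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.lists: dict[str, set[str]] = {}

    def matches(self, rule: Rule, pkt: Packet) -> bool:
        if rule.protocol and rule.protocol != pkt.protocol:
            return False
        if rule.psd and not pkt.psd_hit:
            return False
        if rule.src_address is not None:
            # negate_src flips the sense of the src-address match
            if (pkt.src == rule.src_address) == rule.negate_src:
                return False
        if rule.src_address_list is not None:
            in_list = pkt.src in self.lists.get(rule.src_address_list, set())
            if in_list == rule.negate_list:
                return False
        return True

    def process(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not self.matches(rule, pkt):
                continue
            if rule.action == "add-src-to-address-list":
                self.lists.setdefault(rule.address_list, set()).add(pkt.src)
                continue          # non-terminating: keep walking the chain
            return rule.action    # accept / drop terminate evaluation
        return "accept"           # chain default when nothing matched


def original_rules() -> list[Rule]:
    """The OP's two rules: list first, then drop the list."""
    return [
        Rule("add-src-to-address-list", protocol="tcp", psd=True, address_list="Port_Scanner"),
        Rule("drop", src_address_list="Port_Scanner"),
    ]


def whitelisted_rules() -> list[Rule]:
    """Anumrak's corrected order: accept the hEX before anything else."""
    return [
        Rule("accept", protocol="tcp", psd=True, src_address=HEX_IP),
        Rule("drop", src_address_list="Port_Scanner"),
        Rule("add-src-to-address-list", protocol="tcp", psd=True, address_list="Port_Scanner"),
    ]


def negated_rules() -> list[Rule]:
    """msatter's single rule: src-address=!hEX on the listing rule itself."""
    return [
        Rule("add-src-to-address-list", protocol="tcp", psd=True,
             src_address=HEX_IP, negate_src=True, address_list="Port_Scanner"),
        Rule("drop", src_address_list="Port_Scanner"),
    ]


def run(rules: list[Rule]) -> tuple[list[str], list[str]]:
    """Replay constructed traffic; return per-packet verdicts and the final list."""
    chain = InputChain(rules)
    traffic = [
        Packet(HEX_IP, psd_hit=True),      # Dude's monitoring trips psd
        Packet(HEX_IP),                    # ordinary follow-up traffic from the hEX
        Packet(SCANNER_IP, psd_hit=True),  # a real scan
        Packet(SCANNER_IP),                # scanner's next packet
    ]
    verdicts = [chain.process(p) for p in traffic]
    return verdicts, sorted(chain.lists.get("Port_Scanner", set()))


if __name__ == "__main__":
    for name, rules in [("original", original_rules()),
                        ("whitelisted", whitelisted_rules()),
                        ("negated", negated_rules())]:
        print(name, run(rules))
```

With the original rules the hEX lands in Port_Scanner and every later packet from it is dropped, which is exactly the symptom in the first post. The reordered set never lists the hEX, but note that with drop placed before add-src-to-address-list the scan packet that triggers the listing is itself accepted and only the scanner's next packet is dropped; the single negated rule keeps the OP's original order, so the triggering packet is dropped too, while the hEX is simply never listed.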

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 6:06 pm
by ingdaka
I will suggest you another thing: remove firewall rules from the switch, because switches get more CPU usage from firewall rules!

Re: HELP Firewall Rules

Posted: Sat Apr 28, 2018 6:23 pm
by anav
Hi there, I do something very similar.........
(I have two WAN IPs, otherwise I would have probably used in-interface WAN)
.....
IP Filter
{Port Scans TCP make list}
   chain=input action=add-src-to-address-list protocol=tcp dst-port=23,53,123,445,8291 in-interface-list=WAN address-list=port_scans_tcp address-list-timeout=2d
{Port Scans UDP make list}
   chain=input action=add-src-to-address-list protocol=udp dst-port=23,53,123,445,8291 in-interface-list=WAN address-list=port_scans_udp address-list-timeout=2d
Then I use RAW rules (not filter) and PREROUTING to kill the list entries before they enter the router at all (no tracking etc......)
....
IP RAW
{Drop Scans TCP}
   chain=prerouting action=drop src-address-list=port_scans_tcp
{Drop Scans UDP}
   chain=prerouting action=drop src-address-list=port_scans_udp