irico
newbie
Topic Author
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Firewall filter add to address list - decrease timeout

Tue Oct 30, 2018 8:48 pm

I was doing tests with the "add src to address list" option of firewall filter rules and I have seen that the timeout can be increased, but I cannot decrease it.

Add the IP to the list dynamically with a 1 minute timeout. Upon receiving a packet that meets the requirements, in the TEST list I see how it is added with a 1 minute timeout.
Then I change the rule so that the timeout is 10 minutes. Upon receiving a packet that meets the requirements, in the TEST list I see how it increases to 10 minutes.
Then I change the rule so that the timeout is 10 seconds. Upon receiving a packet that meets the requirements, in the TEST list I do not see any timeout change.

ROS version: 3.43.4
/ip firewall filter add action=add-src-to-address-list address-list=TEST address-list-timeout=1m chain=input dst-port=5000 protocol=tcp

/ip firewall filter add action=add-src-to-address-list address-list=TEST address-list-timeout=10m chain=input dst-port=5000 protocol=tcp

/ip firewall filter add action=add-src-to-address-list address-list=TEST address-list-timeout=10s chain=input dst-port=5000 protocol=tcp
 
pcunite
Forum Guru
Posts: 1060
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Firewall filter add to address list - decrease timeout

Wed Oct 31, 2018 12:32 am

I doubt you can choose anything under the TCP timeout window. 10 seconds is way too short.
 
mkx
Forum Guru
Posts: 3607
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall filter add to address list - decrease timeout

Wed Oct 31, 2018 10:03 am

The rule adds to the list. If address is in the list already, the entry doesn't get changed. If you want to have different behaviours, you'll have to use more than one address list.
BR,
Metod
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall filter add to address list - decrease timeout

Wed Oct 31, 2018 12:29 pm

It totally makes sense.
When increasing the timeout you are still sure that the action for all previously met rules is still fulfilled.
If you allow decreasing the timeout, that will mean that one rule can cancel the one that was met previously.
 
irico
newbie
Topic Author
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: Firewall filter add to address list - decrease timeout

Wed Oct 31, 2018 1:35 pm

pcunite wrote:
I doubt you can choose anything under the TCP timeout window. 10 seconds is way too short.

I am not talking about TCP timeout. I am talking about address list timeout.

mkx wrote:
The rule adds to the list. If address is in the list already, the entry doesn't get changed. If you want to have different behaviours, you'll have to use more than one address list.

It really is not like that. If an IP is in the list, and goes through a rule that increases the time in that list, it works.
What I really want is to be able to remove an IP from a dynamic list with some "port-knock" type system.
 
WeWiNet
Member Candidate
Posts: 207
Joined: Thu Sep 27, 2018 4:11 pm

Re: Firewall filter add to address list - decrease timeout

Wed Oct 31, 2018 2:45 pm

An even simpler way is to add a rule just before it that "white lists" the "black listed" IP (accepts it).
It then can still run out in the black list but without any impact!

Can you make that work?
WeWiNet

**
MTCNA
hapac2, map, hap-lite, ltap-mini, RB4011 :-) !!!
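The layout WeWiNet describes, written out as RouterOS filter rules. This is an added example, not configuration posted by anyone in this thread; the list names BLACKLIST and WHITELIST, the knock port 5001 and the 1 minute whitelist timeout are assumptions, while port 5000 and the 10 minute timeout come from the original post. RouterOS walks filter rules top to bottom and stops at the first terminating match, so the accept rule has to sit above the drop rule for the whitelist to win; the dynamic BLACKLIST entry is never shortened, it simply stops mattering while the source is whitelisted.

```routeros
# Added example, not from the thread. Assumed: lists BLACKLIST and WHITELIST,
# knock port 5001, 1m whitelist timeout. Port 5000 and 10m are from the original post.
/ip firewall filter
# Knock rule placed first so that a currently blacklisted source can still knock.
# add-src-to-address-list is a passthrough action: the packet continues down the chain.
add chain=input protocol=tcp dst-port=5001 action=add-src-to-address-list address-list=WHITELIST address-list-timeout=1m comment="knock: temporarily whitelist the source"
# Accept whitelisted sources BEFORE the blacklist drop; order is what makes this work.
add chain=input src-address-list=WHITELIST action=accept comment="whitelist overrides blacklist"
# Blacklisted sources are dropped; their dynamic entry times out on its own.
add chain=input src-address-list=BLACKLIST action=drop comment="drop blacklisted sources"
# Trigger from the original post. A later match can extend this timeout but not shorten it.
add chain=input protocol=tcp dst-port=5000 action=add-src-to-address-list address-list=BLACKLIST address-list-timeout=10m comment="trigger: blacklist for 10m"
```

To verify the ordering on a live router, check the rule list with `/ip firewall filter print` and the dynamic entries with `/ip firewall address-list print`: a source that hits port 5001 shows up in WHITELIST with a shrinking timeout while its BLACKLIST entry, if any, keeps counting down untouched.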
