Yes, the time lag is very short, less than 2 seconds.
Q1. The simple answer, of course, is "that depends". I do have services that I have open to the wild, so in my case I do want to stop someone trying to gain access through those services. If you don't have any services published, and are just a consumer of the internet, then certainly that removes a big reason for doing so. Just be sure that you really don't have any services published... like IoT devices.
Q2. Yes, Suricata can be used to scan outbound traffic looking for potential threats. I do a minimal amount of this, but it is supported. Just make sure the filter on your sniffer is passing outbound traffic to Suricata.
Q3. You don't know what you don't know. Before I implemented this I ran Suricata against my traffic to see what was happening. Like I said, in Indonesia I was seeing hundreds of hits an hour. On my server that is in the US, I was seeing maybe a dozen soft hits in a day, which the Mikrotik could handle with the basic firewall rules.
Great explanation Tom, it sounds a bit like what the layer7 firewall does on the Mikrotik, looking for a pattern of packets etc.
I have read that using layer7 rules really loads the MT CPU, so what you are in effect doing is offloading that work and using the MT at the very front end to implement the outcome (filter rules, bad IPs). I imagine the time lag to sniff a packet and have the MT put up a rule or add IPs to an existing rule is very short?
Don't laugh, but I have my basic rules set up as:
(my specific allow rules)
drop all else.
Q1. Do I really need all this IDS/IDP, synflood, tarpit, blacklists etc.?
In other words, I don't expect anybody to gain access to my router or on my devices based on unsolicited incoming traffic (inbound as you state).
However, what I don't have control over is folks accessing sites or clicking on emails with bad stuff without knowing it.
Thus where I see the router coming into play is stopping bad outbound traffic (because returns from the bad actor will be allowed back in as established/related), and thus one has to nip this before the traffic is allowed out. Some layer7 rules are probably a good idea here.
Q2. Does your program or methods address this aspect?
Q3. What is the difference between all the stuff you are managing and my simple technique of:
- adding raw rules to capture all probes on common ports (that I don't use, so prerouting capture has no negative effects).
- adding filter rules to capture all probes on common ports I do use, but placed in order so they only apply after my own needs have been met (for example DST port - I only port forward from known WAN IPs allowed via a source-address-list, and only to devices on their own VLAN). Then in raw, I drop all those captured IPs. My logic, good or bad, is that I will stop the majority of bad actors for a set time, be it 4 hours or 2 days, and that is just as effective as any other set of blacklists etc.
However, why bother when I already have drop rules on my router (other than stopping repeated attempts or multi port attempts at router).
Any input or clarification or guidance most appreciated as I know very little on this front and always willing to learn.
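As an added example (not either poster's configuration, and not the sniffer-to-router bridge Tom describes, which the thread does not show), here is what the "capture probes, then drop the captured sources" technique from the question above looks like in RouterOS firewall syntax, together with drop rules for a list an external Suricata feed could populate. The list names (probers, suricata-block, admin-wan), the interface lists WAN and LAN, the port numbers and the timeouts are all assumptions for illustration:

```routeros
# Added example; list names, ports, timeouts and the interface lists WAN/LAN are assumptions.

/ip firewall raw
# Sources already caught are dropped in prerouting, before connection tracking spends any effort.
add chain=prerouting in-interface-list=WAN src-address-list=probers \
    action=drop comment="drop hosts already caught probing"
# A list an external tool (e.g. something reading Suricata alerts) fills in; entries
# should be added with a timeout so they expire on their own.
add chain=prerouting in-interface-list=WAN src-address-list=suricata-block \
    action=drop comment="drop sources flagged by the external feed (assumed list)"
# Ports this router serves nothing on: any packet to them from the WAN is a probe.
# Tag the source for a day; nothing legitimate is affected because nothing listens here.
add chain=prerouting in-interface-list=WAN protocol=tcp \
    dst-port=21,23,25,135,139,445,1433,3306,3389,5900 \
    action=add-src-to-address-list address-list=probers address-list-timeout=1d \
    comment="unused ports: tag the scanner"

/ip firewall filter
# Replies to connections the router itself opened.
add chain=input connection-state=established,related action=accept
# A port the router does expose (WinBox 8291 here, as an example). The allow rule for
# known management addresses comes first, so only sources that failed that check are
# tagged; a shorter timeout (4h) because a typo'd address should not lock you out for long.
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    src-address-list=admin-wan action=accept comment="management from known WAN IPs"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291 \
    action=add-src-to-address-list address-list=probers address-list-timeout=4h \
    comment="unknown source knocking on an exposed port"
add chain=input in-interface-list=WAN action=drop comment="drop all else"
# Outbound direction: a LAN host contacting a flagged destination is stopped before the
# connection exists, so an established,related rule never has a reply to let back in.
add chain=forward in-interface-list=LAN dst-address-list=suricata-block \
    action=drop comment="block outbound to flagged destinations"
```

Rule order is the whole point here: in raw, the drop of already-listed sources sits before the tagging rule, so a repeat packet costs one list lookup and nothing else, but it also means the timeout is not renewed on repeat hits (swap the two rules if you want persistent scanners to stay listed for as long as they keep knocking). In the input chain the accept for known addresses must precede the tagging rule, otherwise your own management traffic ends up on the block list. Verify what the rules are catching with `/ip firewall address-list print where list=probers` before trusting the drops.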