dadaniel
Member Candidate
Topic Author
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

remove IP on address-list from active connections?

Thu Jun 28, 2018 2:06 pm

I have some firewall-rules in place that will add bruteforcing IPs to a blacklist, but I have the problem that these "established" connections won't be terminated. There is a drop rule in Firewall-Raw but the IP still gets matched in the "add to address list" rule. Any ideas?
 
Anumrak
Forum Veteran
Posts: 993
Joined: Fri Jul 28, 2017 2:53 pm

Re: remove IP on address-list from active connections?

Thu Jun 28, 2018 2:29 pm

I believe that your rules are in the conntracker, because the rules with the address list are under the rules that accept these connections.
 
dadaniel
Member Candidate
Topic Author
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: remove IP on address-list from active connections?

Thu Jun 28, 2018 3:04 pm

Yes, I also believe the next bruteforce tries get matched by fasttrack established/related, but how do I remove the affected IP from conntrack? :(
 
Anumrak
Forum Veteran
Posts: 993
Joined: Fri Jul 28, 2017 2:53 pm

Re: remove IP on address-list from active connections?

Thu Jun 28, 2018 4:12 pm

Don't have winbox right now, need time to study the question. I don't think that with rules to add addresses to an address list and then drop the traffic, it will appear in the conntracker.
 
dadaniel
Member Candidate
Topic Author
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: remove IP on address-list from active connections?

Fri Jun 29, 2018 11:29 am

I don't think that with rules to add addresses to an address list and then drop the traffic, it will appear in the conntracker.
I've already placed an additional drop rule right after the "add addresses to address list" rule, but it is never triggered. It seems once the packet is matched by the "add addresses to address list" it jumps out of the filter and is not processed by the following rules! Is this a bug?
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: remove IP on address-list from active connections?

Fri Jun 29, 2018 11:40 am

To remove a tracked connection you have to use a script.

So I'd recommend adding the annoying sources to two address lists: one dropping new packets from the same source in /ip firewall raw, and another one (called e.g. catch-list) used by a script scheduled to run every second, which reads the addresses from that list into an array and then runs foreach through that array with
:foreach counter=badip in=$worklist do={
  # $worklist holds the addresses read from catch-list;
  # connection src-address is "ip:port", so match the IP followed by ":" or end of string
  /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
  /ip firewall address-list remove [find list=catch-list address=$badip]
}
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
dadaniel
Member Candidate
Topic Author
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: remove IP on address-list from active connections?

Fri Jun 29, 2018 12:18 pm

Could you please share the script part that reads addresses from that list into an array? This list is rather large, isn't the array size limited? Why is it not possible to use only one address-list?
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: remove IP on address-list from active connections?

Fri Jun 29, 2018 12:56 pm

Could you please share the script part that reads addresses from that list into an array?

{
  # start from an empty array, then collect the addresses before touching the list
  :local worklist [:toarray ""];
  :foreach counter=id in=[/ip firewall address-list find list=catch-list] do={
    :set worklist ($worklist,[/ip firewall address-list get $id address])
  };
  :foreach counter=badip in=$worklist do={
    # connection src-address is "ip:port", so match the IP followed by ":" or end of string
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
    /ip firewall address-list remove [find list=catch-list address=$badip]
  }
}

This list is rather large, isn't the array size limited?
Maybe there is a limit, but the script is expected to handle only new arrivals since its last run, and these should form up a much shorter list.

You only need to use the array if you want to remove each address from the list after you remove the connections. So you can schedule the script above for a periodic run, and you can manually run once a similar script which runs through the list to which the raw rule refers and just deletes the connections without deleting the addresses from the list:
{
  :local badip;
  # walk the list the raw drop rule refers to (substitute its name for catch-list)
  :foreach counter=id in=[/ip firewall address-list find list=catch-list] do={
    :set badip [/ip firewall address-list get $id address];
    # connection src-address is "ip:port", so match the IP followed by ":" or end of string
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
  }
}

Why it's not possible to use only one address-list?
Because you need to let the script deal only with newly added addresses, so after processing of each address you have to remove it from the list so that you wouldn't waste resources by attempting to handle it again in the next run of the script. And at the same time you need that new packets from these addresses do not establish connections again, so they have to remain in the list forever and a day. So you need two lists.
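The two-list design described in sindy's two posts above, wired together end to end, as an added example that is not configuration from this thread or from MikroTik: a raw drop on the permanent list, two filter rules feeding both lists, the clean-up script, and the scheduler entry. The list names (bruteforce-drop, catch-list), the detection criterion (an already existing "ssh-stage3" staging list, as in the usual staged brute-force rules), the timeouts and the script and scheduler names are all assumptions.

```routeros
# Added example, not configuration from the thread. List names, the
# ssh-stage3 detection list, timeouts and the script/scheduler names are
# assumptions; adapt them to the existing rules.

# 1. Permanent list, enforced in raw. raw runs before connection tracking, so
#    a listed source can never create a new conntrack entry, and the fasttrack /
#    established,related accept rules in filter never see these packets.
/ip firewall raw
add chain=prerouting src-address-list=bruteforce-drop action=drop \
    comment="blacklisted sources, dropped before conntrack"

# 2. Detection: the rule that identifies the brute-forcer adds it to BOTH
#    lists. One rule can add to only one list, hence two rules; the
#    add-src-to-address-list action passes the packet on to the next rule.
#    Both rules must sit above the fasttrack / established,related accept
#    rules, otherwise later packets of an already tracked connection never
#    reach them (the problem described at the top of this thread).
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage3 action=add-src-to-address-list \
    address-list=bruteforce-drop address-list-timeout=10d \
    comment="permanent block list, used by the raw rule"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh-stage3 action=add-src-to-address-list \
    address-list=catch-list address-list-timeout=1h \
    comment="work list for the clean-up script"

# 3. Clean-up script: create it under /system script as "flush-catch-list"
#    with policy read,write and paste the following as its source.
#    For every address on catch-list it removes each tracked connection from
#    that source, then removes the address from catch-list, so the next run
#    only handles new arrivals. The bruteforce-drop entry stays, so raw keeps
#    dropping the source. [find] is evaluated once before the loop, so
#    removing entries inside the loop is safe.
:foreach id in=[/ip firewall address-list find list=catch-list] do={
    :local badip [/ip firewall address-list get $id address]
    # connection src-address is "ip:port": match the IP followed by ":" or end of string
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"]
    /ip firewall address-list remove $id
}

# 4. Run the script every second, as proposed in the thread; a longer
#    interval only lengthens the time a caught connection stays open.
/system scheduler
add name=flush-catch-list interval=1s on-event=flush-catch-list policy=read,write
```

The script body in step 3 removes list entries by the id returned from find rather than by address, which is why it needs no intermediate array; the array in sindy's version serves the same purpose of not modifying the list while it is being enumerated.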
