
remove IP on address-list from active connections?

Posted: Thu Jun 28, 2018 2:06 pm
by dadaniel
I have some firewall rules in place that add brute-forcing IPs to a blacklist, but I have the problem that these "established" connections won't be terminated. There is a drop rule in firewall raw, but the IP still gets matched in the "add to address list" rule. Any ideas?

Re: remove IP on address-list from active connections?

Posted: Thu Jun 28, 2018 2:29 pm
by Anumrak
I believe that your rules are in conntrack, because the rules with the address list are under the rules that accept these connections.

Re: remove IP on address-list from active connections?

Posted: Thu Jun 28, 2018 3:04 pm
by dadaniel
Yes, I also believe the next brute-force tries get matched by fasttrack established/related, but how do I remove the affected IP from conntrack? :(

Re: remove IP on address-list from active connections?

Posted: Thu Jun 28, 2018 4:12 pm
by Anumrak
Don't have winbox right now, need time to study the question. I don't think that with rules to add addresses to an address list and then drop the traffic, it will appear in conntrack.

Re: remove IP on address-list from active connections?

Posted: Fri Jun 29, 2018 11:29 am
by dadaniel
I don't think that with rules to add addresses to an address list and then drop the traffic, it will appear in conntrack.
I've already placed an additional drop rule right after the "add addresses to address list" rule, but it is never triggered. It seems that once the packet is matched by the "add addresses to address list" rule, it jumps out of the filter and is not processed by the following rules! Is this a bug?

Re: remove IP on address-list from active connections?

Posted: Fri Jun 29, 2018 11:40 am
by sindy
To remove a tracked connection you have to use a script.

So I'd recommend adding the annoying sources to two address lists, one used to drop new packets from the same source in /ip firewall raw and another one (called e.g. catch-list) used by the script scheduled to run every second, which reads the addresses from that list into an array and then runs foreach through that array with
counter=badip do={
  /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
  /ip firewall address-list remove [find list=catch-list address=$badip]
}

Re: remove IP on address-list from active connections?

Posted: Fri Jun 29, 2018 12:18 pm
by dadaniel
Could you please share the script part that reads addresses from that list into an array? This list is rather large, isn't the array size limited? Why isn't it possible to use only one address-list?

Re: remove IP on address-list from active connections?

Posted: Fri Jun 29, 2018 12:56 pm
by sindy
Could you please share the script part that reads addresses from that list into an array?

{
  # collect the addresses first, because removing list entries while iterating over find results is unsafe
  :local worklist;
  :foreach counter=id in=[/ip firewall address-list find list=catch-list] do={:set worklist ($worklist,[/ip firewall address-list get $id address])};
  :foreach counter=badip in=$worklist do={
    # tracked connections show src-address as "ip:port", so anchor on the IP and require ":" or end of string
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
    # done with this address; drop it from the work list so the next run handles only new arrivals
    /ip firewall address-list remove [find list=catch-list address=$badip]
  }
}

This list is rather large, isn't the array size limited?
Maybe there is a limit, but the script is expected to handle only new arrivals since its last run, and these should form a much shorter list.

You only need to use the array if you want to remove each address from the list after you remove the connections. So you can schedule the script above for periodic runs, and you can run a similar script once manually which walks through the list to which the raw rule refers and just deletes the connections without deleting the addresses from the list:
{
  :local badip;
  :foreach counter=id in=[/ip firewall address-list find list=catch-list] do={
    :set badip [/ip firewall address-list get $id address];
    # remove tracked connections originated by this address; the list entry itself stays
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
  }
}


Why isn't it possible to use only one address-list?
Because you need to let the script deal only with newly added addresses, so after processing each address you have to remove it from the list so that you wouldn't waste resources by attempting to handle it again in the next run of the script. And at the same time you need new packets from these addresses not to establish connections again, so they have to remain in the list forever and a day. So you need two lists.
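The two posts above by sindy describe the pieces (a long-lived list consulted by a raw drop rule, a short-lived catch-list consumed by a scheduled script) but not how they fit together. The following is an added example of the whole arrangement, written here for this page and not taken from the thread or from any MikroTik documentation. The list names blacklist and catch-list, the script and scheduler names, the 30d/1m timeouts, the dst-port=22 match and the assumption that some existing detection rule has already put the offending source on an address list called bruteforce_candidates are all constructed for the example.

```routeros
# Added example (not from the thread). Assumptions: existing brute-force detection
# places the source on the address list "bruteforce_candidates"; list names,
# timeouts, chains and the SSH port are constructed, not taken from the posts.

# 1. raw table: packets from a blacklisted source are dropped before connection
#    tracking ever sees them, so no new connection can be established.
/ip firewall raw
add chain=prerouting src-address-list=blacklist action=drop \
    comment="drop everything from blacklisted sources"

# 2. filter: the same match is applied twice, because one rule can add to only
#    one list. add-src-to-address-list does not end rule processing, so the
#    second rule sees the same packet. blacklist feeds the raw drop rule for a
#    long time; catch-list is the short-lived work queue for the script below.
/ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bruteforce_candidates action=add-src-to-address-list \
    address-list=blacklist address-list-timeout=30d \
    comment="bruteforce: long-lived block list used by the raw drop rule"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=bruteforce_candidates action=add-src-to-address-list \
    address-list=catch-list address-list-timeout=1m \
    comment="bruteforce: work queue for the connection flush script"

# 3. script source, saved under /system script as "flush-blacklisted-connections".
#    The raw rule cannot touch connections that were already tracked when the
#    address was listed; this script purges them and then clears the address
#    from catch-list so the next run only handles new arrivals.
{
  :local worklist [:toarray ""];
  :foreach id in=[/ip firewall address-list find list=catch-list] do={
    :set worklist ($worklist, [/ip firewall address-list get $id address]);
  }
  :foreach badip in=$worklist do={
    # connection src-address is "ip:port": anchor on the IP, then ":" or end of string
    /ip firewall connection remove [find src-address~"^$badip(:|\$)"];
    /ip firewall address-list remove [find list=catch-list address=$badip];
    :log info "flushed tracked connections from blacklisted source $badip";
  }
}

# 4. run the script every second, as suggested in the thread.
/system scheduler
add name=flush-blacklisted interval=1s on-event=flush-blacklisted-connections \
    policy=read,write,test comment="purge conntrack entries of newly blacklisted sources"
```

The regex assumes catch-list holds single host addresses; an entry written with a prefix length (for example a /24 added by hand) would not match any tracked connection and would simply be removed from catch-list on the next run. The blacklist timeout decides how long the raw rule keeps dropping a source after its last offence; the catch-list timeout only needs to outlast the scheduler interval.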