The last FW rule (the default one) is like this:
Code:
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
So one rule above this I added:
Code:
add action=add-src-to-address-list address-list=FW_Block_user_try_unkown_port address-list-timeout=30m chain=\
input comment="This is used to collect users who try non-open ports." in-interface=ether1-Wan
Then, close to the top, this access rule blocks the users in the access list to prevent them from trying more ports.
Code:
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan src-address-list=FW_Block_user_try_unkown_port
Now, looking at Splunk, the number of hits on the last rule goes down from more than 400 hits per 5 min to fewer than 10 per 5 min (after 21:30).
Look at the graph (made using Splunk): viewtopic.php?t=137338
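As an added example (not part of the original post), the following Python script does offline what the Splunk search behind the graph does: it parses RouterOS remote-syslog lines carrying the FW_Drop_all_from_WAN log-prefix, counts hits per 5-minute bucket, lists which ports each source probed, and flags "repeat offenders", i.e. sources dropped more than once within the 30-minute address-list timeout. Once the add-src-to-address-list rule sits directly above the final drop and the address-list drop sits near the top, a source should hit the logged drop rule only once per 30 minutes, so any repeat offender after the change means the rule order or timeout is not what you think. The log lines, host name, MAC and RFC 5737 addresses are constructed sample data, not real traffic; the line layout follows the RouterOS firewall log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: RouterOS remote-syslog lines as they would land in Splunk.
# The first five lines are before the address-list rules (one source probes many
# ports), the last two after them (each source is logged only once).
SAMPLE_LOG = """\
Jun 14 21:20:11 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51234->198.51.100.2:3389, len 60
Jun 14 21:20:12 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51235->198.51.100.2:445, len 60
Jun 14 21:21:40 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.10:51236->198.51.100.2:23, len 60
Jun 14 21:22:05 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.77:40000->198.51.100.2:161, len 78
Jun 14 21:23:59 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.77:40001->198.51.100.2:22, len 60
Jun 14 21:36:02 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.200:60000->198.51.100.2:8080, len 60
Jun 14 21:38:47 router firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.201:60001->198.51.100.2:3306, len 60
"""

# syslog timestamp, host, topic, log-prefix, chain, interfaces, proto, src->dst.
# Ports are optional so ICMP lines (no ports) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ firewall,\w+ "
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<iface>\S+) out:.*?, "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?, len \d+$"
)

DEFAULT_PREFIX = "FW_Drop_all_from_WAN"   # log-prefix of the last drop rule
LIST_TIMEOUT = timedelta(minutes=30)      # address-list-timeout from the post


def parse_line(line, year=2024):
    """Return a dict for one firewall log line, or None if it is not one.
    Syslog lines carry no year, so the caller supplies it (assumed 2024)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "prefix": m["prefix"],
        "src": m["src"],
        "proto": m["proto"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def bucket_start(ts, minutes=5):
    """Floor a timestamp to the start of its N-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def hits_per_bucket(log_text, prefix=DEFAULT_PREFIX, minutes=5):
    """Hits on the rule per N-minute bucket, keyed by HH:MM of bucket start."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix:
            counts[bucket_start(rec["ts"], minutes).strftime("%H:%M")] += 1
    return dict(sorted(counts.items()))


def ports_per_source(log_text, prefix=DEFAULT_PREFIX):
    """Sorted list of destination ports each source was dropped on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and rec["dport"] is not None:
            seen[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in seen.items()}


def repeat_offenders(log_text, prefix=DEFAULT_PREFIX, after=None, window=LIST_TIMEOUT):
    """Sources dropped by the logged rule twice within one address-list timeout.
    With the list rules in place this set should be empty for traffic after
    the change; a non-empty set means the blocking rule is not above the drop."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == prefix and (after is None or rec["ts"] >= after):
            times[rec["src"]].append(rec["ts"])
    offenders = set()
    for src, stamps in times.items():
        stamps.sort()
        if any(b - a <= window for a, b in zip(stamps, stamps[1:])):
            offenders.add(src)
    return offenders


if __name__ == "__main__":
    print("hits per 5 min:", hits_per_bucket(SAMPLE_LOG))
    print("ports per source:", ports_per_source(SAMPLE_LOG))
    change = datetime(2024, 6, 14, 21, 30)
    print("repeat offenders before change:", repeat_offenders(SAMPLE_LOG))
    print("repeat offenders after change:", repeat_offenders(SAMPLE_LOG, after=change))
```

To use it on real data, export the Splunk search results as raw events (or read the router's syslog file) and pass the text to these functions; the bucket size, log-prefix and timeout are parameters so they can be matched to the actual rule set.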