TheSirStumfy
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Oct 14, 2018 7:54 pm

Large blacklists for firewall

Fri Feb 14, 2020 12:14 pm

Hello everyone,

Does anyone have any experience with large block lists?

I am running an email server and get hit with brute-force password attacks from IPs that are commonly found in blacklists.

Although the server features and is set up for automatic lockout of IPs that make multiple attempts at passwords, I would like to move this to the firewall.

Does anyone have any experience with what kind of a performance hit an 11k-line blacklist makes on the router? The router is an RB3011.

Regards
 
pcunite
Forum Guru
Posts: 1068
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Large blacklists for firewall

Fri Feb 14, 2020 3:14 pm

11K should be fine. I have 4,000 on an RB3011 and it's no trouble. Use RAW rules, something like this:

/ip firewall raw
add action=drop chain=prerouting disabled=yes in-interface=ether1 src-address-list=PortScanners
add action=add-src-to-address-list address-list=PortScanners address-list-timeout=2w chain=prerouting disabled=yes dst-port=10,25,333 in-interface=ether1 protocol=udp src-address-list=!WinboxAllow
add action=add-src-to-address-list address-list=PortScanners address-list-timeout=2w chain=prerouting disabled=yes dst-port=10,25,333 in-interface=ether1 protocol=tcp src-address-list=!WinboxAllow
 
msatter
Forum Guru
Posts: 1378
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Large blacklists for firewall

Fri Feb 14, 2020 3:17 pm

Just try it out and use the following example .rsc file to import your IP list:
:global i do={ /ip firewall address-list add list=blacklist-email timeout=35w3d13:13:56 address="$a" }
:do { /ip firewall address-list remove [find where list=blacklist-email] } on-error={}
$i a=x.x.x.x
$i a=x.x.x.x
$i a=x.x.x.x
.
.
.
$i a=x.x.x.x
$i a=x.x.x.x
$i a=x.x.x.x
This will import the IP addresses (each represented by x.x.x.x) very efficiently.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46.x / Winbox 3.21 / MikroTik APP 1.3.10
Android device owners, use https://github.com/M66B/NetGuard/releases (no root required)
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 67
Joined: Sun Oct 14, 2018 7:54 pm

Re: Large blacklists for firewall

Fri Feb 14, 2020 3:50 pm

Ok, thank you, I see that you both use address-list timeouts.

Am I correct in understanding that this is so IPs that never get detected again get removed from the list?

Also I see prerouting is used instead of input; this is to save the routing overhead on the CPU, right?
 
mkx
Forum Guru
Posts: 3745
Joined: Thu Mar 03, 2016 10:23 pm

Re: Large blacklists for firewall

Fri Feb 14, 2020 6:29 pm

Timeouts are used so that the config doesn't get written to NV storage. Nor does this part consume space in the exported config.

Prerouting is used so that these connections get dropped for both input and forward ... and they get dropped as soon as possible.
BR,
Metod
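Added example, not code from any poster in this thread: a small Python generator that turns a raw blocklist file (comments, blanks, duplicates, CIDR ranges, invalid lines) into an .rsc import file in the same shape as msatter's `:global i` example above, keeping the timeout that mkx explains so the list never lands in NV storage or the export. The list name `blacklist-email` and the timeout value are taken from the thread; the sample blocklist is constructed for the demo.

```python
import ipaddress

# Constructed sample blocklist: comments, blanks, a duplicate, a CIDR, an IPv6
# entry and two garbage lines, the kind of noise a downloaded feed contains.
SAMPLE_BLOCKLIST = """# constructed example list
198.51.100.7
198.51.100.7
203.0.113.0/24  ; scanner range
2001:db8::1
not-an-address
192.0.2.300
"""

def parse_blocklist(text):
    """Return deduplicated, validated IPv4 entries (hosts and CIDRs) in input order.
    '#' and ';' comments are stripped; invalid lines and non-IPv4 entries are skipped."""
    seen, entries = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # garbage line, not an address or prefix
        if net.version != 4:
            continue  # /ip firewall address-list takes IPv4 only
        # RouterOS accepts "a.b.c.d" or "a.b.c.d/len"; normalise both forms
        entry = str(net.network_address) if net.prefixlen == 32 else str(net)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries

def build_rsc(entries, list_name="blacklist-email", timeout="35w3d13:13:56"):
    """Emit the .rsc import file: one global helper, a remove of the old list
    (ignoring the error when it does not exist yet), then one call per entry."""
    lines = [
        ':global i do={ /ip firewall address-list add list=%s timeout=%s address="$a" }'
        % (list_name, timeout),
        ':do { /ip firewall address-list remove [find where list=%s] } on-error={}' % list_name,
    ]
    lines += ["$i a=%s" % e for e in entries]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Redirect this output to blacklist-email.rsc and run /import on the router.
    print(build_rsc(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

The resulting address list is what a raw prerouting drop rule like pcunite's (`src-address-list=blacklist-email`) would reference.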
