DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Run a script if a firewall rule is triggered

Wed May 27, 2020 10:28 pm

Dear all,
I am looking for a way to run a script if a firewall rule is triggered and pass the source IP that triggered the rule to the script.
I guess I could add the IP to a fw address list and regularly scan the address list by a scheduled script, but I am wondering if the gurus here know a more elegant/simpler way.
Thanks in advance!
Last edited by DL7JP on Thu May 28, 2020 11:39 am, edited 1 time in total.
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 2:53 am

Yeah, me too, interested to know :-)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 10:46 am

Unfortunately, no other solution than the one you've found out yourself is currently available. I miss a script to be linked to a change of an address-list too. Just beware, scripts can still see dynamic items of address lists for about 5 seconds after they time out.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 5:42 pm

Why would you need a function like this? I do ask since, if I know the reason, I may see another way to solve this.
I do use Splunk to handle stuff that I need to monitor.

Not a simple solution, but if you like to add an IP to an access list and drop it:
/ip firewall filter
# Send packets to chain "Demo" if it's tcp/23
add action=jump chain=input dst-port=23 jump-target=Demo protocol=tcp
# In chain "Demo" add the src address to address list "test_list"
add action=add-src-to-address-list address-list=test_list address-list-timeout=none-dynamic chain=Demo
# In chain "Demo" drop the packets
add action=drop chain=Demo
This script will print out all new addresses added to the list. Other stuff could be done as well.
:global counter
# first run: nothing has been printed yet
:if ([:len $counter] = 0) do={:set counter -1}
:local test -1
:foreach i in=[/ip firewall address-list find where list="test_list"] do={
	:set test ($test + 1)
	# only entries beyond the index reached on the previous run are new
	:if ($test > $counter) do={
		:put [/ip firewall address-list get $i address]
	}
}
:set counter $test
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 6:44 pm

Why would you need a function like this?
Whenever you MacGyver, i.e. use the Mikrotik as a standalone solution for a specific case. My examples:
  • a customer wants to be alerted about a specific fault of some other equipment by flashes and whistles. OK, so you buy a signal tower from a renowned company which declares it can signal inactivity on an incoming TCP connection (so if that remote device stops sending packets periodically through that connection, it triggers the alert notification). And when that hi-tech thing arrives, you find out that once that TCP connection fails, a new one is rejected until you reboot the signal tower. The manufacturer refuses to provide a patch. So the solution is to find something small, undemanding on power requirements, capable of driving 24 V DC LEDs, with a case which can cover how the cable from the signal tower is terminated on multiple Ethernet connectors... the answer is Mikrotik Powerbox. And you need to monitor the other equipment (by watching its keepalives) but also a twin Powerbox & signal tower, to eliminate a SPOF in the monitoring part. So the monitored equipment must be actively pinging both the Tiks, and the Tiks must be pinging each other, and you monitor all this by adding dynamic items to an address-list and starting to flash the lights once the items disappear.
  • a less exotic one, you want to check that some particular traffic exists on the right WAN interface, and if it doesn't, do something - send an alert, power-cycle an LTE modem...
  • it is a nightmare to calculate e.g. "2 hours 3 minutes 9 seconds from now" with the datetime format in ROS scripting, so it is much easier to create an address list item with this lifetime, and link the next action to expiration of this item (or, in other words, to the whole address-list becoming empty).
 
mutluit
Forum Veteran
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 6:44 pm

@Jotne, good idea!
One can also detect changes in the address list by extending this script with such a logic:
for example doing a simple CRC-like summing over all important fields of all records and storing that in a global var...
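A scheduled script that does the change detection discussed in the two posts above (Jotne's index counter and mutluit's "compare against a stored summary" idea), written here as an added example rather than code from either poster. Instead of a counter it keeps the previous run's addresses in a global array and reports whatever was not there before, so it still works when dynamic entries expire and the list shrinks, which makes an index counter miss later additions. The list name and the global variable name are assumptions; an entry that is still visible for a few seconds after its timeout (sindy's caveat) simply stays in the snapshot and is not reported twice.

```routeros
# Added example: report addresses that appeared in an address list since the
# previous run. A snapshot of the list is kept in a global array, so the
# comparison still works when entries expire and the list shrinks.
# Assumptions: list "test_list", global "knockSeen"; run from /system scheduler.
:local listName "test_list"

# snapshot from the previous run; global so it survives between runs
:global knockSeen
:if ([:typeof $knockSeen] = "nothing") do={ :set knockSeen [:toarray ""] }

:local current [:toarray ""]
:foreach i in=[/ip firewall address-list find where list=$listName] do={
    :local addr [:tostr [/ip firewall address-list get $i address]]
    :set current ($current, $addr)
    # anything not in the previous snapshot is new since the last run
    :if ([:typeof [:find $knockSeen $addr]] = "nil") do={
        :log warning ("address-list " . $listName . ": new entry " . $addr)
        :put ("new: " . $addr)
        # replace the :put with /tool e-mail send, /tool fetch, etc. as needed
    }
}

# entries that have gone are dropped from the snapshot, so an address that
# returns after expiring is reported again
:set knockSeen $current
```

Because the snapshot is rebuilt on every run, nothing accumulates on the router; the only state kept is the set of addresses currently in the list.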
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Run a script if a firewall rule is triggered

Thu May 28, 2020 7:41 pm

it is a nightmare to calculate e.g. "2 hours 3 minutes 9 seconds from now" with the datetime format in ROS scripting, so it is much easier to create an address list item with this lifetime, and link the next action to expiration of this item (or, in other words, to the whole address-list becoming empty).
I did make a script over here viewtopic.php?p=790745#p790745 that converts time to epoch.

My hope is that MT make this a built-in function to calculate time differences.

Here is the support reply to my question about using the ISO 8601 time format.
Thank you for the suggestion. I agree that the ISO 8601 makes sense and is understandable. I will report it as a feature request, but since it could affect many components, I can't promise if it will be implemented any time soon.
xxx
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Run a script if a firewall rule is triggered

Fri May 29, 2020 1:33 am

Why would you need a function like this? I do ask since, if I know the reason, I may see another way to solve this.
My application is quite simple: I grant access to certain services based on port knocking. Being well aware that this is not very secure, I want to monitor this, whereas I am only interested in new IPs that successfully authenticated via port knocking. This is easy to do by a couple of firewall rules like these:
/ip firewall filter
add action=add-src-to-address-list address-list=Port-Knock-1 address-list-timeout=1s chain=input  dst-port=3 protocol=tcp
add action=add-src-to-address-list address-list=Port-Knock-2 address-list-timeout=1s chain=input dst-port=5 protocol=tcp src-address-list=Port-Knock-1
add action=add-src-to-address-list address-list=Port-Knock-Safe address-list-timeout=2h chain=input dst-port=4 protocol=tcp src-address-list=Port-Knock-2
add action=drop chain=input  dst-port=3 protocol=tcp  src-address-list=Port-Knock-Seen
add action=add-src-to-address-list address-list=Port-Knock-Seen address-list-timeout=none-dynamic chain=input dst-port=3 log=yes log-prefix="LOGALERT " protocol=tcp src-address-list=Port-Knock-2
I can now regularly run a script to check the log for LOGALERT and notify me by email, Telegram, or whatever. But I hoped for a simpler solution where I could directly trigger a script from the fw rule.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Run a script if a firewall rule is triggered

Fri May 29, 2020 8:54 am

Not a simple solution, but I do monitor lots of stuff using Splunk (see my signature).
There is a specific view that shows all filter rule actions, so I can see what is going on.

I do log the last port of the chain in port-knock to Splunk, so I can see who enters. So far it's only me, since no automatic script tries to enter in the correct order within the time limit.

And I also have a strict policy: if you try to knock or test a port that is not open, block the IP for 24 hours.
This way it's very hard to enter my router by just trying, scripted or manual.
This also prevents attacks on my other ports, since many of the testers are scripts that, when they find one open port (e.g. 80), will try lots of stuff to enter.
My access list for blocked intruders does vary from 2000 to 15000 unique IPs at any time.
address-list-timeout=none-dynamic
I do not give any permanent access. Just 1 day. If I need permanent access, I add the IP manually to the white list.
 
howdey57
Member Candidate
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: Run a script if a firewall rule is triggered

Sat May 01, 2021 6:31 pm

Isn't the other option to get Mikrotik to create another firewall action to run a script?

Charles
 
dlynes
newbie
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Run a script if a firewall rule is triggered

Thu Jan 06, 2022 3:26 pm

Why would you need a function like this?
Whenever you MacGyver, i.e. use the Mikrotik as a standalone solution for a specific case. My examples:
  • a customer wants to be alerted about a specific fault of some other equipment by flashes and whistles. OK, so you buy a signal tower from a renowned company which declares it can signal inactivity on an incoming TCP connection (so if that remote device stops sending packets periodically through that connection, it triggers the alert notification). And when that hi-tech thing arrives, you find out that once that TCP connection fails, a new one is rejected until you reboot the signal tower. The manufacturer refuses to provide a patch. So the solution is to find something small, undemanding on power requirements, capable of driving 24 V DC LEDs, with a case which can cover how the cable from the signal tower is terminated on multiple Ethernet connectors... the answer is Mikrotik Powerbox. And you need to monitor the other equipment (by watching its keepalives) but also a twin Powerbox & signal tower, to eliminate a SPOF in the monitoring part. So the monitored equipment must be actively pinging both the Tiks, and the Tiks must be pinging each other, and you monitor all this by adding dynamic items to an address-list and starting to flash the lights once the items disappear.
  • a less exotic one, you want to check that some particular traffic exists on the right WAN interface, and if it doesn't, do something - send an alert, power-cycle an LTE modem...
  • it is a nightmare to calculate e.g. "2 hours 3 minutes 9 seconds from now" with the datetime format in ROS scripting, so it is much easier to create an address list item with this lifetime, and link the next action to expiration of this item (or, in other words, to the whole address-list becoming empty).
Item 3 of yours would probably be the simplest to implement.

Have a schedule to check your list once every 5 minutes to see if it's empty. If it's empty, trigger your job, and set a variable. Set a timer for 5 minutes to reset the variable, and then re-loop.

For your firewall rule that adds the addresses to the list, have it set for a 5m15s to 6m timeout, so that there's a bit of overlap between it and your list checker script schedule.
 
jalcock
just joined
Posts: 2
Joined: Sun Jun 08, 2014 5:26 am

Re: Run a script if a firewall rule is triggered

Fri Jan 28, 2022 1:30 am

I need a script that does the following.

I have a Disney Circle on my LAN side. The main purpose is to allow my wife to control the kids' Internet when needed via the app. What happens if the kids unplug and shut off the Circle? Full access to the Internet.

So, I am thinking a simple script that pings the Circle on the LAN side. If it does not respond, insert a firewall rule to block all Internet.

I figure I can run it every 15 minutes. No response, insert blocking rule. If it starts responding, take the rule out?

Thoughts?
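One way to build the reachability check asked about above, as an added example and not code from the thread: rather than inserting and deleting a rule each time, keep one drop rule in place permanently but disabled, and let a scheduled script enable it while the device does not answer pings and disable it again when it does. The address, the rule comment, the "kids" address list and the scheduler name are assumptions.

```routeros
# Added example: ping a LAN device and keep a pre-created, normally disabled
# drop rule enabled for as long as the device does not answer.
# Assumptions: the device address, the rule comment, and that the rule exists:
#   /ip firewall filter add chain=forward action=drop src-address-list=kids \
#       comment="circle-down" disabled=yes place-before=0
# Schedule it with:
#   /system scheduler add name=circle-guard interval=15m on-event=circle-guard
:local target "192.168.88.50"
:local ruleComment "circle-down"

:local rules [/ip firewall filter find where comment=$ruleComment]
:if ([:len $rules] = 0) do={ :error ("no filter rule with comment " . $ruleComment) }
:local rule [:pick $rules 0]
:local isDisabled [/ip firewall filter get $rule disabled]

# number of echo replies received out of three probes
:local replies [/ping $target count=3 interval=1s]

:if ($replies = 0) do={
    # device silent: block, but only log once, when the state actually changes
    :if ($isDisabled = true) do={
        /ip firewall filter enable $rule
        :log warning ("Circle " . $target . " not answering, drop rule enabled")
    }
} else={
    :if ($isDisabled = false) do={
        /ip firewall filter disable $rule
        :log info ("Circle " . $target . " back, drop rule disabled")
    }
}
```

Toggling the `disabled` flag keeps the rule's position in the chain fixed and avoids a window with no rule at all between a delete and a re-add; three probes instead of one avoid blocking on a single lost packet.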
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Run a script if a firewall rule is triggered

Fri Jan 28, 2022 7:15 am

Here was my solution to this. May not be elegant, but it serves my purpose. In my case, I wanted to trigger a script that would send Wake On Lan packets to one of two computers based on the last step of a port knock sequence. So what I did was set up the last port knock step to write a log entry. Then there is a script that reads the log looking for the log entry. If it finds the log entry, it sends the WoL packets to whichever computer is specified. The script runs every minute.
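The log-reading step that both DL7JP's rules (the `log-prefix="LOGALERT "` on the last knock rule) and k6ccc's WoL trigger rely on, written out as an added example; it is not code from either poster. It assumes the prefix "LOGALERT", a global named alertSeen, and the usual layout of a RouterOS firewall log line, which is shown as a constructed sample in the comment; the source address is taken from the token in front of "->".

```routeros
# Added example: scan the router log for firewall entries carrying a given
# log-prefix, pull the source address out of each message and report each
# address only once. Assumptions: prefix "LOGALERT", global "alertSeen", and
# the usual firewall log line layout (constructed sample):
#   "LOGALERT input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55,
#    proto TCP (SYN), 192.0.2.10:51000->203.0.113.1:3, len 60"
# ICMP lines carry the bare address without ":port". Schedule it with:
#   /system scheduler add name=knock-alert interval=1m on-event=knock-alert
:local prefix "LOGALERT"
:local re ("^" . $prefix)

# addresses already reported; global so it survives between runs
:global alertSeen
:if ([:typeof $alertSeen] = "nothing") do={ :set alertSeen [:toarray ""] }

:foreach i in=[/log find where message~$re] do={
    :local msg [/log get $i message]
    :local arrow [:find $msg "->"]
    :if ([:typeof $arrow] = "num") do={
        # the source socket is the last space-separated token before "->"
        :local head [:pick $msg 0 $arrow]
        :local start 0
        :local pos [:find $head " " 0]
        :while ([:typeof $pos] = "num") do={
            :set start ($pos + 1)
            :set pos [:find $head " " $start]
        }
        :local sock [:pick $head $start [:len $head]]
        # strip ":port" when present (TCP/UDP); ICMP lines have only the address
        :local src $sock
        :local colon [:find $sock ":"]
        :if ([:typeof $colon] = "num") do={ :set src [:pick $sock 0 $colon] }

        :if ([:typeof [:find $alertSeen $src]] = "nil") do={
            :set alertSeen ($alertSeen, $src)
            :log warning ("port-knock alert from " . $src)
            :put ("new knock from " . $src . " at " . [/log get $i time])
            # replace the :put with /tool e-mail send, /tool fetch, etc. as needed
        }
    }
}
```

The memory log holds a limited number of lines, so old entries roll off on their own; the global only grows by one entry per distinct address and can be cleared with `/system script environment remove alertSeen` when a fresh start is wanted.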
