Community discussions

MikroTik App
 
jack14
just joined
Topic Author
Posts: 11
Joined: Thu Oct 10, 2019 12:26 pm

Firewall filter hits multiple rules

Thu Apr 22, 2021 10:57 am

Dear all,
I have some firewall filter rules to limit login attempts on a FTP server behind the router. The rules are
add action=drop chain=forward comment="drop FTP bruteforcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=1w chain=forward comment="FTP bruteforcers to list" \
    content="530 Login incorrect" dst-address-list=ftp_2nd_fail protocol=tcp
add action=add-dst-to-address-list address-list=ftp_2nd_fail \
    address-list-timeout=1w chain=forward content="530 Login incorrect" \
    dst-address-list=ftp_1st_fail protocol=tcp
add action=add-dst-to-address-list address-list=ftp_1st_fail \
    address-list-timeout=1w chain=forward content="530 Login incorrect" \
    protocol=tcp
    
The rules work as expected in limit the login to 3 attempts, but somehow the packets hits multiple rules.
I mean, when there is a first incorrect login, the destination IP is added to ftp_1st_fail address list, but when the same IP tries another login and fails, this IP is added to ftp_2nd_fail, but also again in ftp_1st_fail, meaning the timeout is set again to 1 week.
How is it that and how, if possible, can i prevent this from happening?
Thank you.
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall filter hits multiple rules

Thu Apr 22, 2021 1:29 pm

This is how rules works. Going from top to bottom until there are some stopping it.
So it will be added to 1st list even if its already added to 2nd list and with 1 week that will for sure happen.

I do use these rules to block multiple login on ftp over a 2 hour time period.
add action=jump chain=forward comment="Brute Focre against port 21" dst-port=21 in-interface=ether1 jump-target=anti-bruteforce
add action=return chain=anti-bruteforce dst-limit=1/1h,2,src-address/2h
add action=add-src-to-address-list address-list=List_Brute_Force address-list-timeout=1w3d chain=anti-bruteforce
Normal a user starts and FTP session once a while. If some one tries with wrong password, it will try many times and at last be added to the block list and in user will then be blocked for 10 days by a rule in raw
/ip firewall raw
add action=drop chain=prerouting  dst-port=21  in-interface=ether1 protocol=tcp src-address-list=List_Brute_Force
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Firewall filter hits multiple rules

Thu Apr 22, 2021 2:34 pm

Quick question Jotne,
Do you run many servers?
What would be the difference of simply using a drop all rule at the end of your input chain and forward chain (which would drop all those attempts anyway).
What am I missing?
 
jack14
just joined
Topic Author
Posts: 11
Joined: Thu Oct 10, 2019 12:26 pm

Re: Firewall filter hits multiple rules

Thu Apr 22, 2021 7:58 pm

This is how rules works. Going from top to bottom until there are some stopping it.
I know that firewall rules are evaluated top to bottom until a packet hit one of them. According to this, I think that my rules should work like this:
  1. someone tries to connect to the FTP server with an invalid login, the 4th rule is hit and the IP added to ftp_1st_fail
  2. there is a second invalid login attempt from an IP already in ftp_1st_fail, the 3rd rule is hit, the IP is added to ftp_2nd_fail and the process stop
and so on until the IP is added to ftp_blacklist and all subsequent login attempt is blocked.
But I see that a packet that should get caught by 3rd rule is also caught by 4rd rule.
What am I missing?
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall filter hits multiple rules

Thu Apr 22, 2021 8:13 pm

Quick question Jotne,
Just a couple of server. For me this works. I do have other ports in the same rule, not just FTP (21)
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Firewall filter hits multiple rules

Thu Apr 22, 2021 8:16 pm

<removed>
Last edited by Jotne on Fri Apr 23, 2021 12:27 pm, edited 1 time in total.
 
jack14
just joined
Topic Author
Posts: 11
Joined: Thu Oct 10, 2019 12:26 pm

Re: Firewall filter hits multiple rules

Fri Apr 23, 2021 9:56 am

It seems that firewall behaviour is as you described, but according to the wiki:
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action).

Who is online

Users browsing this forum: akakua, Bing [Bot], getfeus, melomac, menyarito and 53 guests