My log is being cluttered with a lot of dropped ICMP packets that have the router's internal address both as source and destination. Here's an exempt from the log:
Code: Select all
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:40:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:45:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
Jan/07/2011 14:50:03 firewall,info "Drop incoming" input: in:(unknown) out:(none), proto ICMP (type 3, code 1), 10.110.5.1->10.110.5.1, len 64
These are my firewall filter rules (the relevant rules are marked in bold):
Thanks in advance,/ip firewall filter
add action=jump chain=input comment="Jump all incoming traffic whatsoever to a new chain for sanitization" \
disabled=no in-interface=WAN jump-target=sanitize
add action=jump chain=forward comment="" disabled=no in-interface=WAN jump-target=sanitize
add action=drop chain=sanitize comment="Drop invalid connections" connection-state=invalid disabled=no
add action=log chain=sanitize comment="Log and drop packets from blacklisted IPs" disabled=no log-prefix=\
"\"Packet dropped: Blacklisted IP (member of fagget list)\"" src-address-list=faggets
add action=drop chain=sanitize comment="" disabled=no src-address-list=faggets
add action=log chain=sanitize comment="" disabled=no log-prefix=\
"\"Packet dropped: Blacklisted IP (SSH failed login)\"" src-address-list=ssh_blacklist
add action=drop chain=sanitize comment="" disabled=no src-address-list=ssh_blacklist
add action=drop chain=sanitize comment="Drop packets from known port scanners" disabled=no src-address-list=\
port_scanners
add action=accept chain=sanitize comment="Accept established and related connections" connection-state=\
established disabled=no
add action=accept chain=sanitize comment="" connection-state=related disabled=no
add action=log chain=sanitize comment="Add new portscanners to address list log" disabled=no log-prefix=\
"\"IP blacklisted: port scanner\"" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners address-list-timeout=4w2d chain=sanitize comment=\
"" disabled=no protocol=tcp psd=21,3s,3,1
add action=return chain=sanitize comment="" disabled=no
add action=return chain=sanitize comment="" disabled=no
add action=jump chain=forward comment="SSH traffic filtering" disabled=no dst-port=22,2200 in-interface=WAN \
jump-target=ssh protocol=tcp
add action=accept chain=ssh comment="Accept all from whitelisted addresses" disabled=no protocol=tcp \
src-address-list=ssh_whitelist
add action=log chain=ssh comment="Log and blacklist immediately addresses attempting on port 22" \
connection-state=new disabled=no dst-port=22 log-prefix="\"IP blacklisted: SSH attempt on port 22\"" \
protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=4w2d chain=ssh comment="" \
connection-state=new disabled=no dst-port=22 protocol=tcp
add action=log chain=ssh comment="Log and blacklist after three unsuccessfull attempts to log in" \
connection-state=new disabled=no log-prefix="\"IP blacklisted: SSH Too many login attempts\"" protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=52w1d chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=ssh comment="" \
connection-state=new disabled=no protocol=tcp
add action=accept chain=ssh comment="Accept if not blacklisted" disabled=no protocol=tcp
add action=return chain=ssh comment="" disabled=no
add action=jump chain=input comment="Process UDP traffic separately" disabled=no jump-target=udp_chain \
protocol=udp
add action=accept chain=udp_chain comment="DHCP (need to be checked)" disabled=no dst-port=68 protocol=udp \
src-port=67
add action=drop chain=udp_chain comment="Drop DHT traffic" disabled=no dst-port=32459,56544 protocol=udp
add action=return chain=udp_chain comment="" disabled=no
add action=accept chain=input comment="Accept only ping requests from WAN" disabled=no icmp-options=8:0-255 \
in-interface=WAN protocol=icmp
add action=accept chain=input comment="Accept all ICMP traffic from LAN" disabled=no in-interface=LAN protocol=\
icmp
add action=accept chain=input comment="Accept IGMP multicast from modem (why\?)" disabled=no dst-address-type=\
multicast in-interface=WAN protocol=igmp
add action=accept chain=input comment="Accept Winbox communication" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="Accept FTP to router from local network" disabled=no in-interface=LAN
add action=accept chain=input comment="Accept DNS requests from internal network" disabled=no dst-port=53 \
in-interface=LAN protocol=udp
add action=jump chain=forward comment="Jump incoming traffic to gorbachov to new chain" disabled=no \
dst-address=10.110.1.1 in-interface=WAN jump-target=gorbachov protocol=tcp
add action=accept chain=gorbachov comment="Accept Bittorrent traffic" disabled=no dst-port=32459 protocol=tcp
add action=accept chain=gorbachov comment="Accept Deluge daemon and web interface traffic" disabled=no \
dst-port=58846,8112 protocol=tcp
add action=accept chain=gorbachov comment="Accept Hath traffic" disabled=no dst-port=60000 protocol=tcp
add action=return chain=gorbachov comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to stalin to new chain" disabled=no dst-address=\
10.110.1.2 in-interface=WAN jump-target=stalin protocol=tcp
add action=accept chain=stalin comment="Accept HTTP traffic" disabled=no dst-port=80 protocol=tcp
add action=return chain=stalin comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to jeltsin to new chain" disabled=no dst-address=\
10.110.3.1 in-interface=WAN jump-target=jeltsin
add action=accept chain=jeltsin comment="Accept Bittorrent traffic (for \B5Torrent)" disabled=no dst-port=56544 \
protocol=tcp
add action=accept chain=jeltsin comment="Accept RDP traffic" disabled=no dst-port=3389 protocol=tcp
add action=accept chain=jeltsin comment="Accept DC++ (TCP, UDP and TLS)" disabled=no dst-port=9997-9998 \
protocol=tcp
add action=accept chain=jeltsin comment="" disabled=no dst-port=9999 protocol=udp
add action=return chain=jeltsin comment="" disabled=no
add action=jump chain=forward comment="Jump incoming traffic to oxygen to new chain" disabled=no dst-address=\
10.110.1.10 in-interface=WAN jump-target=oxygen
add action=accept chain=oxygen comment="Accept SSH traffic" disabled=no dst-port=9122 protocol=tcp
add action=accept chain=oxygen comment="Accept HTTP traffic" disabled=no dst-port=9180 protocol=tcp
add action=return chain=oxygen comment="" disabled=no
add action=accept chain=forward comment="Accept all outgoing traffic by default" disabled=no out-interface=WAN
add action=reject chain=input comment="Reject ident packets" disabled=no dst-port=113 in-interface=WAN \
protocol=tcp reject-with=icmp-protocol-unreachable
add action=log chain=input comment="Log and drop everything else" disabled=no log-prefix="\"Drop incoming\""
add action=log chain=forward comment="" disabled=no log-prefix="\"Drop incoming (forward)\""
add action=drop chain=input comment="" disabled=no
add action=drop chain=forward comment="" disabled=no
negge