Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Feature request: Run script from firewall event

Wed Nov 20, 2013 2:30 am

I'm not sure if this would be useful. What do you think about the possibility to run a script from a firewall event?
 
skot
Long time Member
Posts: 586
Joined: Wed Nov 30, 2011 3:05 am

Re: Feature request: Run script from firewall event

Wed Nov 20, 2013 10:22 am

Lol, nice screen.

While this option doesn't explicitly exist, you can do it a couple ways that I can think of.

The thing to keep in mind is that often a filter rule doesn't just match one packet but who knows how many, and you need a way to make sure your script is only being run once and not many times within a few seconds.

1. Create a filter rule that logs a matching packet with a unique prefix. Have a scheduled script check for new log entries every X seconds that contain this prefix. Store the date/time stamp in the comment of the schedule as a way to check that this is a new log entry. If a new log entry is found, the script is run. The interval that you set on the schedule would determine how often the script could possibly be run.

2. Basically the same as above except the filter rule would create an address list entry with a timeout of X seconds. The scheduled script would check for this address list entry and run the script.

These are more like workarounds, but depending on what you're trying to do they could probably be tweaked.
I don't need any karma... I have Ιησους Χριστος!
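As an added illustration of skot's first approach (example code, not from the thread or from MikroTik): the filter rule only logs with a unique prefix, and a scheduler polls the log, remembers the time stamp of the last entry it acted on in its own comment, and runs the handler at most once per polling interval. The prefix FWEVT, the names fw-event-poll and fw-event-handler, and the TCP/2222 match from 192.168.88.0/24 are assumptions chosen for this example.

```routeros
# Added example (RouterOS 6 scripting), not from the thread.
# Assumed names: log prefix "FWEVT", scheduler "fw-event-poll", script "fw-event-handler".

# Log-only rule: action=log does not terminate the chain, so accept/drop rules still apply.
# The match (new TCP connections to port 2222 from the LAN) is a constructed example.
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new \
    src-address=192.168.88.0/24 action=log log-prefix="FWEVT" \
    comment="trigger for fw-event-handler"

# Poll every 30 seconds. The interval is the upper bound on how often the handler can fire,
# no matter how many packets matched the rule in between.
/system scheduler add name=fw-event-poll interval=30s comment="" on-event={
    # Time stamp of the last log entry we already handled, kept in this scheduler's comment.
    :local last [:tostr [/system scheduler get fw-event-poll comment]]
    :local newest ""
    # Walk only the entries carrying our prefix; the last one visited is the newest.
    :foreach i in=[/log find message~"^FWEVT"] do={
        :set newest [:tostr [/log get $i time]]
    }
    # Fire only if something was logged and its stamp differs from the one recorded.
    :if (($newest != "") && ($newest != $last)) do={
        # Record the stamp before running the handler so a failing handler
        # cannot re-fire on every poll for the same event.
        /system scheduler set fw-event-poll comment=$newest
        :log info "FWEVT: new firewall event at $newest, running handler"
        /system script run fw-event-handler
    }
}
```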
 
janisk
MikroTik Support
Posts: 6284
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Feature request: Run script from firewall event

Mon Nov 25, 2013 4:45 pm

The first problem with this is that it makes your router prone to DoS/DDoS attacks, as a small amount of traffic with a high enough packet rate could hog all the resources of the router.

More useful (but still dangerous) is to do remote logging and have some external box do the computation and adjust the configuration of the router automatically, depending on the information received via remote logging.
 
Borage
Member Candidate
Topic Author
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Re: Feature request: Run script from firewall event

Tue Nov 26, 2013 10:36 am

Thanks for your opinion on this, it was just a thought. At a single occasion, I needed the ability to immediately trigger a script.
 
janisk
MikroTik Support
Posts: 6284
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Feature request: Run script from firewall event

Tue Nov 26, 2013 3:25 pm

At first glance this does look like a neat idea, similar to a firewall filter rule where instead of an IP address one could enter an FQDN, and it would be resolved on request. But when looking deeper, it is a huge resource hog, even though a DNS request is cheaper than running a script on an event.
 
berisz
just joined
Posts: 2
Joined: Tue Dec 12, 2017 12:50 am

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 3:12 pm

+1
Dear MikroTik Support!
Please add the script run option to the firewall (Filter, NAT, Mangle, Raw,) actions!
 
erkexzcx
Frequent Visitor
Posts: 54
Joined: Mon Oct 07, 2019 11:42 pm

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 5:24 pm

I would not find it useful right now, but this would open up so many possibilities. +1 from me.
make your router prone to DoS/DDoS attacks
Not true if MikroTik adds a frequency option. E.g. "Do not run the script if it has already run in the past X seconds".
 
Larsa
Member Candidate
Posts: 204
Joined: Sat Aug 29, 2015 7:40 pm

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 6:32 pm

Instead of being forced to use static IP address lists only, it would be "most excellent" if there was a built-in DNSBL control as a firewall action, "drop DNS blacklist lookup", that could be used for example during new connections (i.e. connection state new).

Drop DNS blacklist lookup.png
 
Sob
Forum Guru
Posts: 6260
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 9:16 pm

It's a completely different request. And there's a difference between some server using a DNSBL to filter new connections (e.g. a mail server) and doing it with packets on a router. The former has it easy: plenty of time, no rush. If it takes a second, no big deal; even more won't break things. A router needs a much quicker decision about what to do with a packet.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
Larsa
Member Candidate
Posts: 204
Joined: Sat Aug 29, 2015 7:40 pm

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 9:49 pm

Well yes, it should probably have had its own thread. Anyhow, I beg to differ regarding the latency, as a local DNSBL call would only lag a few ms, which is a very small (even tiny) cost compared to the functional value it would add.
 
Sob
Forum Guru
Posts: 6260
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature request: Run script from firewall event

Thu Nov 19, 2020 10:48 pm

I can already see all those people who would add ten slow external lists, apply the action to every single packet, and then complain that it doesn't work. :) But of course that's not necessarily an argument against it; current RouterOS already has enough ways to break something.

Maybe it's doable. Netfilter has user-space queuing where another process can decide what to do with a packet, and someone already tried to use that for DNSBL: https://github.com/zevenet/packetbl
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.