xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

scripting for firewall and sorting ports

Thu Sep 17, 2009 5:00 pm

I need help.

I need a script that will create
ip firewall filter add chain=forward action=accept port=1
up to 6000,

so it will have 6000 filters in my MikroTik router. Can anyone help me with a script to create this?

And what must the chain be if I want it to just do incoming ports from the net: input, output or forward?
If I don't know, ask someone that does!
 
skillful
Trainer
Posts: 557
Joined: Wed Sep 06, 2006 1:42 pm
Location: Abuja, Nigeria

Re: scripting for firewall and sorting ports

Thu Sep 17, 2009 6:31 pm

:for x from=1 to=6000 do={/ip firewall filter add chain=forward action=accept protocol=tcp port=$x; /ip firewall filter add chain=forward action=accept protocol=udp port=$x}
For you to specify ports, you must also specify a protocol. The script will create 12000 rules, i.e. 6000 rules for TCP and another 6000 rules for UDP.
 
Chupaka
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: scripting for firewall and sorting ports

Thu Sep 17, 2009 7:37 pm

6000 rules is madness
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 5:04 am

If you want to specify a range of ports you could do something like:
/ip firewall filter add chain=forward protocol=tcp port=1-6000
/ip firewall filter add chain=forward protocol=udp port=1-6000
Doug
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 9:16 am

Thanks for the help. I know 6000 filters are madness,
but it's for monitoring for a week so I can improve my firewall.

I'll drop the 6000 rules when I'm done with the groups I'm looking at,

for example 1-11,

12-25,

26-110, etc.

That's what I want to do:
work on improvements.
 
conjurer
Member Candidate
Posts: 110
Joined: Mon Jul 21, 2008 9:46 pm

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 10:34 am

I doubt it would work with 6000 filters. It's just a CPU killer.
Better make 60 filters with ranges 1-100, 101-200, 201-300 and so on.
After a week, investigate more deeply into the most used ranges.
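As an added worked example (not from any poster in this thread), the range-counter approach conjurer describes, carried through in Python: it emits the coarse 60-range accept rules and then, from byte counters gathered over the measurement week, the finer rules for only the busiest ranges. The function names and the counter dictionary are assumptions; the counters are constructed sample values, and in practice they would be read from the rule counters (`/ip firewall filter print stats`) matched by the rule comment.

```python
# Added example, not from the thread: build MikroTik accept rules that act as
# per-port-range traffic counters (conjurer's 60-rule layout), then, after the
# measurement week, split only the busiest ranges into finer ones.
# The counters below are constructed sample values, not real router output.

def range_rules(lo, hi, step, chain="forward", protocols=("tcp", "udp")):
    """One accept rule per port range and protocol, as RouterOS CLI lines.

    chain=forward counts traffic passing through the router (LAN <-> net);
    chain=input counts only traffic addressed to the router itself.
    dst-port (not port) is used so a rule matches the service port rather
    than the client's random source port (client-to-server direction only).
    """
    rules = []
    for start in range(lo, hi + 1, step):
        end = min(start + step - 1, hi)          # last range may be short
        for proto in protocols:
            rules.append(
                f"/ip firewall filter add chain={chain} action=accept "
                f"protocol={proto} dst-port={start}-{end} "
                f'comment="mon {proto} {start}-{end}"'
            )
    return rules


def busiest_ranges(counters, top_n):
    """counters maps (proto, start, end) -> bytes seen; return top_n by bytes."""
    return sorted(counters.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def refine_rules(counters, top_n, step, chain="forward"):
    """Finer-grained rules for the top_n busiest ranges (replace the coarse
    rule for each with these before the next measurement period)."""
    rules = []
    for (proto, start, end), _ in busiest_ranges(counters, top_n):
        rules.extend(range_rules(start, end, step, chain, (proto,)))
    return rules


# Constructed week-1 byte counters for a few of the 1-6000 ranges.
SAMPLE_COUNTERS = {
    ("tcp", 1, 100): 9_800_000,     # ssh, smtp, dns, http live here
    ("tcp", 401, 500): 3_100_000,   # https (443)
    ("tcp", 3301, 3400): 420_000,
    ("udp", 1, 100): 88_000,
    ("udp", 5001, 5100): 0,
}

if __name__ == "__main__":
    print("\n".join(range_rules(1, 6000, 100)))            # 120 coarse rules
    print("\n".join(refine_rules(SAMPLE_COUNTERS, 2, 10)))  # 20 finer rules
```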
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 2:52 pm

That's maybe true. Will see what I'll do. Thanks for the information.
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:05 pm

Question: I added it to the firewall and it worked 100%. I added it to the top of the list, but rx bytes and tx bytes stay at 0. Can anyone tell me why?
 
Chupaka
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:14 pm

even on port 80, for example?..
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:19 pm

All of them, even port 80.
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:21 pm

No, port 80: 240b, 5 packets. But I have a constant 460 connections to the net. Any ideas?
 
Chupaka
Forum Guru
Posts: 8394
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:23 pm

no ideas. some misconfiguration =)
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Fri Sep 18, 2009 3:29 pm

Hmmmm, that's no good. I'll try this again!
 
conjurer
Member Candidate
Posts: 110
Joined: Mon Jul 21, 2008 9:46 pm

Re: scripting for firewall and sorting ports

Tue Sep 22, 2009 9:45 am

Post your /ip firewall export.
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Tue Sep 22, 2009 1:53 pm

I'll export it tonight.

Any idea if this is right?


:for x from=1 to=254 do={"/ip firewall address-list add address=10.0.0."$x "comment="" disabled=no list=smtp-allow"}
 
changeip
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: scripting for firewall and sorting ports

Tue Sep 22, 2009 5:38 pm

/ip firewall address-list add address=10.0.0.0/24 comment="" disabled=no list=smtp-allow

Why not just add that whole subnet as above and make it more efficient?

:for x from=1 to=254 do={/ip firewall address-list add address="10.0.0.$x" comment="" disabled=no list=smtp-allow}
Colo and Wholesale Bandwidth Available! Sales at SanDiegoBroadband dot com
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Tue Sep 22, 2009 8:58 pm

It does, true, but if I want to disable 10.0.0.11 and 10.0.0.25 etc. so I can block port 25 per user,
it's easier to regulate each IP address.
 
xezen
Long time Member
Topic Author
Posts: 628
Joined: Fri May 30, 2008 10:23 am
Location: South Africa

Re: scripting for firewall and sorting ports

Tue Sep 22, 2009 9:05 pm

This is all I've got at this point:
/ip firewall filter
add action=drop chain=input comment="" disabled=no dst-port=8001 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=8001 \
in-interface=ether2 protocol=tcp
add action=drop chain=input comment="" disabled=no dst-port=8001 \
in-interface=ether3 protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=\
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no \
src-address-list="port scanners"
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment="" connection-state=new \
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=forward comment="SMTP-ALLOW " disabled=no dst-port=25 \
protocol=tcp src-address-list=smtp-allow
add action=accept chain=forward comment="" disabled=no dst-address-list=\
smtp-allow dst-port=25 protocol=tcp
add action=drop chain=forward comment="SMTP Drop" disabled=no dst-port=25 \
protocol=tcp
