dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

addr-list delay

Tue Jul 30, 2013 4:03 pm

Based on several MikroTik examples found on the web, I put in the following firewall rules to protect our mail server from getting brute-forced:

```
add address=213.47.xxx.xxx/28 list=ournetwork
add address=192.168.0.0/24 list=ournetwork

add action=drop chain=forward comment="block POP3 bruteforcers" src-address-list=pop3_blacklist

add chain=forward comment="allow 4 wrong POP3 logins per minute" content="-ERR Authentication failed" dst-address-list=!ournetwork dst-limit=1/1m,4,dst-address/1m protocol=tcp src-port=110

add action=jump chain=forward comment="put source IP on blocklist for one week after the 5th wrong POP3 login" content="-ERR Authentication failed" dst-address-list=!ournetwork jump-target="log and add to POP3 addr-list" protocol=tcp src-port=110

add action=log chain="log and add to POP3 addr-list"
add action=add-dst-to-address-list address-list=pop3_blacklist address-list-timeout=1w chain="log and add to POP3 addr-list"
```

This usually works well, but sometimes I notice the following log entries:

[attachment: pop3log.jpg, screenshot of the firewall log]

As you can see, the IP is always the same although it should already be in the addr-list and therefore be blocked.


Any ideas?
Is there a delay how often addr-list is being read?
Last edited by dadaniel on Tue Jul 30, 2013 4:35 pm, edited 1 time in total.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: addr-list delay

Tue Jul 30, 2013 4:14 pm

Maybe I have it backwards here, but isn't it the src-address you want to add to that address list and block? The dst-address would be your email server ip.

edit: I have it backwards. I see what you are doing. You are watching for the error message in the response packet and blocking the dst-address of that packet.

Is that IP in the address list? If it is, then ensure you are blocking the request from the client. You are adding the dst-address of the fail packet (response to client), but you want to block that src-address on any further port 110 requests from that client.
 
dadaniel
Member Candidate
Topic Author
Posts: 227
Joined: Fri May 14, 2010 11:51 pm

Re: addr-list delay

Tue Jul 30, 2013 4:52 pm

> Is that IP in the address list? If it is, then ensure you are blocking the request from the client. You are adding the dst-address of the fail packet (response to client), but you want to block that src-address on any further port 110 requests from that client.

Sorry, I forgot to paste the block rule above. So yes, I'm blocking them, but it seems that it takes minutes for them to show up in the addr-list.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: addr-list delay

Tue Jul 30, 2013 7:52 pm

I've been playing with the content setting with web browsers. I found that it must match that string exactly (case sensitive). And web browsers have a tendency to use their cache if you do not hold down the shift key when reloading the page. If you don't use the shift key, you can reload that page and it will not show up in the address list again until the TTL of the web page expires.

And when it matches, the entry in the address-list is immediate.

Are you sure the response packet contains that string every time those requests are made?

edit: This is the only difference between adding the ip to the address list and logging it, right?
dst-limit=1/1m,4,dst-address/1m
 
PeterSullivan
newbie
Posts: 30
Joined: Wed Jul 31, 2013 3:03 pm

Re: addr-list delay

Wed Jul 31, 2013 3:12 pm

Is this only for client purposes, or does it also affect the administrative data sheet?