lordwhiskey
newbie
Topic Author
Posts: 27
Joined: Wed Jun 26, 2013 8:33 am

Asynchronous filtering for blacklisted addresses

Mon Apr 02, 2018 11:20 am

Hi,

I'm currently facing a significant increase in port scans, attempted winbox connections (I think due to the recent exploit published at https://github.com/BigNerd95/Chimay-Red) and a lot of other intrusion attempts.

In order to cope with this situation, I put in place a mechanism in the firewall to automatically add to a blacklist address list all of those IPs that try to connect to a particular port of the router (INPUT chain). This is quite effective, since a lot of requests are dropped every day and a lot of IPs are added to the list.

What I would like to know is whether there is any possibility of having some kind of asynchronous rule, such that if I run a ping command (for instance) from the router terminal to one of the blacklisted IPs, it will get through. But I want this only if the ping started from the router (or from behind it), while denying requests that come from the WAN side without being initiated from the router.

This issue is only at the router level; all the devices in the LAN are able to get around this problem (since they belong to the FORWARD chain, I guess).

Does any of you know if this can be done?

Thanks

sindy
Forum Guru
Posts: 11289
Joined: Mon Dec 04, 2017 9:19 pm

Re: Asynchronous filtering for blacklisted addresses

Mon Apr 02, 2018 11:49 am

The key is to work with connection tracking, which is quite a normal approach.

To save CPU, you want to evaluate complex rules only for the first packet of each connection, so as the very first rule in a chain you put action=accept connection-state=established,related. After that, you put rules for the first packets of a connection, which may be much more complex because they are evaluated for a small number of packets.

And if, in such an arrangement, you use your blacklist of attackers as src-address-list in chains input and forward in action=drop rules following the one above, you prevent new connections (or rather connection attempts) coming from these addresses from establishing, but if it is you who establishes these connections by sending the packet to one of these addresses first, the response packets of such connections get accepted by the first rule, which is exactly what you wanted.

ICMP echo connections are also tracked and told apart from one another by the combination of local and remote address and the ICMP "identifier" protocol field.
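The arrangement described in this reply, written out as a RouterOS firewall filter configuration. This is an added example, not configuration from either post; the address-list name blacklist, the interface list WAN, the trigger port 8291 (winbox), the one-day list timeout and the test address 203.0.113.5 are assumptions standing in for whatever the asker actually uses.

```routeros
# Added example, not from the thread. Assumed names: address list "blacklist",
# interface list "WAN", trigger port 8291 (winbox), 1-day list timeout.
/ip firewall filter

# 1. Fast path: packets belonging to connections already in the tracking table
#    are accepted here, so every rule below only sees the first packet of a
#    connection. Replies to a /ping (or any connection the router or a LAN host
#    opened toward a blacklisted address) match this rule and never reach the
#    drop rules further down.
add chain=input   connection-state=established,related action=accept \
    comment="accept established/related (fast path)"
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related (fast path)"

# 2. Packets that connection tracking cannot classify are dropped early.
add chain=input   connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=invalid action=drop comment="drop invalid"

# 3. New connection attempts *from* blacklisted addresses are dropped in both
#    chains. Because rule 1 sits above these, a blacklisted host can still
#    answer connections initiated from the router side.
add chain=input   connection-state=new src-address-list=blacklist action=drop \
    comment="drop new connections from blacklist"
add chain=forward connection-state=new src-address-list=blacklist action=drop \
    comment="drop new connections from blacklist"

# 4. The trap from the first post: a new connection arriving from the WAN side
#    on the trigger port puts its source into the list and is then dropped.
#    add-src-to-address-list is a passthrough action, so the drop rule after
#    it still applies. in-interface-list=WAN keeps LAN-side admins off the list.
add chain=input connection-state=new in-interface-list=WAN protocol=tcp \
    dst-port=8291 action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="blacklist winbox probes from WAN"
add chain=input connection-state=new in-interface-list=WAN protocol=tcp \
    dst-port=8291 action=drop comment="drop winbox probes from WAN"

# Ordering check: the established/related accept must print as rule 0.
/ip firewall filter print

# Verification: open a connection from the router toward a listed address and
# watch connection tracking record it (203.0.113.5 is a documentation address
# standing in for a blacklisted host). The echo replies come back as
# "established" and are accepted by rule 1.
/ping 203.0.113.5 count=3
/ip firewall connection print where protocol=icmp
/ip firewall address-list print where list=blacklist
```

Two points worth checking on a live router: rule 1 also keeps accepting a connection that was already established before its source got listed, so listing an address stops new attempts rather than cutting existing sessions; and if the trigger port is one you reach the router on from outside, make sure your own management source is excluded (the in-interface-list=WAN match above is not enough on its own in that case).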