webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Firewall question

Wed Jul 17, 2019 5:53 pm

Hello folks.
At the moment, I have the following firewall rules:
/ip firewall filter
add chain=forward action=add-src-to-address-list connection-state=new connection-limit=5000,32 protocol=tcp address-list=3rdAlertSPAM address-list-timeout=none-static out-interface=ETH1 dst-port=25,587 limit=5k/12h,0:packet log=no log-prefix=""
add chain=forward action=add-src-to-address-list connection-state=new connection-limit=500,32 protocol=tcp address-list=2ndAlertSPAM address-list-timeout=1 out-interface=ETH1 dst-port=25,587 limit=500/1h,0:packet log=no log-prefix=""
add chain=forward action=add-src-to-address-list connection-state=new connection-limit=50,32 protocol=tcp address-list=1stAlertSPAM address-list-timeout=5m out-interface=ETH1 dst-port=25,587 limit=50/30s,0:packet log=no log-prefix=""
add chain=forward action=drop protocol=tcp src-address-list=1stAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""
add chain=forward action=drop protocol=tcp src-address-list=2ndAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""
add chain=forward action=drop protocol=tcp src-address-list=3rdAlertSPAM out-interface=ETH1 dst-port=25,465 log=no log-prefix=""
What I want to accomplish is:
  • If more than 50 emails are sent in less than 30 seconds, the IP is blocked for 5 minutes.
  • If more than 500 emails are sent in less than 1 hour, the IP is blocked for 1 hour.
  • If more than 5,000 emails are sent in less than 12 hours, the IP is permanently blocked.
And I am having some trouble making this work. Can someone point me in the right direction?
Last edited by webix on Wed Jul 17, 2019 11:52 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11235
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall question

Wed Jul 17, 2019 7:33 pm

There is no constant relation between the number of e-mail messages (which may be of a very different size each) and the number of packets or bytes transported by a connection, so there is no way to limit by number of messages, only by number of bytes (comparison works up to 4 GB).

Another problem is that you can only count bytes during a single connection which is ephemeral, so if the address would disconnect and re-connect again, the counter would be reset. Vice versa, to drop down an ongoing connection you'd need to have an action=drop src-address-list=spam-blacklist rule before the "accept established" one in your forward chain, because otherwise already established connections would continue even though the remote address would be blacklisted.

Yet another possibility would be to use a script to create a counter rule for each new remote address, which could then count both packets and bytes across the individual connections, but I'm afraid both RAM and flash would protest against such a method.
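
Added example, my own suggestion rather than either poster's configuration: a per-source version of the three tiers built on RouterOS's dst-limit matcher instead of limit. Two details of the rules in the first post matter here. First, limit keeps a single token bucket per rule, shared by every source, and matches packets while the rule is still under its rate, so action=add-src-to-address-list combined with limit=50/30s lists the sources of the first 50 new connections in each 30 s window, not whoever exceeds it; connection-limit=50,32 is a concurrent-connection count per /32, not a rate. Second, the add-to-list rules match dst-port=25,587 while the drop rules match dst-port=25,465, so a listed host sending on 587 is never dropped. dst-limit keeps one bucket per flow key; with src-address as the key (assumed to be accepted by the dst-limit mode list on the reader's RouterOS version; check it before importing) every sending host gets its own bucket. As sindy explains above, the counters see new TCP connections, not messages. ETH1 is the interface name from the thread; the chain and list names are my choices.

```routeros
/ip firewall filter
# 1. Drop listed senders BEFORE the established/related accept (and before any
#    fasttrack rule), so a connection that is already open is cut off as soon
#    as its source lands on a list. The same ports appear in every rule.
add chain=forward action=drop protocol=tcp dst-port=25,465,587 out-interface=ETH1 \
    src-address-list=smtp-block-5m comment="SMTP tier 1 block"
add chain=forward action=drop protocol=tcp dst-port=25,465,587 out-interface=ETH1 \
    src-address-list=smtp-block-1h comment="SMTP tier 2 block"
add chain=forward action=drop protocol=tcp dst-port=25,465,587 out-interface=ETH1 \
    src-address-list=smtp-block-perm comment="SMTP tier 3 block"
add chain=forward action=accept connection-state=established,related

# 2. Only the first packet of each NEW outbound SMTP connection is rated.
add chain=forward action=jump jump-target=smtp-rate protocol=tcp dst-port=25,465,587 \
    out-interface=ETH1 connection-state=new

# 3. One chain per tier. dst-limit=rate,burst,key/expire matches while the
#    source's bucket still has tokens, and that rule returns; once the bucket is
#    empty the packet falls through to the add-to-list rule. All three tiers are
#    evaluated for every new connection, because staying under 50/30s says
#    nothing about 500/1h. add-src-to-address-list does not terminate rule
#    processing, so the packet returns to the forward chain afterwards; the
#    connection's later packets are then caught by the drop rules in step 1.
add chain=smtp-rate action=jump jump-target=smtp-tier1
add chain=smtp-rate action=jump jump-target=smtp-tier2
add chain=smtp-rate action=jump jump-target=smtp-tier3

add chain=smtp-tier1 action=return dst-limit=50/30s,50,src-address/30s
add chain=smtp-tier1 action=add-src-to-address-list address-list=smtp-block-5m \
    address-list-timeout=5m

add chain=smtp-tier2 action=return dst-limit=500/1h,500,src-address/1h
add chain=smtp-tier2 action=add-src-to-address-list address-list=smtp-block-1h \
    address-list-timeout=1h

# Tier 3 is permanent: a static entry survives reboots, like the none-static
# timeout in the original rules.
add chain=smtp-tier3 action=return dst-limit=5000/12h,5000,src-address/12h
add chain=smtp-tier3 action=add-src-to-address-list address-list=smtp-block-perm \
    address-list-timeout=none-static
```

A dst-limit bucket is a token bucket, not a sliding window: with 50/30s and burst 50 a host may open 50 connections at once from idle and then one every 0.6 s, and the 51st within the window is listed. The 12h expire keeps one flow entry per sending host for twelve hours, which is cheap when the inside hosts are a handful of mail servers but worth knowing before applying it to a large client network.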
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Re: Firewall question

Wed Jul 17, 2019 11:51 pm

Hello sindy.

Thank you for the information.
If I am not mistaken, "connection-state=new" means that only new connections are taken into account, not related or established ones. Right?
The "connection-limit=50,32" means that there is a limit of 49 connections from the same IP, no?
And finally, "limit=50/30s,0:packet" means that 49 packets are allowed over 30 seconds, if I am not mistaken.

So... with all of these combined in the same rule, I guess it will count the 1st packet of a new connection from the same IP address. Or am I mistaken? If that is right, what is the difference whether it is the 1st packet of the connection that will send the email, or the email itself? Isn't the final result the same?

Regards
 
sindy
Forum Guru
Posts: 11235
Joined: Mon Dec 04, 2017 9:19 pm

Re: Firewall question

Thu Jul 18, 2019 12:14 am

It is not, because decent systems aggregate tasks, so they send more than one message through the same connection, and usually keep TCP connections open for a while after use for the case that something more would need to be transported the same way. It has to do with reuse of client side TCP ports.

Even if you could assume that each message has its own dedicated connection, you'd still have to create an individual rule with nth matcher for each newly encountered remote address, so it would again mean scripting and stress for the flash.
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Re: Firewall question

Thu Jul 18, 2019 12:55 am

So... what do you suggest?
I don't have mail clients inside my network. Only mail servers.

Regards
 
mkx
Forum Guru
Posts: 13060
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall question

Thu Jul 18, 2019 9:06 am

SMTP servers have all the information needed to make an educated decision about rate limiting. Some SMTP servers support limiting the incoming mail rate.
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Re: Firewall question

Thu Jul 18, 2019 9:16 am

Yes, I know. But most of the servers I have are not managed by us. They are rented to our clients.

So, I have 2 solutions:
  • Configure firewall rules to limit the SMTP connections.
  • Redirect SMTP ports on the router to a transparent SMTP filter.
Any idea how to do this on the router?
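
Added example for the second option, the router side of a transparent relay; it is my own illustration, not a configuration from this thread. The rented servers' subnet 203.0.113.0/24 and the relay address 192.0.2.25 are assumed placeholders, ETH1 is the WAN interface from the thread. Only port 25 is redirected: 465 and 587 carry authenticated submission to one specific provider, which a transparent relay cannot impersonate.

```routeros
/ip firewall address-list
# Inside hosts whose outbound mail must pass through the filtering relay
# (assumed subnet; the relay itself is deliberately not in this list).
add list=hosted-mail-servers address=203.0.113.0/24 comment="customer mail servers"

/ip firewall nat
# Send the customers' outbound port-25 connections to the relay instead of the
# real MX. Destination-only NAT keeps the original client address, so the relay
# sees which customer server is sending and can rate-limit per client. The
# relay's own address is excluded as well, so its deliveries never loop back.
add chain=dstnat action=dst-nat to-addresses=192.0.2.25 to-ports=25 \
    protocol=tcp dst-port=25 in-interface=!ETH1 \
    src-address-list=hosted-mail-servers src-address=!192.0.2.25 \
    comment="transparent SMTP relay"
```

The relay has to sit on a segment that is routed through this router rather than on the same subnet as the customer servers: the servers connect to the MX's address, and if the relay answered them directly on a shared LAN the replies would carry the relay's address and the client's TCP stack would discard them. Routed via the router, the NAT entry rewrites the replies back. The relay becomes the STARTTLS endpoint on port 25, which opportunistic TLS tolerates but a client enforcing DANE or MTA-STS for the real MX will not. Message counting then belongs on the relay, since only it sees message boundaries; with Postfix, for instance, smtpd_client_message_rate_limit together with anvil_rate_time_unit limits messages per client per time unit.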