txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Dropping port scanners issues

Wed Jan 09, 2013 5:49 pm

Hello all,

I am using the following in my input chain:

9 ;;; Add "port scanners" to address list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

10 X ;;; Add outside port scanners to list NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

11 X ;;; Add outside port scanners to list SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w

12 X ;;; Add outside port scanners to list SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w

13 X ;;; Add outside port scanners to list FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

14 X ;;; Add outside port scanners to list ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w

15 X ;;; Add outside port scanners to list NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

16 ;;; Drop "port scanners" address list
chain=input action=drop src-address-list=port scanners


I am getting my own internal and public IPs showing up in my port scanners drop list, however. I hand out the public ones by PPPoE and the router acts as a DNS caching server. I have a feeling that it has something to do with DNS, but I am unsure what. All clients use my router as 1st DNS, Google's as secondary.

Any ideas?
 
txpower501
just joined
Topic Author
Posts: 10
Joined: Wed Jan 09, 2013 5:44 pm

Re: Dropping port scanners issues

Sat Jan 12, 2013 9:54 pm

bump
 
glucz
Member Candidate
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Re: Dropping port scanners issues

Mon Jan 14, 2013 2:44 pm

This is just a quick idea as opposed to a fully thought-out answer:

Some of these rules, especially #9, will have a lot of false hits ... at least false in the sense that they are not port scans. Simple FTP or P2P can trigger them, and they could be initiated from inside your network. So you will end up with internal addresses on the port scan IP list. Add another criterion to the rule to only look at traffic coming from the external interface, or exclude the internal address range.

GL
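The restriction glucz suggests, written out as a complete input-chain rule set. This is an added example and not part of any post in this thread: the upstream interface name ether1-wan, the LAN range 192.168.88.0/24, the PPPoE pool 203.0.113.0/24 and the address 192.168.88.10 in the clean-up command are assumptions to be replaced with your own values; the psd parameters and the tcp-flags patterns are the ones from the original rules 9, 11 and 15.

```routeros
# Added example, not from the original thread. Assumed values:
#   ether1-wan        - the interface facing the upstream / Internet
#   192.168.88.0/24   - the LAN range
#   203.0.113.0/24    - the pool handed out to PPPoE clients
# A list name containing a space must be quoted on the CLI; the "print"
# output in the thread shows it unquoted.

/ip firewall address-list
add list=trusted address=192.168.88.0/24 comment="LAN (assumed range)"
add list=trusted address=203.0.113.0/24 comment="PPPoE client pool (assumed range)"

/ip firewall filter
# 1. Drop anything already classified, before the classifiers run again.
add chain=input src-address-list="port scanners" action=drop comment="Drop \"port scanners\" address list"

# 2. Replies to connections the router opened itself (DNS forwarding to the
#    secondary resolver, FTP data channels, ...) never reach the classifiers.
add chain=input connection-state=established,related action=accept comment="accept established/related"

# 3. Classifiers: only connection-opening TCP packets that arrive on the
#    upstream interface from an address that is NOT in the trusted list.
#    PPPoE subscribers arrive on their own <pppoe-...> interfaces, so the
#    in-interface match alone already excludes them; the negated
#    address-list match covers the LAN range.
add chain=input in-interface=ether1-wan src-address-list=!trusted protocol=tcp connection-state=new psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Add \"port scanners\" to address list"
add chain=input in-interface=ether1-wan src-address-list=!trusted protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input in-interface=ether1-wan src-address-list=!trusted protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"

# Checks: which input rules are actually firing, and who has been listed.
/ip firewall filter print stats where chain=input
/ip firewall address-list print where list="port scanners"

# Clean-up: remove an address that was listed before the restriction was
# added (the address is an assumed example).
/ip firewall address-list remove [find list="port scanners" address=192.168.88.10]
```

Entries already in the list keep their 2w timeout after the rules change, so clear the wrongly listed addresses once by hand, then watch the counters on the classifier rules for a while before trusting the list again. Excluding the trusted ranges also means an internal host that really does scan the router will never be listed by these rules; that is the intended trade-off of glucz's suggestion, so keep a separate rule or log entry for internal sources if you want to see those.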