2023-05-31 10:01:38 +02:00
Download, import and update firewall address-lists
==================================================
2024-03-06 14:30:18 +01:00
[](https://github.com/eworm-de/routeros-scripts/stargazers)
[](https://github.com/eworm-de/routeros-scripts/network)
[](https://github.com/eworm-de/routeros-scripts/watchers)
[](https://mikrotik.com/download/changelogs/)
[](https://t.me/routeros_scripts)
[](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
2023-05-31 10:01:38 +02:00
[⬅️ Go back to main README ](../README.md )
> ℹ ️
> installation. See [main README](../README.md) for details.
Description
-----------
This script downloads, imports and updates firewall address-lists. Its main
purpose is to block attacking ip addresses, spam hosts, command-and-control
servers and similar malicious entities. The default configuration contains
2023-06-09 16:03:36 +02:00
lists from [abuse.ch ](https://abuse.ch/ ) and
2023-06-09 16:03:45 +02:00
[dshield.org ](https://dshield.org/ ), and
lists from [spamhaus.org ](https://spamhaus.org/ ) are prepared.
2023-05-31 10:01:38 +02:00
The address-lists are updated in place, so after initial import you will not
see situation when the lists are not populated.
To mitigate man-in-the-middle attacks with altered lists the server's
certificate is checked.
Requirements and installation
-----------------------------
Just install the script:
$ScriptInstallUpdate fw-addr-lists;
And add two schedulers, first one for initial import after startup, second
one for subsequent updates:
/system/scheduler/add name="fw-addr-lists@startup " start-time=startup on-event="/system/script/run fw-addr-lists;";
/system/scheduler/add name="fw-addr-lists" start-time=startup interval=2h on-event="/system/script/run fw-addr-lists;";
> ℹ ️
> use less than half of the configured timeout for expiration.
Configuration
-------------
The configuration goes to `global-config-overlay` , these are the parameters:
* `FwAddrLists` : a list of firewall address-lists to download and import
* `FwAddrListTimeOut` : the timeout for expiration without renew
> ℹ ️
> [`global-config`](../global-config.rsc) (the one without `-overlay`) to
> your local `global-config-overlay` and modify it to your specific needs.
Naming a certificate for a list makes the script verify the server
certificate, so you should add that if possible. Some certificates are
available in my repository and downloaded automatically. Import it manually
(menu `/certificate/` ) if missing.
Create firewall rules to process the packets that are related to addresses
2024-02-23 11:19:56 +01:00
from address-lists.
### IPv4 rules
This rejects the packets from and to IPv4 addresses listed in
address-list `block` .
2023-05-31 10:01:38 +02:00
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
You may want to have an address-list to allow specific addresses, as prepared
with a list `allow` . In fact you can use any list name, just change the
default ones or add your own - matching in configuration and firewall rules.
/ip/firewall/filter/add chain=input src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ip/firewall/filter/add chain=output dst-address-list=allow action=accept;
Modify these for your needs, but **most important ** : Move the rules up in
chains and make sure they actually take effect as expected!
Alternatively handle the packets in firewall's raw section if you prefer:
/ip/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ip/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ip/firewall/raw/add chain=output dst-address-list=block action=drop;
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
2024-02-23 11:19:56 +01:00
### IPv6 rules
These are the same rules, but for IPv6.
Reject packets in address-list `block` :
/ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
Allow packets in address-list `allow` :
/ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
Drop packets in firewall's raw section:
/ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
2023-05-31 10:01:38 +02:00
---
[⬅️ Go back to main README ](../README.md )
[⬆️ Go back to top ](#top )
