From e19e33d0a80fe1b4520fe9dab05f6f8a96d6c574 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 31 May 2023 10:01:38 +0200 Subject: introduce fw-addr-lists --- doc/fw-addr-lists.md | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 doc/fw-addr-lists.md (limited to 'doc') diff --git a/doc/fw-addr-lists.md b/doc/fw-addr-lists.md new file mode 100644 index 0000000..98aedcc --- /dev/null +++ b/doc/fw-addr-lists.md @@ -0,0 +1,88 @@ +Download, import and update firewall address-lists +================================================== + +[⬅️ Go back to main README](../README.md) + +> ℹ️ **Info**: This script can not be used on its own but requires the base +> installation. See [main README](../README.md) for details. + +Description +----------- + +This script downloads, imports and updates firewall address-lists. Its main +purpose is to block attacking ip addresses, spam hosts, command-and-control +servers and similar malicious entities. The default configuration contains +a list from [dshield.org](https://dshield.org/). + +The address-lists are updated in place, so after initial import you will not +see situation when the lists are not populated. + +To mitigate man-in-the-middle attacks with altered lists the server's +certificate is checked. + +Requirements and installation +----------------------------- + +Just install the script: + + $ScriptInstallUpdate fw-addr-lists; + +And add two schedulers, first one for initial import after startup, second +one for subsequent updates: + + /system/scheduler/add name="fw-addr-lists@startup" start-time=startup on-event="/system/script/run fw-addr-lists;"; + /system/scheduler/add name="fw-addr-lists" start-time=startup interval=2h on-event="/system/script/run fw-addr-lists;"; + +> ℹ️ **Info**: Modify the interval to your needs, but it is recommended to +> use less than half of the configured timeout for expiration. + +Configuration +------------- + +The configuration goes to `global-config-overlay`, these are the parameters: + +* `FwAddrLists`: a list of firewall address-lists to download and import +* `FwAddrListTimeOut`: the timeout for expiration without renew + +> ℹ️ **Info**: Copy relevant configuration from +> [`global-config`](../global-config.rsc) (the one without `-overlay`) to +> your local `global-config-overlay` and modify it to your specific needs. + +Naming a certificate for a list makes the script verify the server +certificate, so you should add that if possible. Some certificates are +available in my repository and downloaded automatically. Import it manually +(menu `/certificate/`) if missing. + +Create firewall rules to process the packets that are related to addresses +from address-lists. This rejects the packets from and to ip addresses listed +in address-list `block`. + + /ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ip/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ip/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited; + +You may want to have an address-list to allow specific addresses, as prepared +with a list `allow`. In fact you can use any list name, just change the +default ones or add your own - matching in configuration and firewall rules. + + /ip/firewall/filter/add chain=input src-address-list=allow action=accept; + /ip/firewall/filter/add chain=forward src-address-list=allow action=accept; + /ip/firewall/filter/add chain=forward dst-address-list=allow action=accept; + /ip/firewall/filter/add chain=output dst-address-list=allow action=accept; + +Modify these for your needs, but **most important**: Move the rules up in +chains and make sure they actually take effect as expected! + +Alternatively handle the packets in firewall's raw section if you prefer: + + /ip/firewall/raw/add chain=prerouting src-address-list=block action=drop; + /ip/firewall/raw/add chain=prerouting dst-address-list=block action=drop; + /ip/firewall/raw/add chain=output dst-address-list=block action=drop; + +> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make +> sure they actually take effect as expected! + +--- +[⬅️ Go back to main README](../README.md) +[⬆️ Go back to top](#top) -- cgit v1.2.3-54-g00ecf From 53ad7b717d5e0dc4c9e40a9b24e64d5f933bf14c Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Fri, 9 Jun 2023 16:03:36 +0200 Subject: fw-addr-lists: add lists from abuse.ch in config --- doc/fw-addr-lists.md | 3 ++- global-config.rsc | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/fw-addr-lists.md b/doc/fw-addr-lists.md index 98aedcc..4328776 100644 --- a/doc/fw-addr-lists.md +++ b/doc/fw-addr-lists.md @@ -12,7 +12,8 @@ Description This script downloads, imports and updates firewall address-lists. Its main purpose is to block attacking ip addresses, spam hosts, command-and-control servers and similar malicious entities. The default configuration contains -a list from [dshield.org](https://dshield.org/). +lists from [abuse.ch](https://abuse.ch/) and +[dshield.org](https://dshield.org/). The address-lists are updated in place, so after initial import you will not see situation when the lists are not populated. diff --git a/global-config.rsc b/global-config.rsc index 901c7b3..8fe4761 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -89,6 +89,10 @@ "block"={ # { url="https://eworm.de/ros/fw-addr-lists/block"; # cert="R3" }; + { url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt"; + cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" }; + { url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt"; + cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" }; { url="https://www.dshield.org/block.txt"; cidr="/24"; cert="R3" }; }; -- cgit v1.2.3-54-g00ecf From 458fe7c08857afa841feb018ac29780b3e4496a9 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Fri, 9 Jun 2023 16:03:45 +0200 Subject: fw-addr-lists: prepare lists from spamhaus.org in config --- doc/fw-addr-lists.md | 3 ++- global-config.rsc | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/fw-addr-lists.md b/doc/fw-addr-lists.md index 4328776..5805905 100644 --- a/doc/fw-addr-lists.md +++ b/doc/fw-addr-lists.md @@ -13,7 +13,8 @@ This script downloads, imports and updates firewall address-lists. Its main purpose is to block attacking ip addresses, spam hosts, command-and-control servers and similar malicious entities. The default configuration contains lists from [abuse.ch](https://abuse.ch/) and -[dshield.org](https://dshield.org/). +[dshield.org](https://dshield.org/), and +lists from [spamhaus.org](https://spamhaus.org/) are prepared. The address-lists are updated in place, so after initial import you will not see situation when the lists are not populated. diff --git a/global-config.rsc b/global-config.rsc index 8fe4761..e82170c 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -95,6 +95,10 @@ cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" }; { url="https://www.dshield.org/block.txt"; cidr="/24"; cert="R3" }; +# { url="https://www.spamhaus.org/drop/drop.txt"; +# cert="Cloudflare Inc ECC CA-3" }; +# { url="https://www.spamhaus.org/drop/edrop.txt"; +# cert="Cloudflare Inc ECC CA-3" }; }; }; :global FwAddrListTimeOut 1d; -- cgit v1.2.3-54-g00ecf