ℹ️ Info: This script can not be used on its own but requires the base installation. See main README for details.
This script downloads, imports and updates firewall address-lists. Its main purpose is to block attacking ip addresses, spam hosts, command-and-control servers and similar malicious entities. The default configuration contains lists from abuse.ch, dshield.org and blocklist.de, and lists from spamhaus.org are prepared.
The address-lists are updated in place, so after initial import you will not see situation when the lists are not populated.
To mitigate man-in-the-middle attacks with altered lists the server's certificate is checked.
⚠️ Warning: The script does not limit the size of a list, but keep in mind that huge lists can exhaust your device's resources (RAM and CPU), and may take a long time to process.
Just install the script:
$ScriptInstallUpdate fw-addr-lists;
And add two schedulers, first one for initial import after startup, second one for subsequent updates:
/system/scheduler/add name="fw-addr-lists@startup" start-time=startup on-event="/system/script/run fw-addr-lists;";
/system/scheduler/add name="fw-addr-lists" start-time=startup interval=2h on-event="/system/script/run fw-addr-lists;";
ℹ️ Info: Modify the interval to your needs, but it is recommended to use less than half of the configured timeout for expiration.
The configuration goes to global-config-overlay
, these are the parameters:
FwAddrLists
: a list of firewall address-lists to download and importFwAddrListTimeOut
: the timeout for expiration without renew
ℹ️ Info: Copy relevant configuration from
global-config
(the one without-overlay
) to your localglobal-config-overlay
and modify it to your specific needs.
Naming a certificate for a list makes the script verify the server
certificate, so you should add that if possible. Some certificates are
available in my repository and downloaded automatically. Import it manually
(menu /certificate/
) if missing.
Create firewall rules to process the packets that are related to addresses from address-lists.
This rejects the packets from and to IPv4 addresses listed in
address-list block
.
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
You may want to have an address-list to allow specific addresses, as prepared
with a list allow
. In fact you can use any list name, just change the
default ones or add your own - matching in configuration and firewall rules.
/ip/firewall/filter/add chain=input src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ip/firewall/filter/add chain=output dst-address-list=allow action=accept;
Modify these for your needs, but most important: Move the rules up in chains and make sure they actually take effect as expected!
Alternatively handle the packets in firewall's raw section if you prefer:
/ip/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ip/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ip/firewall/raw/add chain=output dst-address-list=block action=drop;
⚠️ Warning: Just again... The order of firewall rules is important. Make sure they actually take effect as expected!
These are the same rules, but for IPv6.
Reject packets in address-list block
:
/ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
Allow packets in address-list allow
:
/ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
Drop packets in firewall's raw section:
/ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
⚠️ Warning: Just again... The order of firewall rules is important. Make sure they actually take effect as expected!