On Thu, 2020-05-07 at 21:33 +1000, Mike Everest wrote:
> My expectation is that the rules will match no traffic at all, because 'connection state' is never blank, unless (perhaps) if connection tracking is disabled - I would need to run some experiments to determine what is the actual case with connection tracking disabled :-}
> [...]
> What *is* the result you observed, and what would you expect to see?
These are quite old rules, and RouterOS has been upgraded a couple of times on top of them. I certainly did not create the rules like that. The full set is below and will be immediately recognisable as an ssh repeat-offender blacklist.

I would have expected to see no blacklisting happening, because no rules would match and the chain would return having had no effect, other than to block addresses that were already in the blacklist (which would be none after a few weeks, as they all timed out). What surprises me greatly is that addresses are being blacklisted exactly as if the rules actually contained 'connection-state="new"'! Here are some samples, the oldest and the newest:

   0 D ssh_blacklist 89.189.222.150 1w2d12h46m56s
   1 D ssh_blacklist 45.6.240.150 1w4d14h19m12s
   [...]
1644 D ssh_stage1 79.116.60.233 49s
1645 D ssh_stage1 222.186.30.112 57s

Offenders march neatly from stage to stage until they end up on the blacklist. There are no other rules anywhere in the overall ruleset that put addresses into those lists, so it has to be the rules below that are doing it. What is even more weird is that I have a similar set of rules that test for "established,related", and those rules seem to be working as well, even though they too display as 'connection-state=""'. All these rules look the same when exported, too.

I know I shouldn't touch a working system, and it's been up for 66 weeks, so a shame to reboot, but I want to upgrade RouterOS (currently it's 6.36 stable), and I plan to put "new" in those rules at the same time.

Regards, K.
 0 chain=ssh action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log-prefix=""
 1 chain=ssh action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=8w4d dst-port=22 log-prefix=""
 2 chain=ssh action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log-prefix=""
 3 chain=ssh action=add-src-to-address-list connection-state="" protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log-prefix=""
 4 chain=ssh action=add-src-to-address-list connection-state="" protocol=tcp address-list=ssh_stage1 address-list-timeout=1> dst-port=22 log-prefix=""
 5 chain=ssh action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log-prefix=""
 6 chain=ssh action=accept connection-state="" protocol=tcp dst-port=22 log-prefix=""
 7 chain=ssh action=return log-prefix=""

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: CF68 0C56 EEE4 CC19 28D4 03B3 BCE0 E800 E31F 7254
Old fingerprint: 887A DA07 4DCC EE76 B413 27D4 C638 4189 6CF0 D556
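Added example, not part of the thread above and not MikroTik code: a small Python model of the staged chain Karl posted, to show why the rules are ordered stage3 first and why the 1m stage timeouts only catch addresses that reconnect quickly. It assumes what RouterOS documents for these actions, namely that add-src-to-address-list is a passthrough action (the packet continues to the next rule) and that re-adding an address refreshes its timeout; the garbled timeout on rule 4 is assumed to be 1m like the other stages, and the connection-state=new matcher the author intends to set is modelled by feeding only new connection attempts through the chain. The source address 203.0.113.7 and the attempt timings are constructed test data.

```python
"""Model of a RouterOS-style staged ssh blacklist chain (constructed example)."""

MINUTE = 60
TIMEOUT_1M = 1 * MINUTE                       # address-list-timeout=1m
TIMEOUT_8W4D = (8 * 7 + 4) * 24 * 3600        # address-list-timeout=8w4d


class AddressLists:
    """Dynamic address lists keyed by name; each entry carries an expiry time."""

    def __init__(self):
        self._lists = {}

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an existing address refreshes its timeout.
        self._lists.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        entries = self._lists.get(name, {})
        expiry = entries.get(addr)
        if expiry is None:
            return False
        if expiry <= now:               # dynamic entry has timed out
            del entries[addr]
            return False
        return True

    def members(self, name, now):
        return sorted(a for a, exp in self._lists.get(name, {}).items() if exp > now)


# Rules as (src-address-list or None, action, target list, timeout), in the
# order of the exported chain. Rule 4's timeout is assumed to be 1m.
SSH_CHAIN = [
    ("ssh_blacklist", "drop", None, None),                 # 0
    ("ssh_stage3", "add-src", "ssh_blacklist", TIMEOUT_8W4D),  # 1
    ("ssh_stage2", "add-src", "ssh_stage3", TIMEOUT_1M),   # 2
    ("ssh_stage1", "add-src", "ssh_stage2", TIMEOUT_1M),   # 3
    (None, "add-src", "ssh_stage1", TIMEOUT_1M),           # 4
    ("ssh_blacklist", "drop", None, None),                 # 5
    (None, "accept", None, None),                          # 6
]

# The same rules with the add-src rules reversed (stage1 first): a single new
# connection then climbs every stage in one pass and is blacklisted at once.
WRONG_ORDER_CHAIN = [SSH_CHAIN[0], SSH_CHAIN[4], SSH_CHAIN[3], SSH_CHAIN[2],
                     SSH_CHAIN[1], SSH_CHAIN[5], SSH_CHAIN[6]]


def new_connection(lists, chain, src, now):
    """Run one new tcp/22 connection from src through the chain; return the verdict."""
    for src_list, action, target, timeout in chain:
        if src_list is not None and not lists.contains(src_list, src, now):
            continue
        if action in ("drop", "accept"):
            return action
        lists.add(target, src, now, timeout)    # passthrough: evaluation continues
    return "return"                             # rule 7: back to the calling chain


def run_attempts(chain, times, src="203.0.113.7"):
    """Feed connection attempts at the given timestamps (seconds); return verdicts and lists."""
    lists = AddressLists()
    verdicts = [new_connection(lists, chain, src, t) for t in times]
    return verdicts, lists


if __name__ == "__main__":
    fast, lists = run_attempts(SSH_CHAIN, [0, 10, 20, 30, 40])
    print("fast repeat offender:", fast, lists.members("ssh_blacklist", 41))
    slow, lists = run_attempts(SSH_CHAIN, [0, 90, 180, 270])
    print("slow offender (stage entries expire between attempts):", slow)
    print("wrong rule order, first connection:", run_attempts(WRONG_ORDER_CHAIN, [0])[0])
```

With the exported order, each new connection advances the source by exactly one stage, because rule 1 checks ssh_stage3 before rule 2 can add to it; the fourth attempt within a minute lands on ssh_blacklist and is dropped by rule 5 on that same packet, and everything after it is dropped by rule 0. An address that retries only every 90 seconds never leaves ssh_stage1.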