Manual:IP/Firewall/Address list: Difference between revisions

From MikroTik Wiki
mNo edit summary
m fix links
Line 11: Line 11:


<p>
<p>
The address list records could be updated dynamically via the <code>action=add-src-to-address-list</code> or <code>action=add-dst-to-address-list</code> items found in [[Firewall/NAT | NAT]], [[Firewall/Mangle | mangle]] and [[Firewall_filter | filter]] facilities.
The address list records could be updated dynamically via the <code>action=add-src-to-address-list</code> or <code>action=add-dst-to-address-list</code> items found in [[M:IP/Firewall/NAT | NAT]], [[M:IP/Firewall/Mangle | mangle]] and [[M:IP/Firewall/Filter | filter]] facilities.
</p>
</p>
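
Review bot: the new filter target in the changed line, `M:IP/Firewall/Filter`, departs further from the old page name (`Firewall_filter`) than the NAT and mangle targets do from theirs, so confirm that all three `M:IP/Firewall/...` pages exist and that the `M:` prefix resolves before relying on this link fix. While this sentence is being touched, "could be updated" would read better as "can be updated".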



Revision as of 08:38, 27 April 2010

Applies to RouterOS: 2.9, v3, v4

Summary

Sub-menu: /ip firewall address-list

Firewall address lists allow the user to group IP addresses into named lists. The firewall filter, mangle and NAT facilities can then match packets against these lists.

Address list records can also be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in the NAT, mangle and filter facilities.


Properties

| Property | Description |
| --- | --- |
| address (IP address/netmask \| IP-IP; Default: ) | IP address or range to add to the address list |
| list (string; Default: ) | Name of the address list to which the IP address is added |

Example

The following example creates an address list of hosts that connect to port 23 (telnet) on the router and drops all further traffic from them. Additionally, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):

[admin@MikroTik] > /ip firewall address-list add list=drop_traffic address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
[admin@MikroTik] > /ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 \
\... action=add-src-to-address-list address-list=drop_traffic
[admin@MikroTik] > /ip firewall filter add action=drop chain=input src-address-list=drop_traffic
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
 1 D drop_traffic 1.1.1.1
 2 D drop_traffic 10.5.11.8
[admin@MikroTik] >

As seen in the output of the last print command, two new dynamic entries appeared in the address list. Hosts with these IP addresses tried to initiate a telnet session to the router.
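
The behaviour of the two rules above can be traced with a small model. This is an added example in Python, not RouterOS code and not part of the original manual; the names parse_entry, AddressLists and handle_packet are hypothetical, and the packets are constructed sample input. It parses the address formats from the Properties table and applies the mangle rule before the filter rule, as the packet flow does.

```python
import ipaddress

def parse_entry(address):
    """Parse an 'address' value (IP, IP/netmask or IP-IP) into an inclusive (first, last) pair."""
    if "-" in address:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in address.split("-", 1))
        if first > last:
            raise ValueError(f"range start is above range end: {address}")
        return first, last
    net = ipaddress.IPv4Network(address, strict=False)
    return net[0], net[-1]

class AddressLists:
    def __init__(self):
        self.entries = []  # (list name, first, last, dynamic flag), in print order

    def add(self, name, address, dynamic=False):
        first, last = parse_entry(address)
        self.entries.append((name, first, last, dynamic))

    def matches(self, name, ip):
        ip = ipaddress.IPv4Address(ip)
        return any(n == name and first <= ip <= last for n, first, last, _ in self.entries)

def handle_packet(lists, src, protocol, dst_port, to_router=True):
    """Apply the page's two rules in packet-flow order and return 'drop' or 'accept'."""
    # mangle, chain=prerouting: evaluated before the filter input chain, and it
    # sees every incoming packet, whether addressed to the router or forwarded.
    # Simplification (assumption): an already-listed address is not added again.
    if protocol == "tcp" and dst_port == 23 and not lists.matches("drop_traffic", src):
        lists.add("drop_traffic", src, dynamic=True)
    # filter, chain=input: only packets addressed to the router itself.
    if to_router and lists.matches("drop_traffic", src):
        return "drop"
    return "accept"

def demo():
    lists = AddressLists()
    lists.add("drop_traffic", "192.0.34.166/32")          # static entry from the page
    verdicts = [
        handle_packet(lists, "10.5.11.8", "tcp", 80),     # not listed yet
        handle_packet(lists, "10.5.11.8", "tcp", 23),     # listed, then dropped
        handle_packet(lists, "10.5.11.8", "tcp", 80),     # all further traffic dropped
        handle_packet(lists, "192.0.34.166", "udp", 53),  # matches the static entry
    ]
    dynamic = [str(first) for _, first, _, dyn in lists.entries if dyn]
    return verdicts, dynamic

if __name__ == "__main__":
    print(demo())
```

Because the add rule sits in chain=prerouting without a destination match, the model also lists a host whose telnet packet is only forwarded through the router (to_router=False), while the input-chain drop rule leaves that forwarded packet alone.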