Securing Mikrotik with Blacklists

PUBLISHED ON NOV 24, 2018 / 2 MIN READ

Running your own mail server at home is great, but you quickly notice that spammers bombard you immediately. Port scanners and other script kiddies are annoying too!

The blacklists from squidblacklist.org come to the rescue — they let you populate the MikroTik router’s firewall address lists very easily.

Some lists, including the Malicious host ip address list (combined profile) used here, are available for free!

This blacklist is certainly not comprehensive (only about 32,000 entries), but it is a good start!

For me it has definitely been worth it!

A rough guide can be found here https://blog.squidblacklist.org/?p=1407, but I made some changes:

1. Fetching the current list via Scheduler

First, create a scheduler entry that fetches the current list every 30 minutes and imports it. Keep in mind that import executes whatever the downloaded .rsc file contains, with the scheduler's write and policy rights, and the fetch below is plain HTTP, so the file is only as trustworthy as the source and the path to it:

/system scheduler
add interval=30m name=squidblacklist-org on-event="/tool fetch url=\"http://www.squidblacklist.org/downloads/drop.malicious.rsc\" \
    mode=http dst-path=/disk1/drop.malicious.rsc; \
    :delay 2; import /disk1/drop.malicious.rsc;" \
    policy=read,write,policy,test start-date=jan/01/1970 start-time=00:02:00

The /disk1/ prefix should be removed or adjusted if you don’t have a MicroSD/USB stick/SSD in the router. You should have one, though, because otherwise every fetch writes the file into the scarce RAM or — worse — wears the internal flash storage!

/disk print

If no disk1 appears here, remove the prefix from the scheduler! The blocklist is then downloaded into RAM (~4MB). The imported entries also reside in RAM after import and take up ~40MB. Tested with a hEX S!

In the current router overview you can see the maximum available RAM right away. With only 64MB, e.g. hEX lite, this will not work since 64MB is not fully free and it has neither MicroSD nor USB…

/system resource print

shows free-memory (on my hEX S with the blocklist loaded currently 183.6MiB) and total-memory (256.0 MiB). Plenty!
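Since import runs the downloaded file as a script, it is worth confirming that a fresh download contains nothing but address-list statements before the router executes it. The following checker is an added example (not from the original post or from squidblacklist.org) meant to run on a separate host against the downloaded .rsc; the feed layout (section header plus add list=... address=... lines, optionally a remove per list) and the list names in ALLOWED_LISTS are assumptions.

```python
"""Offline check of a fetched .rsc feed before /import executes it.  /import runs
every statement with the scheduler's write/policy rights, so only address-list
adds/removes for the expected lists pass; the feed layout is an assumption."""
import ipaddress
import re

ALLOWED_LISTS = {"sbl dshield", "sbl spamhaus", "sbl blocklist.de"}
ALLOWED_KEYS = {"address", "list", "comment", "timeout"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REMOVE_RE = re.compile(r'^remove \[find list="([^"]+)"\]$')

def parse_add(line):
    """Turn `add k=v k=v ...` into a dict (quotes stripped), or None on junk."""
    body = line[4:]
    if KV_RE.sub("", body).strip():  # leftover text that is not key=value
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(body)}

def check_rsc(text):
    """Return (ok, problems, entries_per_list) for the script text."""
    problems, counts = [], {name: 0 for name in ALLOWED_LISTS}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "/ip firewall address-list":
            continue
        m = REMOVE_RE.match(line)
        if m and m.group(1) in ALLOWED_LISTS:
            continue  # the feed clearing one of its own lists before refilling it
        kv = parse_add(line) if line.startswith("add ") else None
        if not kv or not ALLOWED_KEYS >= set(kv) or not {"address", "list"} <= set(kv):
            problems.append(f"line {n}: unexpected statement {line!r}")  # /user, /system, ...
        elif kv["list"] not in ALLOWED_LISTS:
            problems.append(f"line {n}: unexpected list {kv['list']!r}")
        else:
            try:
                ipaddress.IPv4Network(kv["address"], strict=False)
                counts[kv["list"]] += 1
            except ValueError:
                problems.append(f"line {n}: bad address {kv['address']!r}")
    return not problems, problems, counts

# Constructed sample: a feed fragment with two lines that must be rejected.
SAMPLE = """\
/ip firewall address-list
remove [find list="sbl dshield"]
add list="sbl dshield" address=198.51.100.0/24
add list="sbl spamhaus" address=203.0.113.7 comment="test entry"
/system identity set name=changed
add list="sbl blocklist.de" address=300.1.1.1
"""
```

Only copy the file to the router and let the scheduler import it when check_rsc reports no problems; the per-list counts also make a sudden shrink or growth of the feed visible.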

2. Add the following 3 RAW rules to the firewall

/ip firewall raw
add action=drop chain=prerouting comment="sbl dshield SRC" src-address-list="sbl dshield"
add action=drop chain=prerouting comment="sbl spamhaus SRC" src-address-list="sbl spamhaus"
add action=drop chain=prerouting comment="sbl blocklist.de SRC" src-address-list="sbl blocklist.de"

3. Add 3 more RAW rules to the firewall

The guide at https://blog.squidblacklist.org/?p=1407 uses dst-address-list= instead of my src-address-list=.

That seemed odd to me too, since we want to keep attackers coming from bad source addresses out! This is also discussed in the comments of that guide. If you want to be on the safe side, extend your RAW firewall with corresponding dst-address-list= rules to also filter outbound traffic:

/ip firewall raw
add action=drop chain=prerouting comment="sbl dshield DST" dst-address-list="sbl dshield"
add action=drop chain=prerouting comment="sbl spamhaus DST" dst-address-list="sbl spamhaus"
add action=drop chain=prerouting comment="sbl blocklist.de DST" dst-address-list="sbl blocklist.de"

Why use the RAW firewall? Read here!

tl;dr: Saves CPU!

TAGS: MIKROTIK