122 changes: 105 additions & 17 deletions crowdsec-docs/unversioned/bouncers/blocklist-mirror.mdx
Expand Up @@ -204,8 +204,9 @@ List of blocklists to serve. Each blocklist has the following configuration.
Format of the blocklist, the following are supported:

- `plain_text` : One IP per line
- `mikrotik` : Lines for mikrotik, format is `/ip|/ipv6 firewall address-list add list={list_name} address={ip} comment="{scenario} for {duration}"`
- `F5` : Lines for f5 appliances, format is `{ip|range},{netmask},bl,{scenario}`
- `mikrotik` : Generates a mikrotik script
- `F5` : Lines for f5 appliances
- `juniper`: One entry per line using CIDR notation

#### `endpoint`
> string
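Review bot: the replacement F5 bullet drops the only description of the line layout that the removed line carried (`{ip|range},{netmask},bl,{scenario}`), so a reader of this list no longer learns what an F5 line looks like until the F5 example much further down. Suggest keeping the format string in the bullet, e.g. `- \`F5\` : Lines for f5 appliances, format is \`{ip|range},{netmask},bl,{scenario}\``, and, for consistency with the new "MikroTik" headings below, writing `MikroTik` in the `mikrotik` bullet instead of "mikrotik script".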
Expand Down Expand Up @@ -311,27 +312,43 @@ Example:

### mikrotik

If your mikrotik router does not support ipv6, then you can use the global query parameters to only return ipv4 addresses.
Generates a MikroTik Script that the device can execute to populate the specified firewall address list.

Example:
#### MikroTik query parameters

```text
/ip firewall address-list remove [find list=CrowdSec]
/ipv6 firewall address-list remove [find list=CrowdSec]
/ip firewall address-list add list=CrowdSec address=192.168.1.1 comment="crowdsecurity/ssh-bf for 152h40m24.308868973s"
/ip firewall address-list add list=CrowdSec address=192.168.1.2 comment="crowdsecurity/postfix-spam for 166h40m25.280338424s"/ipv6 firewall address-list add list=CrowdSec address=2001:470:1:c84::17 comment="crowdsecurity/ssh-bf for 165h13m42.405449876s"
| Parameter | Description |
|----------------|--------------------------------------------------------------------------|
| `listname=foo` | Set the list name to `foo`. By default, `listname` is set to `CrowdSec`. |

Example output:
```bash
/ip/firewall/address-list/remove [ find where list="foo" ];
:global CrowdSecAddIP;
:set CrowdSecAddIP do={
:do { /ip/firewall/address-list/add list=foo address=$1 comment="$2" timeout=$3; } on-error={ }
}
$CrowdSecAddIP 1.2.3.4 "ssh-bf" 152h40m24s
$CrowdSecAddIP 4.3.2.1 "postfix-spam" 166h40m25s
$CrowdSecAddIP 2001:470:1:c84::17 "ssh-bf" 165h13m42s
```

#### mikrotik query parameters
#### Example: MikroTik import script

`?listname=foo` - Set the list name to `foo`, by default `listname` is set to `CrowdSec`
Using on device [MikroTik scripting](https://help.mikrotik.com/docs/display/ROS/Scripting) following is a starting point to download and import the blocklist. Ensure to adjust the [global query parameters](#global-runtime-query-parameters) according to your needs!

example output:
```text
/ip firewall address-list remove [find list=foo]
/ipv6 firewall address-list remove [find list=foo]
/ip firewall address-list add list=foo address=192.168.1.1 comment="crowdsecurity/ssh-bf for 152h40m24.308868973s"
/ip firewall address-list add list=foo address=192.168.1.2 comment="crowdsecurity/postfix-spam for 166h40m25.280338424s"/ipv6 firewall address-list add list=foo address=2001:470:1:c84::17 comment="crowdsecurity/ssh-bf for 165h13m42.405449876s"
```bash
:local name "[crowdsec]"
:local url "http://<IP>:41412/security/blocklist?ipv4only&nosort"
:local fileName "blocklist.rsc"
:log info "$name fetch blocklist from $url"
/tool fetch url="$url" mode=http dst-path=$fileName
:if ([:len [/file find name=$fileName]] > 0) do={
:log info "$name import;start"
/import file-name=$fileName
:log info "$name import:done"
} else={
:log error "$name failed to fetch the blocklist"
}
```

### F5
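Review bot: the generated script shown under "Example output" adds every entry through `/ip/firewall/address-list/add`, yet its last sample line passes an IPv6 address (`$CrowdSecAddIP 2001:470:1:c84::17 "ssh-bf" 165h13m42s`); on RouterOS IPv6 entries belong under `/ipv6/firewall/address-list`, and because the wrapper uses `on-error={ }` with an empty body that add would fail silently rather than be logged. Either emit a second function (or a branch on address family) that targets `/ipv6/firewall/address-list/add`, as the removed example did with separate `/ip` and `/ipv6` lines, or state that the `mikrotik` format is IPv4-only and drop the IPv6 line from the sample; in both cases put at least a `:log warning` in the `on-error` body so failed adds are visible. Two smaller points in the import script: a failed `/tool fetch` terminates the script unless it is wrapped in `:do { } on-error={ }`, so the `else` branch with the "failed to fetch the blocklist" log is unlikely to be reached as written, and since `/import` executes whatever the mirror returned, the surrounding text should recommend serving the endpoint over HTTPS with `ip_based` or `basic` authentication rather than the plain `http://<IP>:41412` shown. Minor: "Using on device MikroTik scripting" reads better as "Using on-device MikroTik scripting".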
Expand All @@ -342,3 +359,74 @@ Example:
192.168.1.1,32,bl,ssh-slow-bf
192.168.1.2,32,bl,ssh-slow-bf
```

### Juniper

Generates a .txt file with all IP addresses (single host and subnets) in the CIDR notation format supported by the Juniper Networks SRX firewall platform.

Example:
```text
1.2.3.4/32
4.3.2.1/32
```

#### SRX Dynamic Address configuration sample

Using the blocklist on a Juniper SRX requires that the published url ends in .txt. This can be acieved by altering the endpoint config in `cfg.yaml` as follows:

Sample `cfg.yaml`
```yaml
####
blocklists:
- format: juniper # Supported formats are either of "plain_text", "mikrotik", "juniper"
endpoint: /security/blocklist.txt #Must have .txt for juniper formatter.
authentication:
type: none # Supported types are either of "none", "ip_based", "basic"
user:
password:
trusted_ips: # IP ranges, or IPs which don't require auth to access this blocklist
- 127.0.0.1
- ::1
####
```

This can then be configured on the SRX firewall as follows:

Sample SRX config:
```test
user@srx> show configuration security dynamic-address | display set

set security dynamic-address feed-server crowdsec url http://192.168.1.2:41412
set security dynamic-address feed-server crowdsec update-interval 30
set security dynamic-address feed-server crowdsec feed-name crowdsec path /security/blocklist.txt
set security dynamic-address address-name crowdsec-blocklist profile feed-name crowdsec
```

[Further information here](https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html)

A successful configuration should return a similar result when queried:

```text
user@srx> show security dynamic-address summary


Dynamic-address session scan status : Disable
Hold-interval for dynamic-address session scan : 10 seconds


Server Name : crowdsec
Hostname/IP : http://192.168.1.2:41412
Update interval : 30
Hold interval : 86400
TLS Profile Name : ---
User Name : ---


Feed Name : crowdsec
Mapped dynamic address name : crowdsec-blocklist
URL : http://192.168.1.2:41412/security/blocklist.txt
Feed update interval : 30 Feed hold interval :86400
Total update : 16310
Total IPv4 entries : 16240
Total IPv6 entries : 0
```
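Review bot: the "Sample SRX config" block is fenced as ```test instead of ```text, so it will not render as the plain-text block intended; fix the fence tag. Also "acieved" should be "achieved" in the sentence introducing the `cfg.yaml` sample, and the `format:` comment in that sample lists only `"plain_text", "mikrotik", "juniper"` while the format list at the top of this file also documents `F5`, so the comment should include it. Lastly, `trusted_ips` in the sample describes IPs that bypass authentication, which has no effect alongside `type: none`; either switch the sample to `ip_based` so the listed ranges mean something, or drop `user`, `password` and `trusted_ips` from it to avoid suggesting that `none` restricts access.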