mirror.MikroTik/eworm.routeros-scripts
1
0
Fork 0
mirror of https://git.eworm.de/cgit/routeros-scripts synced 2025-08-03 01:34:32 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'fw-addr-lists' into next

Browse source
This commit is contained in:
Christian Hesse 2023-06-13 20:28:25 +02:00
commit 3358dcb0e7
8 changed files with 555 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -208,6 +208,7 @@ Available scripts
* [Comment DHCP leases with info from access list](doc/dhcp-lease-comment.md)
* [Create DNS records for DHCP leases](doc/dhcp-to-dns.md)
* [Automatically upgrade firmware and reboot](doc/firmware-upgrade-reboot.md)
* [Download, import and update firewall address-lists](doc/fw-addr-lists.md)
* [Wait for global functions und modules](doc/global-wait.md)
* [Send GPS position to server](doc/gps-track.md)
* [Use WPA2 network with hotspot credentials](doc/hotspot-to-wpa.md)

163
certs/Cloudflare Inc ECC CA-3.pem Normal file
View file

@ -0,0 +1,163 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:37:87:64:5e:5f:b4:8c:22:4e:fd:1b:ed:14:0c:3c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
Validity
Not Before: Jan 27 12:48:08 2020 GMT
Not After : Dec 31 23:59:59 2024 GMT
Subject: C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b9:ad:4d:66:99:14:0b:46:ec:1f:81:d1:2a:50:
1e:9d:03:15:2f:34:12:7d:2d:96:b8:88:38:9b:85:
5f:8f:bf:bb:4d:ef:61:46:c4:c9:73:d4:24:4f:e0:
ee:1c:ce:6c:b3:51:71:2f:6a:ee:4c:05:09:77:d3:
72:62:a4:9b:d7
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
A5:CE:37:EA:EB:B0:75:0E:94:67:88:B4:45:FA:D9:24:10:87:96:1F
X509v3 Authority Key Identifier:
E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/Omniroot2025.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Policy: 2.16.840.1.114412.1.2
Policy: 2.23.140.1.2.1
Policy: 2.23.140.1.2.2
Policy: 2.23.140.1.2.3
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
05:24:1d:dd:1b:b0:2a:eb:98:d6:85:e3:39:4d:5e:6b:57:9d:
82:57:fc:eb:e8:31:a2:57:90:65:05:be:16:44:38:5a:77:02:
b9:cf:10:42:c6:e1:92:a4:e3:45:27:f8:00:47:2c:68:a8:56:
99:53:54:8f:ad:9e:40:c1:d0:0f:b6:d7:0d:0b:38:48:6c:50:
2c:49:90:06:5b:64:1d:8b:cc:48:30:2e:de:08:e2:9b:49:22:
c0:92:0c:11:5e:96:92:94:d5:fc:20:dc:56:6c:e5:92:93:bf:
7a:1c:c0:37:e3:85:49:15:fa:2b:e1:74:39:18:0f:b7:da:f3:
a2:57:58:60:4f:cc:8e:94:00:fc:46:7b:34:31:3e:4d:47:82:
81:3a:cb:f4:89:5d:0e:ef:4d:0d:6e:9c:1b:82:24:dd:32:25:
5d:11:78:51:10:3d:a0:35:23:04:2f:65:6f:9c:c1:d1:43:d7:
d0:1e:f3:31:67:59:27:dd:6b:d2:75:09:93:11:24:24:14:cf:
29:be:e6:23:c3:b8:8f:72:3f:e9:07:c8:24:44:53:7a:b3:b9:
61:65:a1:4c:0e:c6:48:00:c9:75:63:05:87:70:45:52:83:d3:
95:9d:45:ea:f0:e8:31:1d:7e:09:1f:0a:fe:3e:dd:aa:3c:5e:
74:d2:ac:b1
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIQCjeHZF5ftIwiTv0b7RQMPDANBgkqhkiG9w0BAQsFADBa
MQswCQYDVQQGEwJJRTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJl
clRydXN0MSIwIAYDVQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTIw
MDEyNzEyNDgwOFoXDTI0MTIzMTIzNTk1OVowSjELMAkGA1UEBhMCVVMxGTAXBgNV
BAoTEENsb3VkZmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkZmxhcmUgSW5jIEVD
QyBDQS0zMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEua1NZpkUC0bsH4HRKlAe
nQMVLzQSfS2WuIg4m4Vfj7+7Te9hRsTJc9QkT+DuHM5ss1FxL2ruTAUJd9NyYqSb
16OCAWgwggFkMB0GA1UdDgQWBBSlzjfq67B1DpRniLRF+tkkEIeWHzAfBgNVHSME
GDAWgBTlnVkwgkdYzKz6CFQ2hns6tQRN8DAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1UdEwEB/wQIMAYBAf8CAQAwNAYI
KwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
b20wOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL09t
bmlyb290MjAyNS5jcmwwbQYDVR0gBGYwZDA3BglghkgBhv1sAQEwKjAoBggrBgEF
BQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzALBglghkgBhv1sAQIw
CAYGZ4EMAQIBMAgGBmeBDAECAjAIBgZngQwBAgMwDQYJKoZIhvcNAQELBQADggEB
AAUkHd0bsCrrmNaF4zlNXmtXnYJX/OvoMaJXkGUFvhZEOFp3ArnPEELG4ZKk40Un
+ABHLGioVplTVI+tnkDB0A+21w0LOEhsUCxJkAZbZB2LzEgwLt4I4ptJIsCSDBFe
lpKU1fwg3FZs5ZKTv3ocwDfjhUkV+ivhdDkYD7fa86JXWGBPzI6UAPxGezQxPk1H
goE6y/SJXQ7vTQ1unBuCJN0yJV0ReFEQPaA1IwQvZW+cwdFD19Ae8zFnWSfda9J1
CZMRJCQUzym+5iPDuI9yP+kHyCREU3qzuWFloUwOxkgAyXVjBYdwRVKD05WdRerw
6DEdfgkfCv4+3ao8XnTSrLE=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
Validity
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79:
d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a:
64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2:
62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01:
52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7:
73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6:
50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c:
a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70:
70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77:
d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae:
5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18:
98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85:
ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9:
39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5:
c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a:
ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0:
78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27:
1a:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:3
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03:
bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f:
76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a:
12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f:
ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01:
74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8:
05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9:
31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d:
9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b:
1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88:
73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee:
7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e:
9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0:
fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42:
ea:63:39:a9
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----

177
certs/GlobalSign Atlas R3 DV TLS CA 2022 Q3.pem Normal file
View file

@ -0,0 +1,177 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:2a:0c:21:3f:c6:55:53:45:c9:1f:19:1f:b8:4e:fa
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
Validity
Not Before: Apr 20 12:00:00 2022 GMT
Not After : Apr 20 00:00:00 2025 GMT
Subject: C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2022 Q3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b8:a8:7a:66:3c:4e:66:9c:ce:37:a5:54:35:4d:
36:c7:99:d3:a8:27:36:f2:2f:c6:d5:18:3e:e9:09:
dd:05:d6:d7:2c:34:32:7c:08:63:49:d1:10:37:e5:
78:5d:11:62:ce:6d:fb:2f:3f:37:94:db:8f:7b:30:
e9:5e:2c:d9:55:3f:b2:db:b9:a0:b5:60:37:8b:a4:
06:32:35:50:a4:09:af:0a:45:ff:a8:1f:9b:65:8e:
dd:4a:e0:40:a1:e3:63:37:58:90:dd:75:3b:fc:0e:
1c:82:40:98:bd:70:b1:c1:48:14:14:3c:04:4b:69:
dd:d4:9c:01:a6:e9:21:e3:82:0a:fe:e4:aa:bf:34:
a0:8c:cb:c9:79:6e:3e:5c:6a:52:9e:c4:ed:2b:c5:
69:fe:50:3c:93:9d:b5:ff:2d:28:a8:6c:06:6c:9d:
c5:af:b2:59:fb:59:77:0d:74:7a:88:84:a4:d4:1d:
d4:ba:20:06:cc:b5:1e:48:4e:74:21:15:86:75:c0:
cc:5a:d1:05:cf:57:16:7a:13:17:ec:c2:4a:ae:d5:
1e:72:aa:22:5a:8c:9c:82:32:c4:10:e6:42:6e:21:
86:68:7c:80:23:30:35:d3:bd:b0:5e:0a:29:2b:f0:
14:b1:18:37:d9:59:25:c3:e7:38:d9:e9:d4:2d:36:
35:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
FA:91:39:63:9A:FB:AD:10:24:E5:BE:B5:B9:DA:AB:D9:C4:46:69:AB
X509v3 Authority Key Identifier:
8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
Authority Information Access:
OCSP - URI:http://ocsp2.globalsign.com/rootr3
CA Issuers - URI:http://secure.globalsign.com/cacert/root-r3.crt
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.globalsign.com/root-r3.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.4146.10.1.3
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
14:33:2c:79:e5:3f:82:c6:70:3f:da:59:38:a7:bb:a2:76:ac:
61:18:05:68:57:d9:0d:fb:8a:46:bc:f1:a8:e8:0c:70:02:1d:
c6:2f:97:ed:36:3e:9e:52:86:2f:5c:62:d8:d5:47:43:9a:73:
d1:2b:25:87:9f:44:b4:14:eb:26:bc:21:47:74:20:bd:9f:a4:
bf:b3:80:1d:4d:35:7d:cd:b9:b5:da:55:f2:90:50:c8:b2:17:
4e:0e:b4:61:88:29:5f:44:5d:03:7f:57:91:81:d0:eb:30:ae:
d5:2a:ec:82:20:ce:4e:d2:b0:8b:95:02:61:73:d8:69:34:f4:
ad:63:0e:5c:e4:20:1f:a9:7d:ed:8e:e5:1c:04:bb:22:9f:c7:
a9:22:ca:99:3d:02:a7:67:e8:06:2d:fa:04:6b:bb:49:d2:6c:
99:57:63:6c:2d:c2:61:78:e1:20:b1:fb:f6:bf:e1:82:39:39:
3c:7b:ef:7d:1a:95:4a:b2:72:da:55:90:ae:ed:dd:e2:70:90:
7c:1a:ee:b5:32:5a:5d:cf:d6:fa:45:f2:9e:01:0c:31:2f:89:
84:fe:31:60:0f:fd:ee:a6:5b:84:d5:c7:18:e6:a4:f9:40:30:
29:18:1e:fe:fc:41:b5:b9:29:05:75:8b:62:1a:5b:22:2e:bf:
e4:59:6c:b0
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQfCoMIT/GVVNFyR8ZH7hO+jANBgkqhkiG9w0BAQsFADBM
MSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xv
YmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0yMjA0MjAxMjAwMDBaFw0y
NTA0MjAwMDAwMDBaMFgxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWdu
IG52LXNhMS4wLAYDVQQDEyVHbG9iYWxTaWduIEF0bGFzIFIzIERWIFRMUyBDQSAy
MDIyIFEzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuKh6ZjxOZpzO
N6VUNU02x5nTqCc28i/G1Rg+6QndBdbXLDQyfAhjSdEQN+V4XRFizm37Lz83lNuP
ezDpXizZVT+y27mgtWA3i6QGMjVQpAmvCkX/qB+bZY7dSuBAoeNjN1iQ3XU7/A4c
gkCYvXCxwUgUFDwES2nd1JwBpukh44IK/uSqvzSgjMvJeW4+XGpSnsTtK8Vp/lA8
k521/y0oqGwGbJ3Fr7JZ+1l3DXR6iISk1B3UuiAGzLUeSE50IRWGdcDMWtEFz1cW
ehMX7MJKrtUecqoiWoycgjLEEOZCbiGGaHyAIzA1072wXgopK/AUsRg32Vklw+c4
2enULTY1ZQIDAQABo4IBXzCCAVswDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQW
BBT6kTljmvutECTlvrW52qvZxEZpqzAfBgNVHSMEGDAWgBSP8Et/qC5FJK5NUPpj
move4t0bvDB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3Nw
Mi5nbG9iYWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1
cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0w
K6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vcm9vdC1yMy5jcmwwIQYD
VR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAGgMgoBAzANBgkqhkiG9w0BAQsFAAOC
AQEAFDMseeU/gsZwP9pZOKe7onasYRgFaFfZDfuKRrzxqOgMcAIdxi+X7TY+nlKG
L1xi2NVHQ5pz0Sslh59EtBTrJrwhR3QgvZ+kv7OAHU01fc25tdpV8pBQyLIXTg60
YYgpX0RdA39XkYHQ6zCu1SrsgiDOTtKwi5UCYXPYaTT0rWMOXOQgH6l97Y7lHAS7
Ip/HqSLKmT0Cp2foBi36BGu7SdJsmVdjbC3CYXjhILH79r/hgjk5PHvvfRqVSrJy
2lWQru3d4nCQfBrutTJaXc/W+kXyngEMMS+JhP4xYA/97qZbhNXHGOak+UAwKRge
/vxBtbkpBXWLYhpbIi6/5FlssA==
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:00:00:00:00:01:21:58:53:08:a2
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
Validity
Not Before: Mar 18 10:00:00 2009 GMT
Not After : Mar 18 10:00:00 2029 GMT
Subject: OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:25:76:90:79:06:78:22:16:f5:c0:83:b6:84:
ca:28:9e:fd:05:76:11:c5:ad:88:72:fc:46:02:43:
c7:b2:8a:9d:04:5f:24:cb:2e:4b:e1:60:82:46:e1:
52:ab:0c:81:47:70:6c:dd:64:d1:eb:f5:2c:a3:0f:
82:3d:0c:2b:ae:97:d7:b6:14:86:10:79:bb:3b:13:
80:77:8c:08:e1:49:d2:6a:62:2f:1f:5e:fa:96:68:
df:89:27:95:38:9f:06:d7:3e:c9:cb:26:59:0d:73:
de:b0:c8:e9:26:0e:83:15:c6:ef:5b:8b:d2:04:60:
ca:49:a6:28:f6:69:3b:f6:cb:c8:28:91:e5:9d:8a:
61:57:37:ac:74:14:dc:74:e0:3a:ee:72:2f:2e:9c:
fb:d0:bb:bf:f5:3d:00:e1:06:33:e8:82:2b:ae:53:
a6:3a:16:73:8c:dd:41:0e:20:3a:c0:b4:a7:a1:e9:
b2:4f:90:2e:32:60:e9:57:cb:b9:04:92:68:68:e5:
38:26:60:75:b2:9f:77:ff:91:14:ef:ae:20:49:fc:
ad:40:15:48:d1:02:31:61:19:5e:b8:97:ef:ad:77:
b7:64:9a:7a:bf:5f:c1:13:ef:9b:62:fb:0d:6c:e0:
54:69:16:a9:03:da:6e:e9:83:93:71:76:c6:69:85:
82:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
8F:F0:4B:7F:A8:2E:45:24:AE:4D:50:FA:63:9A:8B:DE:E2:DD:1B:BC
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
4b:40:db:c0:50:aa:fe:c8:0c:ef:f7:96:54:45:49:bb:96:00:
09:41:ac:b3:13:86:86:28:07:33:ca:6b:e6:74:b9:ba:00:2d:
ae:a4:0a:d3:f5:f1:f1:0f:8a:bf:73:67:4a:83:c7:44:7b:78:
e0:af:6e:6c:6f:03:29:8e:33:39:45:c3:8e:e4:b9:57:6c:aa:
fc:12:96:ec:53:c6:2d:e4:24:6c:b9:94:63:fb:dc:53:68:67:
56:3e:83:b8:cf:35:21:c3:c9:68:fe:ce:da:c2:53:aa:cc:90:
8a:e9:f0:5d:46:8c:95:dd:7a:58:28:1a:2f:1d:de:cd:00:37:
41:8f:ed:44:6d:d7:53:28:97:7e:f3:67:04:1e:15:d7:8a:96:
b4:d3:de:4c:27:a4:4c:1b:73:73:76:f4:17:99:c2:1f:7a:0e:
e3:2d:08:ad:0a:1c:2c:ff:3c:ab:55:0e:0f:91:7e:36:eb:c3:
57:49:be:e1:2e:2d:7c:60:8b:c3:41:51:13:23:9d:ce:f7:32:
6b:94:01:a8:99:e7:2c:33:1f:3a:3b:25:d2:86:40:ce:3b:2c:
86:78:c9:61:2f:14:ba:ee:db:55:6f:df:84:ee:05:09:4d:bd:
28:d8:72:ce:d3:62:50:65:1e:eb:92:97:83:31:d9:b3:b5:ca:
47:58:3f:5f
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
WD9f
-----END CERTIFICATE-----

90
doc/fw-addr-lists.md Normal file
View file

@ -0,0 +1,90 @@
Download, import and update firewall address-lists
==================================================
[⬅️ Go back to main README](../README.md)
> **Info**: This script can not be used on its own but requires the base
> installation. See [main README](../README.md) for details.
Description
-----------
This script downloads, imports and updates firewall address-lists. Its main
purpose is to block attacking ip addresses, spam hosts, command-and-control
servers and similar malicious entities. The default configuration contains
lists from [abuse.ch](https://abuse.ch/) and
[dshield.org](https://dshield.org/), and
lists from [spamhaus.org](https://spamhaus.org/) are prepared.
The address-lists are updated in place, so after initial import you will not
see situation when the lists are not populated.
To mitigate man-in-the-middle attacks with altered lists the server's
certificate is checked.
Requirements and installation
-----------------------------
Just install the script:
$ScriptInstallUpdate fw-addr-lists;
And add two schedulers, first one for initial import after startup, second
one for subsequent updates:
/system/scheduler/add name="fw-addr-lists@startup" start-time=startup on-event="/system/script/run fw-addr-lists;";
/system/scheduler/add name="fw-addr-lists" start-time=startup interval=2h on-event="/system/script/run fw-addr-lists;";
> **Info**: Modify the interval to your needs, but it is recommended to
> use less than half of the configured timeout for expiration.
Configuration
-------------
The configuration goes to `global-config-overlay`, these are the parameters:
* `FwAddrLists`: a list of firewall address-lists to download and import
* `FwAddrListTimeOut`: the timeout for expiration without renew
> **Info**: Copy relevant configuration from
> [`global-config`](../global-config.rsc) (the one without `-overlay`) to
> your local `global-config-overlay` and modify it to your specific needs.
Naming a certificate for a list makes the script verify the server
certificate, so you should add that if possible. Some certificates are
available in my repository and downloaded automatically. Import it manually
(menu `/certificate/`) if missing.
Create firewall rules to process the packets that are related to addresses
from address-lists. This rejects the packets from and to ip addresses listed
in address-list `block`.
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
You may want to have an address-list to allow specific addresses, as prepared
with a list `allow`. In fact you can use any list name, just change the
default ones or add your own - matching in configuration and firewall rules.
/ip/firewall/filter/add chain=input src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward src-address-list=allow action=accept;
/ip/firewall/filter/add chain=forward dst-address-list=allow action=accept;
/ip/firewall/filter/add chain=output dst-address-list=allow action=accept;
Modify these for your needs, but **most important**: Move the rules up in
chains and make sure they actually take effect as expected!
Alternatively handle the packets in firewall's raw section if you prefer:
/ip/firewall/raw/add chain=prerouting src-address-list=block action=drop;
/ip/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
/ip/firewall/raw/add chain=output dst-address-list=block action=drop;
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
---
[⬅️ Go back to main README](../README.md)
[⬆️ Go back to top](#top)

99
fw-addr-lists.rsc Normal file
View file

@ -0,0 +1,99 @@
#!rsc by RouterOS
# RouterOS script: fw-addr-lists
# Copyright (c) 2023 Christian Hesse <mail@eworm.de>
# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
#
# download, import and update firewall address-lists
# https://git.eworm.de/cgit/routeros-scripts/about/doc/fw-addr-lists.md
:local 0 "fw-addr-lists";
:global GlobalFunctionsReady;
:while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
:global FwAddrLists;
:global FwAddrListTimeOut;
:global CertificateAvailable;
:global LogPrintExit2;
:global ScriptLock;
:global WaitFullyConnected;
:local FindDelim do={
:local ValidChars "0123456789./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-";
:for I from=0 to=[ :len $1 ] do={
:if ([ :typeof [ :find $ValidChars [ :pick ($1 . " ") $I ] ] ] != "num") do={
:return $I;
}
}
}
$ScriptLock $0;
$WaitFullyConnected;
:local ListComment ("managed by " . $0);
:foreach FwListName,FwList in=$FwAddrLists do={
:local Addresses ({});
:local CntAdd 0;
:local CntRenew 0;
:local CntRemove 0;
:local Failure false;
:foreach List in=$FwList do={
:local Data;
:local CheckCertificate "no";
:if ([ :len ($List->"cert") ] > 0) do={
:set CheckCertificate "yes-without-crl";
:if ([ $CertificateAvailable ($List->"cert") ] = false) do={
$LogPrintExit2 warning $0 ("Downloading required certificate failed, trying anyway.") false;
}
}
:do {
:set Data ([ /tool/fetch ($List->"url") check-certificate=$CheckCertificate output=user as-value ]->"data");
} on-error={
:set Failure true;
$LogPrintExit2 warning $0 ("Failed downloading list from: " . $List->"url") false;
}
:while ([ :len $Data ] != 0) do={
:local Line [ :pick $Data 0 [ :find $Data "\n" ] ];
:local Address ([ :pick $Line 0 [ $FindDelim $Line ] ] . ($List->"cidr"));
:if ($Address ~ "^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}(/[0-9]{1,2})?\$" || \
$Address ~ "^[\\.a-zA-Z0-9-]+\\.[a-zA-Z]{2,}\$") do={
:set ($Addresses->$Address) 1;
}
:set Data [ :pick $Data ([ :len $Line ] + 1) [ :len $Data ] ];
}
}
:foreach Entry in=[ /ip/firewall/address-list/find where list=$FwListName comment=$ListComment ] do={
:local Address [ /ip/firewall/address-list/get $Entry address ];
:if (($Addresses->$Address) = 1) do={
$LogPrintExit2 debug $0 ("Renewing: " . $Address) false;
/ip/firewall/address-list/set $Entry timeout=$FwAddrListTimeOut;
:set ($Addresses->$Address);
:set CntRenew ($CntRenew + 1);
} else={
:if ($Failure = false) do={
$LogPrintExit2 debug $0 ("Removing: " . $Address) false;
/ip/firewall/address-list/remove $Entry;
:set CntRemove ($CntRemove + 1);
}
}
}
:foreach Address,Ignore in=$Addresses do={
$LogPrintExit2 debug $0 ("Adding: " . $Address) false;
:do {
/ip/firewall/address-list/add list=$FwListName comment=$ListComment address=$Address timeout=$FwAddrListTimeOut;
:set ($Addresses->$Address);
:set CntAdd ($CntAdd + 1);
} on-error={
$LogPrintExit2 warning $0 ("Failed to add address " . $Address . " to list '" . $FwListName . "'.") false;
}
}
$LogPrintExit2 info $0 ("List: " . $FwListName . " -- Added: " . $CntAdd . " - renewed: " . $CntRenew . " - removed: " . $CntRemove) false;
}

23
global-config.rsc
View file

@ -80,6 +80,29 @@
:global BackupUploadUser "mikrotik";
:global BackupUploadPass "v3ry-s3cr3t";
# This defines the settings for firewall address-lists (fw-addr-lists).
:global FwAddrLists {
# "allow"={
# { url="https://eworm.de/ros/fw-addr-lists/allow";
# cert="R3" };
# };
"block"={
# { url="https://eworm.de/ros/fw-addr-lists/block";
# cert="R3" };
{ url="https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt";
cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
{ url="https://sslbl.abuse.ch/blacklist/sslipblacklist.txt";
cert="GlobalSign Atlas R3 DV TLS CA 2022 Q3" };
{ url="https://www.dshield.org/block.txt"; cidr="/24";
cert="R3" };
# { url="https://www.spamhaus.org/drop/drop.txt";
# cert="Cloudflare Inc ECC CA-3" };
# { url="https://www.spamhaus.org/drop/edrop.txt";
# cert="Cloudflare Inc ECC CA-3" };
};
};
:global FwAddrListTimeOut 1d;
# This defines what log messages to filter or include by topic or message
# text. Regular expressions are supported. Do *NOT* set an empty string,
# that will filter or include everything!

2
global-functions.rsc
View file

@ -12,7 +12,7 @@
:local 0 "global-functions";
# expected configuration version
:global ExpectedConfigVersion 100;
:global ExpectedConfigVersion 101;
# global variables not to be changed by user
:global GlobalFunctionsReady false;

1
news-and-changes.rsc
View file

@ -14,6 +14,7 @@
98="Extended 'check-certificates' to download new certificate by SubjectAltNames if download by CommonName fails.";
99="Modified 'dhcp-to-dns', which dropped global configuration. Settings moved to dhcp server's network definitions.";
100="The script 'ssh-keys-import' became a module 'mod/ssh-keys-import' with enhanced functionality.";
101="Introduced new script 'fw-addr-lists' to download, import and update firewall address-lists.";
};
# Migration steps to be applied on script updates