Skip to content
cs-routeros-bouncer cs-routeros-bouncer

Firewall Rules

How the bouncer creates and manages firewall rules.

Rule types

Section titled “Rule types”

The bouncer can create rules in three locations:

TypeRouterOS pathPurpose
Filter input/ip/firewall/filterBlock incoming traffic (after connection tracking)
Raw prerouting/ip/firewall/rawBlock incoming traffic (before connection tracking — lower CPU)
Filter output/ip/firewall/filter (output chain)Block outgoing traffic to banned IPs

Each type has an IPv6 equivalent (e.g., /ipv6/firewall/filter).

Rule creation flow

Section titled “Rule creation flow”

On startup, the bouncer follows this sequence:

  1. Check for existing rules

    Scans for bouncer-managed rules by matching the comment pattern.

  2. Clean state

    Removes any existing rules to ensure a fresh start.

  3. Create new rules

    Creates rules according to the current configuration.

  4. Place at configured position

    Inserts rules at top (position 0) or bottom of each chain.

Rule structure

Section titled “Rule structure”

Each rule has:

  • Chain: input, forward, prerouting, or output
  • Action: drop or reject (with optional reject-with)
  • Source/destination address list: References the banned IP list
  • Interface: Optional input/output interface restriction
  • Connection state: Optional connection-state matcher (filter only)
  • Log settings: Optional logging with configurable prefix
  • Comment: Structured identifier for management

Example rule as seen in RouterOS:

/ip/firewall/filter print where comment~"crowdsec-bouncer"
# chain=input action=drop src-address-list=crowdsec-banned
#   in-interface=ether1 log=no
#   comment="crowdsec-bouncer:filter-input-input-v4 @cs-routeros-bouncer"

Rule placement

Section titled “Rule placement”

With rule_placement: "top", the bouncer places rules at position 0 for maximum priority. If a dynamic/built-in rule occupies position 0, the bouncer iterates through positions until finding a valid placement.

# Rules appear at the top of the firewall:
/ip/firewall/filter print
# 0  chain=input action=drop src-address-list=crowdsec-banned ...
# 1  chain=forward action=drop src-address-list=crowdsec-banned ...
# 2  ... (your other rules)

Rule identification

Section titled “Rule identification”

Rules are identified by a structured comment:

{prefix}:{type}-{chain}-{direction}-{protocol} @cs-routeros-bouncer
PartValues
prefixConfigurable via comment_prefix (default: crowdsec-bouncer)
typefilter or raw
chaininput, forward, prerouting, output
directioninput, output, or whitelist
protocolv4 or v6

Cleanup on shutdown

Section titled “Cleanup on shutdown”

When the bouncer receives a SIGTERM signal:

  1. Remove rules

    All firewall rules with matching comments are removed.

  2. Preserve address lists

    Address list entries are not removed — they expire naturally via their timeout.

This design means:

  • Protection continues briefly after bouncer stops (until entries expire)
  • No mass-delete operations are needed on shutdown
  • Quick restart doesn’t leave the router unprotected during the gap
Firewall Configuration Configure rule types, placement, logging, and advanced customizations.

Built with Starlight · Powered by CrowdSec

GitHub Issues MIT License