New Member
Posts: 11
Registered: ‎07-31-2013
Kudos: 1

Firewall UDP Packet Source Port 53 Ruleset Bypass

We have an EdgeRouter v1.10.1 (will update in the next days) and scanning the three ADSL IPs connected to the router with Nessus reports back random results (sometimes this affects 2 of the IPs, sometimes 1, sometimes none and so on), suggesting that the UDP port 53 may be open (or something like that). A simple nmap scan would report the port as closed but receives back the packet, while we will want to stop this behaviour.

According to Nessus we should be able to fix this by either updating the router or reviewing the firewall rules (https://www.tenable.com/plugins/nessus/11580). We've even added a drop rule to the WAN_IN (see below). Would updating the router fix this?

firewall {
    all-ping enable
    broadcast-ping enable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe2
                }
            }
            modify {
                table main
            }
        }
        rule 50 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe3
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow Unifi video"
            disable
            log disable
            protocol tcp_udp
            source {
                port 7443
            }
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "53 block"
            destination {
                port 53
            }
            log disable
            protocol tcp_udp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "wan1 modem01 192.168.10.1"
        duplex auto
        pppoe 0 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                }
                out {
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id user@plusdsl.net
        }
        speed auto
    }
    ethernet eth1 {
        description "wan2 modem02 192.168.11.1"
        duplex auto
        pppoe 1 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id user1@plusdsl.net
        }
        speed auto
    }
    ethernet eth2 {
        description "wan3 modem03 192.168.12.1"
        duplex auto
        pppoe 2 {
            default-route auto
            firewall {
                in {
                    name WAN_IN
                }
                local {
                }
            }
            mtu 1492
            name-server auto
            password ****************
            user-id user2@plusdsl.net
        }
        speed auto
    }
    ethernet eth3 {
        description "wan4 unused"
        disable
        duplex auto
        pppoe 3 {
            default-route auto
            mtu 1492
            name-server auto
            password ****************
            user-id user@plusdsl.net
        }
        speed auto
    }
    ethernet eth4 {
        address 172.16.16.1/24
        description "lan1 local"
        duplex auto
        firewall {
            in {
                modify balance
            }
            local {
            }
        }
        speed auto
    }
    ethernet eth5 {
        address 172.16.17.1/24
        description "lan2 unused"
        duplex auto
        speed auto
    }
    ethernet eth6 {
        description "lan3 unused"
        disable
        duplex auto
        speed auto
    }
    ethernet eth7 {
        description "lan4 unused"
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface pppoe0 {
        }
        interface pppoe1 {
        }
        interface pppoe2 {
        }
        interface pppoe3 {
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            source-addr enable
        }
    }
}
port-forward {
    auto-firewall disable
    hairpin-nat disable
    lan-interface eth1
    wan-interface pppoe1
}
service {
    dns {
    }
    gui {
        http-port 80
        https-port 443
        listen-address 172.16.16.1
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface pppoe1
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 3"
            outbound-interface pppoe2
            type masquerade
        }
        rule 5006 {
            description "masquerade for WAN 4"
            outbound-interface pppoe3
            type masquerade
        }
    }
    ssh {
        listen-address 172.16.16.1
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    domain-name britain.user.com
    host-name EdgeMAX-router
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            full-name SySAdmin
            level admin
        }
    }
    name-server 8.8.4.4
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    static-host-mapping {
        host-name gateway {
            inet 172.16.16.1
        }
        host-name gateway.user.britain {
            inet 172.16.16.1
        }
        host-name unifi {
            inet 52.210.1.2
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/London
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue wan1qos {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 74mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 14mbit
        }
        wan-interface eth0
    }
    smart-queue wan2qos {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 74mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 14mbit
        }
        wan-interface eth1
    }
    smart-queue wan3qos {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 74mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 14mbit
        }
        wan-interface eth2
    }
    smart-queue wan4qos {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 74mbit
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            limit 10240
            rate 14mbit
        }
        wan-interface eth3
    }
}

[Attachment: Nessus_Capture.PNG]
Senior Member
Posts: 2,934
Registered: ‎08-06-2015
Kudos: 1244
Solutions: 173

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass

Your firewall rules drop inbound traffic with a destination port of 53, while the vulnerability involves a firewall bypass by setting the source port to 53.

You won't be able to block this using firewall rules if you use external DNS services using the standard port 53/udp (DNS).  The responses to DNS queries would come back with a source port of 53 so a firewall rule to block this would also break standard DNS services.  Using DNS over TCP (any of the various options here) would not be vulnerable.

If you think about it, you may be able to figure out how such an exploit works (i.e. bypasses the firewall).

New Member
Posts: 11
Registered: ‎07-31-2013
Kudos: 1

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass

You're obviously right. I noticed the "source" later. Will dig into what options we have. Thanks.
Senior Member
Posts: 2,934
Registered: ‎08-06-2015
Kudos: 1244
Solutions: 173

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass

I don't know if netfilter is even susceptible/vulnerable, and that is the underlying implementation on EdgeOS.

How was the scan performed?  From an external address to the WAN interfaces?

Are there any other devices (firewalls, routers, etc) between the Nessus scan host and the WAN interfaces of your edgerouter(s)?

I've done Nessus scans in a lab against a "wan" interface of an ER from the "wan side" in the past and have not had this issue identified.

New Member
Posts: 11
Registered: ‎07-31-2013
Kudos: 1

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass

Nessus is on an AWS EC2 box and we scan our ADSL IPs. We only have the ADSL modems before the EdgeRouter, so these should not interfere, I think.

Veteran Member
Posts: 7,016
Registered: ‎03-24-2016
Kudos: 1817
Solutions: 801

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass

Your 4 WAN interfaces lack the WAN_LOCAL firewall ruleset applied.

Apply it on the 4 WAN interfaces, and re-test.

Senior Member
Posts: 2,934
Registered: ‎08-06-2015
Kudos: 1244
Solutions: 173

Re: Firewall UDP Packet Source Port 53 Ruleset Bypass


@16again wrote:

Your 4 WAN interfaces lack the WAN_LOCAL firewall ruleset applied.

Apply it on the 4 WAN interfaces, and re-test.

Good catch... WAN_LOCAL is defined but not actually applied to any interfaces in the posted config! (I completely missed that)
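As an added example (not code from this thread or from Ubiquiti), a small Python audit that parses the brace-delimited EdgeOS config format posted above and reports the two things the replies point out: pppoe WAN interfaces with no `in`/`local` ruleset attached, and WAN_IN rules that match port 53 on the destination rather than the source side. The SAMPLE config is a constructed, trimmed version of the posted one; the function names are this example's own.

```python
def parse(text):
    """Parse brace-delimited EdgeOS config text into nested dicts; leaves map to None."""
    root = node = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            node = stack.pop()                 # end of the current block
        elif line.endswith("{"):
            child = {}
            node[line[:-1].strip()] = child    # e.g. "ethernet eth0"
            stack.append(node)
            node = child
        else:
            node[line] = None                  # leaf, e.g. "default-action drop"
    return root

def wan_firewall_gaps(cfg, directions=("in", "local")):
    """Map each pppoe WAN interface to the directions with no 'name <ruleset>' attached."""
    gaps = {}
    for eth in cfg.get("interfaces", {}).values():
        for sub_key, sub in (eth or {}).items():
            if not sub_key.startswith("pppoe "):
                continue
            fw = (sub or {}).get("firewall") or {}
            missing = [d for d in directions
                       if not any(k.startswith("name ") for k in (fw.get(d) or {}))]
            if missing:
                gaps["pppoe" + sub_key.split()[1]] = missing
    return gaps

def port53_rules(cfg, ruleset="WAN_IN"):
    """List (rule number, side) for rules in `ruleset` that match port 53 on a side."""
    rules = cfg.get("firewall", {}).get("name " + ruleset) or {}
    return [(rk.split()[1], side) for rk, rule in rules.items()
            if rk.startswith("rule ") and rule
            for side in ("source", "destination") if "port 53" in (rule.get(side) or {})]

# Constructed, trimmed version of the config posted above: WAN_IN blocks *destination*
# port 53 and pppoe0 has an empty 'local' block, so WAN_LOCAL is never applied.
SAMPLE = "\n".join([
    "firewall {", "name WAN_IN {", "rule 20 {", "action drop", "destination {", "port 53",
    "}", "}", "}", "name WAN_LOCAL {", "default-action drop", "}", "}",
    "interfaces {", "ethernet eth0 {", "pppoe 0 {", "firewall {", "in {", "name WAN_IN",
    "}", "local {", "}", "}", "}", "}", "}"])

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("WAN interfaces missing rulesets:", wan_firewall_gaps(cfg))   # {'pppoe0': ['local']}
    print("Port-53 matches in WAN_IN:", port53_rules(cfg))             # [('20', 'destination')]
```

Run it against the output of `show configuration` to list every pppoe interface whose `local` direction has no ruleset, which is exactly the gap spotted in the posted config.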
