New Member
Posts: 26
Registered: 05-17-2013
Kudos: 5
Solutions: 1

In need of some Firewall 101 tutoring...

Me again. Cracked open the box and I've spent the last day or so playing around with the ERLite.  I love it, because it's making me re-learn all of the things I used to know and then promptly forgot years ago, with respect to networking, routing, etc.  I haven't set up my new PPPoE connection yet, but I've got it working with the DHCP cable connection that I'm retiring next week.  For hours it didn't work, but I finally chalked it up to weirdness with my cable co's DHCP lease not coming in properly.  From the CLI, checking the lease, I was only getting an IP and an invalid subnet.  Weird... after a couple hours of releasing/renewing/reconfiguring/swearing everything started working, and querying the lease via DHCP showed it bound nicely and gave all the necessary stuff.

 

ANYWAY, on to my actual question...

 

I'm a little confused with the basic firewall setup though.  I started from the SOHO configuration guide, which configures the two basic firewall rules for local and inbound traffic.  My understanding is that everything should be dropped inbound over my WAN link, except for established connections.  When I do a port scan of my external IP from - for example - whatsmyip.org, it shows ports 22,53,80, etc. are open.  They're accepting connections too, because when I tried connecting to the ERLite from an offsite server (via ssh), it connects.  I'm missing something really basic here, aren't I?  I'd appreciate any insight into exactly what this two-rule config below does and does not block.  I'll post my config in reply.


All Replies
New Member
Posts: 26
Registered: 05-17-2013
Kudos: 5
Solutions: 1

Re: In need of some Firewall 101 tutoring...

firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-expect-table-size 4096
    conntrack-hash-size 4096
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "packets from Internet to LAN & WLAN"
        enable-default-log
        rule 1 {
            action accept
            description "allow established sessions"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description LAN
    }
    ethernet eth2 {
        description WAN2
        vif 35 {
            description "BELL VLAN 35"
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1500
        }
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.200
                }
                static-mapping RT-N66U {
                    ip-address 192.168.1.2
                    mac-address 30:85:a9:3a:40:e0
                }
                static-mapping Synology {
                    ip-address 192.168.1.4
                    mac-address 00:11:32:0D:09:2D
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user admin {
            authentication {
                encrypted-password $6$fgED8CKUb$kyNlEUBCrsEVtqeK3cFuRURF9mfKOH40SRZWnRi.6tKAPpzxW1PN//au9mnXP0jYxPSpEtFxkYMeLgRWrZRKq.
                plaintext-password ""
            }
            full-name Administrator
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Toronto
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:dhcp-relay@1:dhcp-server@4:firewall@4:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.0.2.4507738.121107.1250 */

 

New Member
Posts: 26
Registered: 05-17-2013
Kudos: 5
Solutions: 1

Re: In need of some Firewall 101 tutoring...


Ugh... disregard. Reading closely through my config I noticed that it was basically just accepting everything using my rules, as if "established" and "related" conditions hadn't been ticked in the GUI.  I went back in and checked, and sure enough they weren't ticked under my "local" rules.  I'm sure they were before.  So I fixed that, checked again, and it was still letting packets through. UGH! I went back and looked and all of a sudden my interfaces were no longer assigned the rule.  As soon as I created the rules from scratch and assigned them to my interface, things started working.

 

There must be something strange going on with the GUI... I was using CLI to configure my PPPoE interface but didn't touch any firewall commands. I'll just have to be very careful from now on and make sure I don't somehow undo or unassign things.

 

Before:

name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
        }
    }

 

After:

name WAN_LOCAL {
        default-action drop
        description "packets from Internet to the router"
        enable-default-log
        rule 1 {
            action accept
            description "allow established session to the router"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 2 {
            action drop
            description "drop invalid state"
            log enable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }

 
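Added example, not from the thread and not Ubiquiti's own tooling, covering both the original question (what the two-rule WAN_LOCAL config does and does not block) and the fix in the reply above: a small Python linter that parses an EdgeOS-style config dump and flags an accept rule with no state clause (it matches every packet, new inbound connections included, which is why the port scan showed 22/53/80 open) and a named ruleset that is defined but never attached to an interface. The parser is a hypothetical minimal one, the sample configs are constructed from the poster's "before" and "after" snippets, and the linter goes slightly beyond the thread by also flagging accepts that enable the `new` state without a source/destination limit and by walking VLAN sub-interfaces (vif) for firewall assignments.

```python
# Added example, not the poster's code and not an EdgeOS tool: lint an EdgeOS-style config
# dump for the two mistakes in this thread, an accept rule with no state clause (it matches
# every packet, so new inbound connections reach the router and ports look open from the
# WAN) and a named ruleset that is defined but never attached to an interface.
def parse_config(text):
    """'key value {' opens a node, '}' closes it, 'key value' is a leaf, bare flag -> True."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):  # blanks and the version-stamp comments
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip() if value else True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def audit_ruleset(ruleset):
    """Accept rules in one 'name X' node that admit new connections from any source."""
    findings = []
    for key, rule in ruleset.items():
        if not (key.startswith("rule ") and isinstance(rule, dict)) or rule.get("action") != "accept":
            continue
        state = rule.get("state") if isinstance(rule.get("state"), dict) else {}
        states = {s for s, flag in state.items() if flag == "enable"}
        narrowed = "source" in rule or "destination" in rule  # address/port-limited accepts are fine
        if not states and not narrowed:
            findings.append(f"{key}: accept with no state clause matches every packet")
        elif "new" in states and not narrowed:
            findings.append(f"{key}: accept matches new connections from any source")
    return findings

def audit_firewall(config):
    """Audit every named ruleset; also report rulesets never attached to an interface."""
    fw = config.get("firewall", {})
    report = {k.split(" ", 1)[1]: audit_ruleset(v)
              for k, v in fw.items() if k.startswith("name ") and isinstance(v, dict)}
    assigned = set()
    def walk(node):  # find 'firewall { in|local|out { name X } }' anywhere under interfaces
        for key, child in node.items():
            if key == "firewall" and isinstance(child, dict):
                assigned.update(d["name"] for d in child.values() if isinstance(d, dict) and "name" in d)
            elif isinstance(child, dict):
                walk(child)
    walk(config.get("interfaces", {}))
    for name in sorted(set(report) - assigned):
        report[name].append(f"{name}: ruleset defined but not assigned to any interface")
    return report

# Constructed "before" sample: stateless accept rule, ruleset not attached to eth0.
BEFORE_CFG = """
firewall {
    name WAN_LOCAL {
        rule 1 {
            action accept
            protocol all
        }
    }
}
interfaces {
    ethernet eth0 {
    }
}
"""
# Constructed "after" sample: established/related only, attached as eth0's 'local' ruleset.
AFTER_CFG = """
firewall {
    name WAN_LOCAL {
        rule 1 {
            action accept
            protocol all
            state {
                established enable
                related enable
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        firewall {
            local {
                name WAN_LOCAL
            }
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(label, audit_firewall(parse_config(cfg)))
```

Run it as a script and the "before" sample reports two findings for WAN_LOCAL (the stateless accept and the missing interface assignment) while the "after" sample reports none; feed it the output of `show configuration` saved to a file and it will do the same check on a real dump, including vif sub-interfaces like the `eth2 vif 35` in the posted config.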

Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5474
Solutions: 1656
Contributions: 2

Re: In need of some Firewall 101 tutoring...

Yeah that does sound strange. If you do find a bug in the GUI, please let us know and we will look into it. Thanks.

New Member
Posts: 26
Registered: 05-17-2013
Kudos: 5
Solutions: 1

Re: In need of some Firewall 101 tutoring...

Upgrading to v1.1.0 for starters.  Maybe it was a corner case in v1.0.2?