
Solved!! Exposed ports on ZBF


So I set up my ERX with ZBF and wrote my WAN_TO_LOCAL rule set to allow only established/related traffic plus port 443 for the VPN, but it seems to be allowing all traffic.

 

I can SSH in and reach the GUI over HTTPS on port 8443 from the internet. A port scan from the internet shows ports 22, 53, 80, 135, 139, 443, 445 and 8443 all exposed (8443 is the port configured for GUI access over HTTPS).

 


Any idea what's going on with my config?

Firewall:

ERX# show
 firewall {
     all-ping enable
     broadcast-ping disable
     ipv6-receive-redirects disable
     ipv6-src-route disable
     ip-src-route disable
     log-martians enable
     name ALLOW_ALL {
         default-action accept
         description "Accept All Traffic default,"
         rule 10 {
             action accept
             description "Allow Established/Relate/New"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Drop Invalid"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name EST/REL {
         default-action drop
         description "Allow Est/Rel, drop invalid. Used for default to Wan"
         enable-default-log
         rule 1 {
             action accept
             description "Est/Related allowed"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 2 {
             action drop
             description "Drop Invalid"
             log enable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name GUEST_TO_LOCAL {
         default-action drop
         description "Allow DHCP only"
         rule 1 {
             action accept
             description "Allow DHCP"
             destination {
                 port 67
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
     }
     name GUEST_TO_MGMT {
         default-action drop
         description ""
         rule 1 {
             action accept
             description "Allow DNS"
             destination {
                 address 172.16.10.3
                 port 53
             }
             log disable
             protocol tcp_udp
         }
     }
     name MGMT_TO_LOCAL {
         default-action drop
         enable-default-log
         rule 10 {
             action accept
             description Est/Rel
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action accept
             description "All from Priscilla"
             log disable
             protocol all
             source {
                 address 172.16.20.11
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 30 {
             action accept
             description ICMP
             log disable
             protocol icmp
         }
         rule 40 {
             action accept
             description DHCP
             destination {
                 port 67
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 50 {
             action accept
             description GUI
             destination {
                 port 8443
             }
             log disable
             protocol tcp
         }
         rule 60 {
             action accept
             description SSH
             destination {
                 port 22
             }
             log disable
             protocol tcp_udp
         }
         rule 70 {
             action drop
             description Invalid
             log enable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name PRIVATE_TO_LOCAL {
         default-action drop
         enable-default-log
         rule 10 {
             action accept
             description Est/Rel
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action accept
             description "All from Priscilla"
             log disable
             protocol all
             source {
                 address 172.16.20.11
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 30 {
             action accept
             description ICMP
             log disable
             protocol icmp
         }
         rule 40 {
             action accept
             description DHCP
             destination {
                 port 67
             }
             log disable
             protocol udp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 50 {
             action accept
             description GUI
             destination {
                 port 8443
             }
             log disable
             protocol tcp
         }
         rule 60 {
             action drop
             description Invalid
             log enable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name PRIVATE_TO_MGMT {
         default-action drop
         description ""
         rule 10 {
             action accept
             description "Allow Pricsilla"
             log disable
             protocol all
             source {
                 address 172.16.20.11
             }
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 20 {
             action accept
             description EST/REL
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 30 {
             action accept
             description "Allow DNS"
             destination {
                 address 172.16.10.3
                 port 53
             }
             log disable
             protocol tcp_udp
         }
         }
         rule 40 {
             action drop
             description "Drop Invalid"
             log enable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     name WAN_TO_LOCAL {
         default-action accept
         description "Accept All Traffic default,"
         rule 10 {
             action accept
             description "Allow Established/Relate/New"
             log disable
             protocol all
             state {
                 established enable
                 invalid disable
                 new disable
                 related enable
             }
         }
         rule 20 {
             action accept
             description OVPN
             destination {
                 port 443
             }
             log disable
             protocol tcp
             source {
             }
         }
         rule 30 {
             action drop
             description "Drop Invalid"
             log disable
             protocol all
             state {
                 established disable
                 invalid enable
                 new disable
                 related disable
             }
         }
     }
     receive-redirects disable
     send-redirects enable
     source-validation disable
     syn-cookies enable
 }

Interfaces

interfaces {
     ethernet eth0 {
         address dhcp
         description Internet
         duplex auto
         speed auto
     }
     ethernet eth1 {
         description DMZ
         duplex auto
         speed auto
     }
     ethernet eth2 {
         description PXE-Trunk
         duplex auto
         speed auto
     }
     ethernet eth3 {
         description Local
         duplex auto
         speed auto
     }
     ethernet eth4 {
         description UAP-LR
         duplex auto
         poe {
             output pthru
         }
         speed auto
     }
     loopback lo {
     }
     openvpn vtun0 {
         local-port 443
         mode server
         protocol tcp-passive
         server {
             name-server 172.16.10.3
             push-route 172.16.10.0/24
             subnet 172.16.40.0/24
             topology subnet
         }
         tls {
             ca-cert-file /config/auth/cacert.pem
             cert-file /config/auth/server.pem
             dh-file /config/auth/dh.pem
             key-file /config/auth/server.key
         }
     }
     switch switch0 {
         description Local
         mtu 1500
         switch-port {
             interface eth1 {
                 vlan {
                     pvid 1
                 }
             }
             interface eth2 {
                 vlan {
                     pvid 1
                     vid 20
                 }
             }
             interface eth3 {
                 vlan {
                     pvid 1
                 }
             }
             interface eth4 {
                 vlan {
                     pvid 1
                     vid 20
                     vid 30
                 }
             }
             vlan-aware enable
         }
         vif 1 {
             address 172.16.10.1/24
             description MGMT
             mtu 1500
         }
         vif 20 {
             address 172.16.20.1/24
             description PRIVATE
             mtu 1500
         }
         vif 30 {
             address 172.16.30.1/24
             description Untrusted
             mtu 1500
         }
     }
 }

 

Zones

 zone-policy {
     zone GUEST {
         default-action drop
         from LOCAL {
             firewall {
                 name ALLOW_ALL
             }
         }
         from WAN {
             firewall {
                 name EST/REL
             }
         }
         interface switch0.30
     }
     zone LOCAL {
         default-action drop
         from GUEST {
             firewall {
                 name GUEST_TO_LOCAL
             }
         }
         from MGMT {
             firewall {
                 name MGMT_TO_LOCAL
             }
         }
         from PRIVATE {
             firewall {
                 name PRIVATE_TO_LOCAL
             }
         }
         from WAN {
             firewall {
                 name WAN_TO_LOCAL
             }
         }
         local-zone
     }
     zone MGMT {
         default-action drop
         from GUEST {
             firewall {
                 name GUEST_TO_MGMT
             }
         }
         from LOCAL {
             firewall {
                 name ALLOW_ALL
             }
         }
         from PRIVATE {
             firewall {
                 name PRIVATE_TO_MGMT
             }
         }
         from WAN {
             firewall {
                 name EST/REL
             }
         }
         interface switch0.1
         interface vtun0
     }
     zone PRIVATE {
         default-action drop
         from LOCAL {
             firewall {
                 name ALLOW_ALL
             }
         }
         from MGMT {
             firewall {
                 name ALLOW_ALL
             }
         }
         from WAN {
             firewall {
                 name EST/REL
             }
         }
         interface switch0.20
     }
     zone WAN {
         default-action drop
         from GUEST {
             firewall {
                 name ALLOW_ALL
             }
         }
         from LOCAL {
             firewall {
                 name ALLOW_ALL
             }
         }
         from MGMT {
             firewall {
                 name ALLOW_ALL
             }
         }
         from PRIVATE {
             firewall {
                 name ALLOW_ALL
             }
         }
         interface eth0
     }
 }

 


Re: Exposed ports on ZBF


Re: Exposed ports on ZBF

I figured it out: the default action for WAN_TO_LOCAL was set to accept, not drop, so any inbound traffic not matched by rules 10–30 was accepted.