Hi!
First, thank you for the work and efforts, ipfire is a great product.
Somewhere around cu 144 I realized admin port 444 was exposed on RED, which was not the case from the beginning (default settings: red, orange (DMZ), green). If I started SSH, even SSH was reachable on RED. I have not changed/added any firewall rule. I use OpenVPN and intrusion prevention.
Just then, cu 145 arrived and I upgraded. Problem disappeared.
So I wanted to keep an eye on this if it appears again and created a shodan alert on my pub ip. Today I got an alert, and yes admin port is open on red again.
I thought, well, let's install test/146, but currently I cannot get it installed.
There are many starting points for investigating this, but I thought I'd reach out here in case someone has encountered something similar.
Have you tested this from RED? If a port is open on all interfaces, you still cannot reach the port via red without a firewall rule, because red uses masquerade.
If you try to reach RED_IP:444 from green or blue, you get the page because the access came from green or blue.
(3) And the Domain Name System has status “broken”: rDNS failed.
I will switch to the command line if I find anything more insightful, but I am starting to get to a point where I need to build a good baseline again.
Update:
OK, so I fixed (3), the DNS issue: I unchecked "Use ISP assigned DNS servers", and now DNS works (however, I do not have any manually added).
→ Hence I could install testing/cu146.
Also, the admin UI is not reachable on RED from RED anymore.
red0 Link encap:Ethernet HWaddr 10:9A:DD:5D:36:75
orange0 Link encap:Ethernet HWaddr 00:0D:B9:4E:84:8A
green0 Link encap:Ethernet HWaddr 00:0D:B9:4E:84:88
Using the setup tool I see:
GREEN : "pci: Intel Corporation I210 Gigabit Network
Connection (rev 03)"
GREEN : (00:0d:b9:4e:84:88)
RED : "pci: Intel Corporation I210 Gigabit Network
Connection (rev 03)"
RED : (00:0d:b9:4e:84:89)
ORANGE: "pci: Intel Corporation I210 Gigabit Network
Connection (rev 03)"
ORANGE: (00:0d:b9:4e:84:8a)
And tcpdump, of course, also shows 10:9a:dd:5d:36:75/ether.
So, looking at the setup tool, I see it uses various files/commands, including /var/ipfire/ethernet/settings, but I do not know about the life cycle of this file. I just see that, yes, it is using the same hardware address as shown in the setup tool:
Did you edit /etc/sysconfig/firewall.local? There were some similar issues, which were basically all caused by forgotten custom modifications to IPFire.
[root@ipfire ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
256K 24M BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
341K 33M CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
341K 33M P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
341K 33M GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
341K 33M IPS_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
203K 16M IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
203K 16M ICMPINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
202K 16M LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
197K 16M CAPTIVE_PORTAL all -- * * 0.0.0.0/0 0.0.0.0/0
197K 16M CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
880 142K DHCPGREENINPUT all -- green0 * 0.0.0.0/0 0.0.0.0/0
16431 657K GEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
16423 657K IPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
16423 657K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15985 628K WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
15985 628K OVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K TOR_INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K INPUTFW all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K POLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9526K 17G BADTCP tcp -- * * 0.0.0.0/0 0.0.0.0/0
163K 9827K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
16M 22G CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G IPSECBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 OVPNBLOCK all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 OVPNBLOCK all -- * tun+ 0.0.0.0/0 0.0.0.0/0
16M 22G IPS_FORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G IPTVFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G CAPTIVE_PORTAL all -- * * 0.0.0.0/0 0.0.0.0/0
16M 22G CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
479K 386M GEOIPBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
479K 386M IPSECFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
479K 386M WIRELESSFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
479K 386M FORWARDFW all -- * * 0.0.0.0/0 0.0.0.0/0
479K 386M UPNPFW all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
479K 386M REDFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
479K 386M POLICYFWD all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
230K 132M CUSTOMOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
230K 132M P2PBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
230K 132M IPSECBLOCK all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
230K 132M IPS_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
169K 128M LOOPBACK all -- * * 0.0.0.0/0 0.0.0.0/0
163K 128M CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DHCPGREENOUTPUT all -- * green0 0.0.0.0/0 0.0.0.0/0
4156 347K IPSECOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
4156 347K TOR_OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
4156 347K OUTGOINGFW all -- * * 0.0.0.0/0 0.0.0.0/0
4156 347K POLICYOUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain BADTCP (2 references)
pkts bytes target prot opt in out source destination
3986 218K RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
3113 246K NEWNOTSYN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 ctstate NEW
Chain CAPTIVE_PORTAL (2 references)
pkts bytes target prot opt in out source destination
Chain CAPTIVE_PORTAL_CLIENTS (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
0 0 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain CONNTRACK (3 references)
pkts bytes target prot opt in out source destination
16M 22G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
8950 393K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
5878 1071K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain CUSTOMOUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain DHCPBLUEINPUT (0 references)
pkts bytes target prot opt in out source destination
Chain DHCPBLUEOUTPUT (0 references)
pkts bytes target prot opt in out source destination
Chain DHCPGREENINPUT (1 references)
pkts bytes target prot opt in out source destination
880 142K DHCPINPUT all -- green0 * 0.0.0.0/0 0.0.0.0/0
Chain DHCPGREENOUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 DHCPOUTPUT all -- * green0 0.0.0.0/0 0.0.0.0/0
Chain DHCPINPUT (1 references)
pkts bytes target prot opt in out source destination
333 109K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
Chain DHCPOUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
Chain FORWARDFW (1 references)
pkts bytes target prot opt in out source destination
Chain GEOIPBLOCK (2 references)
pkts bytes target prot opt in out source destination
8 344 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country PA
Chain GUARDIAN (2 references)
pkts bytes target prot opt in out source destination
Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source destination
438 28032 ACCEPT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
Chain ICMPINPUT (1 references)
pkts bytes target prot opt in out source destination
805 65506 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
Chain INPUTFW (1 references)
pkts bytes target prot opt in out source destination
Chain IPSECBLOCK (2 references)
pkts bytes target prot opt in out source destination
Chain IPSECFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain IPSECINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain IPSECOUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain IPS_FORWARD (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- tun0 tun0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
0 0 NFQUEUE all -- tun0 red0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
0 0 NFQUEUE all -- red0 tun0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
0 0 NFQUEUE all -- red0 red0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
3950K 4850M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0x8fffffff
Chain IPS_INPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- tun0 * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
40777 5336K NFQUEUE all -- red0 * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
27321 1664K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0x8fffffff
Chain IPS_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 NFQUEUE all -- * tun0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
17168 1006K NFQUEUE all -- * red0 0.0.0.0/0 0.0.0.0/0 mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
20071 16M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 MARK and 0x8fffffff
Chain IPTVFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain IPTVINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain LOG_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_REJECT (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain LOOPBACK (3 references)
pkts bytes target prot opt in out source destination
5668 378K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
5668 378K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8
Chain NEWNOTSYN (1 references)
pkts bytes target prot opt in out source destination
3113 246K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_NEWNOTSYN */
Chain OUTGOINGFW (1 references)
pkts bytes target prot opt in out source destination
Chain OVPNBLOCK (3 references)
pkts bytes target prot opt in out source destination
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
Chain OVPNINPUT (1 references)
pkts bytes target prot opt in out source destination
56 2696 ACCEPT tcp -- red0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain P2PBLOCK (3 references)
pkts bytes target prot opt in out source destination
11 1089 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m ipp2p --edk --dc --gnu --kazaa --bit --apple --soul --winmx --ares
Chain POLICYFWD (1 references)
pkts bytes target prot opt in out source destination
478K 386M ACCEPT all -- green0 * 192.168.199.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
1139 69908 ACCEPT all -- orange0 red0 172.28.0.0/24 0.0.0.0/0
5 332 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
5 332 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_FORWARD */
Chain POLICYIN (1 references)
pkts bytes target prot opt in out source destination
1 57 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514
109 5518 ACCEPT all -- green0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
15817 620K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
15817 620K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_INPUT */
Chain POLICYOUT (1 references)
pkts bytes target prot opt in out source destination
4156 347K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_OUTPUT */
Chain PSCAN (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix "DROP_TCP Scan "
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix "DROP_UDP Scan "
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix "DROP_ICMP Scan "
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix "DROP_FRAG Scan "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_PScan */
Chain REDFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain REDINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- red0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
0 0 ACCEPT udp -- red0 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
Chain TOR_INPUT (1 references)
pkts bytes target prot opt in out source destination
Chain TOR_OUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain UPNPFW (1 references)
pkts bytes target prot opt in out source destination
Chain WIRELESSFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain WIRELESSINPUT (1 references)
pkts bytes target prot opt in out source destination
Also:
[root@ipfire ~]# cat /etc/sysconfig/firewall.local
#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        ;;
    stop)
        ## add your 'stop' rules here
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
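The reply above makes the point that a GUIINPUT rule bound to green0 does not expose port 444 on red. As an added audit script (not from this thread or from IPFire), the following parses `iptables -L -n -v` output in the format posted above and lists every ACCEPT rule for a TCP port whose input interface is not a trusted internal one; the sample rules are constructed, and the red0 rule is a hypothetical misconfiguration included only so the check has something to flag.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of `iptables -L -n -v` on IPFire. The
# green0 rule mirrors the real GUIINPUT chain; the red0 rule is hypothetical.
SAMPLE = """\
Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  438 28032 ACCEPT     tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444
   12   720 ACCEPT     tcp  --  red0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444
Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
  109  5518 ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0
"""

# Columns: pkts bytes target prot opt in out source destination [match text]
RULE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_chains(text: str) -> Dict[str, List[dict]]:
    """Return {chain_name: [rule, ...]} from `iptables -L -n -v` output."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        # Skip text before the first chain, column headers and blank lines.
        if current is None or line.strip().startswith("pkts") or not line.strip():
            continue
        m = RULE.match(line)
        if not m:
            continue
        _, _, target, prot, _, iface_in, iface_out, src, dst, extra = m.groups()
        chains[current].append({"target": target, "prot": prot, "in": iface_in,
                                "out": iface_out, "src": src, "dst": dst, "extra": extra})
    return chains


def accept_rules_for_port(chains: Dict[str, List[dict]], port: int,
                          trusted_in=("green0", "blue0", "lo")) -> List[Tuple[str, str]]:
    """(chain, in-interface) for ACCEPT rules admitting TCP dport `port` from an
    interface outside `trusted_in`; a wildcard '*' input interface is flagged too."""
    needle = f"dpt:{port}"
    hits = []
    for name, rules in chains.items():
        for r in rules:
            if r["target"] == "ACCEPT" and needle in r["extra"] and r["in"] not in trusted_in:
                hits.append((name, r["in"]))
    return hits
```

On a real box, feed it `subprocess.check_output(["iptables", "-L", "-n", "-v"], text=True)` instead of SAMPLE; an empty result for port 444 means no chain accepts the web UI from red or from any interface, which is what the reply above describes as the expected state.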