Admin interface appears on RED

Hi!
First, thank you for the work and efforts, ipfire is a great product.

Somewhere with cu 144 I realized admin port 444 was exposed on RED, which it was not from the beginning (default settings red, org (dmz), green). If I started ssh, even ssh was reachable on RED. I have not changed/added any fw rule. I use openvpn and intrusion prevention.

Just then, cu 145 arrived and I upgraded. Problem disappeared.
So I wanted to keep an eye on this if it appears again and created a shodan alert on my pub ip. Today I got an alert, and yes admin port is open on red again.

I thought well let’s install test/146 but currently I cannot get it installed.

There are many starting points investigating this but thought reaching out here if someone has encountered similar?

Cheers
Marc

Have you tested this from RED? If a port is open on all interfaces you still cannot reach the port via red without a firewall rule because red uses masquerade.
If you try to reach RED_IP:444 from green or blue you get the page because the access came from green or blue.

Yes, from RED with 4G (also shodan confirmed it). I use static IP. The UI does not show any fw rule.

I have looked around a bit and it seems the whole box/config is not as I would like it to be:
(1) HW errors:

20:49:47 kernel: [Hardware Error]: cache level: L1, tx: INSN, mem-tx: IRD
20:49:47 kernel: [Hardware Error]: MC1 Error: Data/tag array parity error for a tag hit.
20:49:47 kernel: [Hardware Error]: Error Addr: 0x00007a2bd9cc7650
20:49:47 kernel: [Hardware Error]: CPU:1 (16:30:1) MC1_STATUS[Over
20:49:47 kernel: [Hardware Error]: Corrected error, no action required.
20:49:47 kernel: mce: [Hardware Error]: Machine check events logged

(2) The zone config for RED is missing:

(3) And the Domain Name System has status “broken” rDNS failed.

I will switch to command line if I find anything more insightful, but I start to get to a point where I need to build a good base-line again.


Update:
Ok, so I fixed (3) the DNS issue: unchecked use ISP assigned DNS servers, and now DNS works (however I do not have any manually added).
→ Hence I could install testing/cu146.

Also the admin UI is no longer reachable on RED from RED.

(1) I have upgraded the firmware of the APU2C4 with https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.11.0.6.rom and for now the kernel messages are not present but will verify later.

Shodan reports now 53 / udp open on RED from RED.

PORT STATE SERVICE
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
444/tcp open snpp

Just a question. How is your system connected to the WAN, if your Zone Configuration shows no association for red?

I

It’s kind of magic.

Update: so using ifconfig I get the HW addresses:

red0      Link encap:Ethernet  HWaddr 10:9A:DD:5D:36:75
orange0   Link encap:Ethernet  HWaddr 00:0D:B9:4E:84:8A
green0    Link encap:Ethernet  HWaddr 00:0D:B9:4E:84:88

using the setup tool I see:

GREEN : "pci: Intel Corporation I210 Gigabit Network   
Connection (rev 03)"                                   
GREEN : (00:0d:b9:4e:84:88)                             
RED   : "pci: Intel Corporation I210 Gigabit Network   
Connection (rev 03)"                                   
RED   : (00:0d:b9:4e:84:89)                            
ORANGE: "pci: Intel Corporation I210 Gigabit Network   
Connection (rev 03)"                                   
ORANGE: (00:0d:b9:4e:84:8a)

and also tcpdump ofc shows 10:9a:dd:5d:36:75/ether.

So looking at the setup tool, I see it uses various files/cmds and this one /var/ipfire/ethernet/settings but do not know about the life of this file. I just see, yes it is using the same hw/addr as shown in the setup tool:

[root@ipfire ~]# grep RED /var/ipfire/ethernet/settings
RED_NETADDRESS=0.0.0.0
RED_DESCRIPTION='"pci: Intel Corporation I210 Gigabit Network Connection (rev 03)"'
RED_MODE=
RED_DHCP_FORCE_MTU=
RED_BROADCAST=255.255.255.255
RED_DEV=red0
RED_DHCP_HOSTNAME=ipfire-ispbhf
RED_MACADDR=00:0d:b9:4e:84:89
RED_NETMASK=0.0.0.0
RED_TYPE=DHCP
RED_SLAVES=
RED_DRIVER=igb
RED_ADDRESS=0.0.0.0

Should address and mask be 0.0.0.0, and brdcast 32 (due to DHCP)?

I am tempted to change RED_MACADDR value but not sure if it has impact/will be overwritten, so it would be interesting to see where it is created?

[root@ipfire ~]# stat /var/ipfire/ethernet/settings
  File: /var/ipfire/ethernet/settings
  Size: 990       	Blocks: 8          IO Block: 4096   regular file
Device: 804h/2052d	Inode: 393542      Links: 1
Access: (0644/-rw-r--r--)  Uid: (   99/  nobody)   Gid: (   99/  nobody)
Access: 2020-06-24 22:43:58.340970561 +0200
Modify: 2020-06-24 22:43:56.604303879 +0200
Change: 2020-06-24 22:43:56.604303879 +0200
 Birth: 2020-04-15 13:18:03.917904853 +0200

Birth could have been around the testing of cu/144?

Hi,

did you edit /etc/sysconfig/firewall.local ? There were some similar issues, which were basically all caused by forgotten custom modifications to IPFire.

Thanks, and best regards,
Peter Müller

Did you change anything here?

https://wiki.ipfire.org/configuration/network/mac-address

Hi Peter,
no I did not do any changes by hand in that file.

cheers,
Marc

Yes, long ago, when I wanted a public IP from my SIP I set the first mac, but not inet or iptv.
Thanks!
//Marc

Hi,

could you please share the output of iptables -L -n -v then?

Thanks, and best regards,
Peter Müller

Thank you Peter. Here we go:

[root@ipfire ~]# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 256K   24M BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 341K   33M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 341K   33M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 341K   33M GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
 341K   33M IPS_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 203K   16M IPTVINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 203K   16M ICMPINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 202K   16M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 197K   16M CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 197K   16M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  880  142K DHCPGREENINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0           
16431  657K GEOIPBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
16423  657K IPSECINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
16423  657K GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
15985  628K WIRELESSINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
15985  628K OVPNINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
15929  626K TOR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
15929  626K INPUTFW    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
15929  626K REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
15929  626K POLICYIN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
9526K   17G BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 163K 9827K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  16M   22G CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
    0     0 OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 OVPNBLOCK  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
  16M   22G IPS_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G IPTVFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  16M   22G CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 479K  386M GEOIPBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 479K  386M IPSECFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 479K  386M WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 479K  386M FORWARDFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 479K  386M UPNPFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 479K  386M REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 479K  386M POLICYFWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 230K  132M CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 230K  132M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 230K  132M IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
 230K  132M IPS_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 169K  128M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 163K  128M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DHCPGREENOUTPUT  all  --  *      green0  0.0.0.0/0            0.0.0.0/0           
 4156  347K IPSECOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4156  347K TOR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4156  347K OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 4156  347K POLICYOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 3986  218K RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
 3113  246K NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW

Chain CAPTIVE_PORTAL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CAPTIVE_PORTAL_CLIENTS (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain CONNTRACK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
  16M   22G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
 8950  393K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 5878 1071K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPBLUEINPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPBLUEOUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPGREENINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  880  142K DHCPINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0           

Chain DHCPGREENOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DHCPOUTPUT  all  --  *      green0  0.0.0.0/0            0.0.0.0/0           

Chain DHCPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  333  109K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67

Chain DHCPOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68

Chain FORWARDFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GEOIPBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   344 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country PA 

Chain GUARDIAN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  438 28032 ACCEPT     tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444

Chain ICMPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  805 65506 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain INPUTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPS_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    all  --  tun0   tun0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
    0     0 NFQUEUE    all  --  tun0   red0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
    0     0 NFQUEUE    all  --  red0   tun0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
    0     0 NFQUEUE    all  --  red0   red0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
3950K 4850M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPS_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    all  --  tun0   *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
40777 5336K NFQUEUE    all  --  red0   *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
27321 1664K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPS_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 NFQUEUE    all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
17168 1006K NFQUEUE    all  --  *      red0    0.0.0.0/0            0.0.0.0/0            mark match ! 0x70000000/0x70000000 NFQUEUE balance 0:3 bypass cpu-fanout
20071   16M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x8fffffff

Chain IPTVFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPTVINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LOOPBACK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
 5668  378K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 5668  378K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3113  246K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_NEWNOTSYN */

Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OVPNBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain OVPNINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   56  2696 ACCEPT     tcp  --  red0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain P2PBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   11  1089 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --dc  --gnu  --kazaa  --bit  --apple  --soul  --winmx  --ares 

Chain POLICYFWD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 478K  386M ACCEPT     all  --  green0 *       192.168.199.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
 1139 69908 ACCEPT     all  --  orange0 red0    172.28.0.0/24        0.0.0.0/0           
    5   332 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
    5   332 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_FORWARD */

Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    57 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
  109  5518 ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
15817  620K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
15817  620K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_INPUT */

Chain POLICYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 4156  347K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_OUTPUT */

Chain PSCAN (7 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix "DROP_TCP Scan "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix "DROP_UDP Scan "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix "DROP_ICMP Scan "
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix "DROP_FRAG Scan "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_PScan */

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  red0   *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  red0   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68

Chain TOR_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain TOR_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain UPNPFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination 

Also:

[root@ipfire ~]# cat  /etc/sysconfig/firewall.local 
#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        ;;
  stop)
        ## add your 'stop' rules here
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

Cheers
/Marc
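
Added example (not part of the original thread and not IPFire's own code): a small Python check that walks an `iptables -L -n -v` listing from the INPUT chain and reports every ACCEPT rule a new connection on a given interface, protocol and destination port could hit. The function names are this example's own, and the embedded listing is a trimmed excerpt of the output posted above.

```python
import re

# Trimmed excerpt of the INPUT-path chains from the listing posted above
# (column whitespace compacted; counters as posted).
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 197K 16M CONNTRACK all -- * * 0.0.0.0/0 0.0.0.0/0
16423 657K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15985 628K OVPNINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
15929 626K POLICYIN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain CONNTRACK (3 references)
  16M 22G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
Chain GUIINPUT (1 references)
  438 28032 ACCEPT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
Chain OVPNINPUT (1 references)
   56 2696 ACCEPT tcp -- red0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain REDINPUT (1 references)
    0 0 ACCEPT tcp -- red0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
Chain POLICYIN (1 references)
  109 5518 ACCEPT all -- green0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
15817 620K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_INPUT */
"""

def parse(listing):
    """Return {chain: [rule, ...]} from `iptables -L -n -v` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+) \(", line)
        f = line.split(None, 9)  # 9 fixed columns, then the match/target options
        if head:
            current = chains.setdefault(head.group(1), [])
        elif current is not None and len(f) >= 9 and f[0] != "pkts":
            current.append({"target": f[2], "prot": f[3], "in": f[5],
                            "extra": f[9] if len(f) > 9 else ""})
    return chains

def could_match(rule, iface, proto, dport):
    """True if a NEW packet (iface, proto, dport) may satisfy the rule's matches."""
    pat = rule["in"]  # "*" = any interface, trailing "+" = name prefix wildcard
    if_ok = pat == "*" or pat == iface or (pat.endswith("+") and iface.startswith(pat[:-1]))
    dpt = re.search(r"\bdpt:(\d+)", rule["extra"])
    state = re.search(r"ctstate (\S+)", rule["extra"])
    return (if_ok and rule["prot"] in ("all", proto)
            and (not dpt or int(dpt.group(1)) == dport)
            and (not state or "NEW" in state.group(1).split(",")))

def accepting_rules(chains, iface, proto, dport, chain="INPUT", seen=None):
    """ACCEPT rules reachable from `chain` that the packet could hit.
    Over-approximates: earlier DROPs and source/spt/policy matches are ignored."""
    seen = set() if seen is None else seen
    if chain in seen:
        return []
    seen.add(chain)
    hits = []
    for rule in chains.get(chain, []):
        if not could_match(rule, iface, proto, dport):
            continue
        if rule["target"] == "ACCEPT":
            hits.append((chain, rule["in"], rule["extra"]))
        elif rule["target"] in chains:  # jump into a user-defined chain
            hits += accepting_rules(chains, iface, proto, dport, rule["target"], seen)
    return hits

if __name__ == "__main__":
    for probe in [("red0", "tcp", 444), ("red0", "tcp", 80), ("green0", "tcp", 444)]:
        print(probe, accepting_rules(parse(LISTING), *probe))
```

`iptables -L` prints only the filter table, so a listing like the one above says nothing about NAT rules; those are shown by `iptables -t nat -L -n -v`.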

Now, browsing from 4G to http://host:81 redirects to https://host:444 and I am able to login in the admin UI. Strange.

Have you disabled network address translation or bridged the nics in the hypervisor ?

IPFire is running directly on APU2C4.

Btw, switched to master/after reboot it's back to normal (no open ports on red for now).

Update: got a shodan alert, port 444 open. Meaning port 444 is available on RED from RED.

Is there anything in particular to look to get more on this?

Spooky hardware?

Cheers,
Marc