Anomaly detections, selectively announced networks, no access to Fritzbox

After updating to the latest update 161 I activated both options under Anomaly detections based on Autonomous Systems information.

Right after that access to Fritzbox GUI wasn’t possible any more resulting in a proxy error

The proxy server is refusing connections
An error occurred during a connection to 192.168.178.1.
Check the proxy settings to make sure that they are correct.
Contact your network administrator to make sure the proxy server is working.

IPFire is located behind the Fritzbox and is configured as an exposed host. Up to activation of the new feature I could access Fritzbox's GUI via 192.168.178.1. IPFire is located at 192.168.20.1

After a very short time of fiddling it became obvious that activating the second option “Deny access to destinations hosted on selectively announced networks:” leads to this problem. I therefore unchecked the option and the Fritzbox is accessible as before.

Is the behaviour expected? If so, how do I access the Fritzbox without unchecking the second option?

TIA, Sam.

Hi,

first, welcome to the IPFire community. :slight_smile:

Is the behaviour expected?

Yes. The detection of selectively announced networks also includes targets being hosted on IP ranges not globally routable - in this case, RFC 1918 IPv4 space.

In the logs, you should see messages like these:

Dec 04 14:01:00 squid-asnbl-helper[18208] WARN: Destination '192.168.178.1' resolves to IP addresses '192.168.178.1' without corresponding ASN, probably selectively announced
Dec 04 14:01:00 squid-asnbl-helper[18208] INFO: Denying access to destination '192.168.178.1' due to suspected selective announcements

If so, how do I access the Fritzbox without unchecking the second option.

Zut alors, this is a use-case I haven’t thought about while implementing this: If you tried to query a FQDN which is blocked by the anomaly detection script (such as fedoraproject.org and getfedora.org, which both trigger the fast flux detection), the list of allowed domains in the URL filter section applies first, so you can override the anomaly detection for the FQDN in question.

However, this is not implemented for destination IP addresses - I simply did not think about it. Sorry. :expressionless:

In the meantime, you can…

  • leave the detection of selectively announced networks disabled (I am not happy with that either) or
  • access the FritzBox via a FQDN - fritz.box won't work directly, since it is not a globally unique FQDN and breaks DNSSEC, but you can create a local DNS record for it (please see the documentation for further details) and whitelist it via the URL filter section, as mentioned above.

A third possibility would be to access the FritzBox without going through IPFire’s web proxy, but that requires changes to the client’s proxy settings, and is not an ideal solution in terms of security either.

Sorry to disappoint, and best regards,
Peter Müller
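To make the order of checks Peter describes concrete, here is an added Python model of the decision logic. It is not the squid-asnbl-helper's own code and uses no IPFire data: the resolver results in `RESOLVER`, the one-entry ASN table `ASN_DB` (RFC 5398 documentation ASN 64496 over TEST-NET-3), the names `router.lan.example` and `www.example.test`, the function `decide`, and the treatment of a non-resolving name as a deny are all assumptions made for this example. The point it shows is the one from the thread: the URL filter whitelist is consulted before the ASN check, but only for FQDNs, so an RFC 1918 destination given as an IP literal is denied even when whitelisted, while the same address behind a local DNS record passes once that name is whitelisted.

```python
import ipaddress

# --- Constructed sample data; none of this is IPFire's real lookup data. ---
# Hypothetical resolver results: destination -> list of IPv4 addresses.
RESOLVER = {
    "192.168.178.1": ["192.168.178.1"],       # an IP literal "resolves" to itself
    "router.lan.example": ["192.168.178.1"],  # hypothetical local DNS record for the FritzBox
    "www.example.test": ["203.0.113.10"],     # TEST-NET-3 address, constructed
}
# Hypothetical ASN database: announced prefix -> origin ASN. RFC 1918 space has
# no entry because nobody announces it on the public Internet, which is exactly
# why a LAN router trips the "no corresponding ASN" check.
ASN_DB = {
    ipaddress.ip_network("203.0.113.0/24"): 64496,
}


def lookup_asn(ip: str):
    """Return the origin ASN of the longest announced prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in ASN_DB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn)
    return None if best is None else best[1]


def is_ip_literal(destination: str) -> bool:
    """True if the client asked for a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(destination)
        return True
    except ValueError:
        return False


def addresses_without_asn(addresses):
    """Addresses not covered by any announced prefix. Non-globally-routable
    space (ip_address(x).is_global is False) always lands here."""
    return [ip for ip in addresses if lookup_asn(ip) is None]


def decide(destination: str, allowed_domains=frozenset()):
    """Model of the order of checks described in the thread.

    Returns (verdict, reason). The whitelist is applied first, but only to
    FQDNs: an IP literal never matches it, so the only way to reach a LAN
    device through the proxy with the check enabled is via a whitelisted name.
    """
    if not is_ip_literal(destination) and destination in allowed_domains:
        return ("ALLOW", "destination is on the URL filter whitelist")
    addresses = RESOLVER.get(destination)
    if not addresses:
        # Assumption for this model: an unresolvable destination is denied.
        return ("DENY", "destination does not resolve")
    flagged = addresses_without_asn(addresses)
    if flagged:
        return ("DENY", f"{flagged} have no corresponding ASN, probably selectively announced")
    return ("ALLOW", "all addresses are covered by an announced prefix")


if __name__ == "__main__":
    cases = [
        ("192.168.178.1", frozenset()),
        ("192.168.178.1", frozenset({"192.168.178.1"})),          # whitelisting the IP does not help
        ("router.lan.example", frozenset()),
        ("router.lan.example", frozenset({"router.lan.example"})),  # the workaround from the thread
        ("www.example.test", frozenset()),
    ]
    for dest, allowed in cases:
        print(f"{dest:22} whitelist={sorted(allowed)!s:26} -> {decide(dest, allowed)}")
```

Running it shows the IP literal denied in both whitelist states, the hypothetical local name denied without and allowed with the whitelist entry, and a destination covered by an announced prefix allowed unconditionally. In the real setup the whitelist entry only takes effect once the custom whitelist is enabled in the URL filter, as Sam notes further down.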

Thanks Peter, that did the trick. :+1: :grinning:

For the copycats: don’t forget to tick the “enable custom whitelist” checkbox :wink:
