Should admin interface be available on red?

I was fooling around trying to learn nmap and decided to scan my personal host that is running the latest IPFire on top of a Raspberry Pi 3b+. I was shocked to see the web interface port showing through on the red interface and able to be logged into. Is there some configuration somewhere that I accidentally enabled to make that possible? How can I get that blocked? Basically, the only thing I expected to be externally accessible was OpenVPN and everything else should be blocked. My nmap results are here:

$ nmap -F xxx.xxx.xxx.xxx

Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 12:58 CDT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.12s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT    STATE SERVICE
53/tcp  open  domain
81/tcp  open  hosts2-ns
444/tcp open  snpp
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds

Thanks for any suggestions!
Craig

There was quite a similar report two years ago: Admin interface appears on RED

I wonder, can it be a weird security bug? What I find striking is that in both cases the same two ports are open, 81 and 444, and also that in the 2020 report the OP wrote that 81 would forward to 444. Can it be a bug around those two ports?

I did see that conversation and I thought it was strikingly similar. However, I didn’t ever really see a resolution and certainly the hardware involved was significantly different.

Have you done this nmap scan from a system in the red network?

If you scan from green/blue/orange or VPN, even if you target the red IP, you get false open ports because the connection came in from the internal networks and passes the firewall.

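The point above, that a scan of the red IP is only meaningful when the scanner sits outside every internal zone, can be turned into a quick check. This is an added example, not code from anyone in this thread or from the IPFire project; the zone subnets are constructed assumptions, and the nmap output is the one the OP posted.

```python
"""Sanity-check an nmap result against the IPFire red interface.

Decides whether ports reported open on red reflect real exposure, or are
artefacts of scanning from green/blue/orange/OpenVPN, where IPFire's INPUT
rules already allow the web GUI. Subnets below are constructed assumptions.
"""
import ipaddress
import re

# Constructed assumptions: the firewall's internal zones as seen from the
# scanner's source address. Adjust to the real IPFire zone networks.
INTERNAL_ZONES = {
    "green": ipaddress.ip_network("192.168.1.0/24"),
    "blue": ipaddress.ip_network("192.168.2.0/24"),
    "openvpn": ipaddress.ip_network("10.8.0.0/24"),
}

# IPFire's web GUI listens on 444; 81 is the plain-HTTP redirect to it.
ADMIN_PORTS = {81, 444}

# The OP's scan output, taken from the thread.
NMAP_OUTPUT = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 12:58 CDT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.12s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT    STATE SERVICE
53/tcp  open  domain
81/tcp  open  hosts2-ns
444/tcp open  snpp
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.MULTILINE)


def parse_open_ports(nmap_output: str) -> dict[int, str]:
    """Return {port: service} for every line nmap marks 'open'."""
    return {int(m.group(1)): m.group(3) for m in PORT_LINE.finditer(nmap_output)}


def scan_origin(source_ip: str) -> str:
    """Name the internal zone the scanner sits in, or 'red' if none matches."""
    addr = ipaddress.ip_address(source_ip)
    return next((z for z, net in INTERNAL_ZONES.items() if addr in net), "red")


def assess(nmap_output: str, source_ip: str) -> dict:
    """Combine the port list with the scan vantage point.

    admin_gui_exposed is only asserted when the scan really came from red;
    from an internal zone the open 81/444 are the expected false positives.
    """
    open_ports = parse_open_ports(nmap_output)
    origin = scan_origin(source_ip)
    return {
        "origin": origin,
        "valid_external_test": origin == "red",
        "open_ports": open_ports,
        "admin_gui_exposed": origin == "red" and bool(ADMIN_PORTS & set(open_ports)),
    }
```

Run `assess(NMAP_OUTPUT, "<scanner address>")` with the address your scanning host actually has; a result with `valid_external_test` false means repeat the scan from a genuinely external network, as was later done here with the Mifi device.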

I don’t think so. I’m on my company VPN and using the external IP address. I will retry using my Verizon Mifi device to see if I get the same results, just to be sure.

If you are on VPN, what is the endpoint of your VPN connection? A device inside or outside your IPFire?
If it is in your local net (including IPFire), your nmap scan checks from the local net, see Arne’s post.

The endpoint is outside my network. I’m not currently in a situation to test via mifi device, but will do so a bit later.

@csete , you mean both endpoints are outside?
Is the connection
device1(company) ---VPN---> device2(endpoint) ---WAN---> ipfire(red)
?

In your diagram, device1 is inside my home network and device2 is outside. While I don’t understand why that is not a valid test, the good news is that using my Mifi device on Verizon, I get a clean nmap scan. So, it appears that my concerns were not valid.

Thanks for the help everyone!

@csete
Just for clarification.
If you use your local device, which usually uses VPN to your company, it is just a routing decision. I don’t think VPN is used for IPs reachable locally, such as the red IP of IPFire.
If you use your mifi device you are in an external network, the net of your mobile provider. So the requests from nmap really come from outside.

@arne_f , can you confirm my conclusion?