Weird behaviour on red - ports are open

Hello everyone,

I have always been very proud to see all ports on my IPFIRE firewall closed. External NMAP tests, the GRC Shields-Up logs, Shodan, etc. always showed all doors closed, beautifully.

A few days ago I received a notification that DNS port 53 (IPFIRE unbound) was open on the red network (!?). The people who manage the network infrastructure above my IP did some periodic scans and noticed that this port was open, and that it could be used as an open resolver (recursively) for third-party DNS attacks. Despite this notification, I did not notice anything wrong (in logs, graphs, whatsoever).
The notification worried me a lot, as I thought the firewall had been hacked somehow, with some rootkit. But (I guess) this is not the case.

After better analysis, I noticed that both DNS port 53 and Virtual host HTTPD port 1013 (captive portal) were open and accepting connections from the red side! Nmap, Shodan, confirmed this. GRC Shields-Up curiously showed a lot of closed ports (blue dots on FTP, TELNET and other common ports), along with the stealth and the two open ports. This is very strange, since all ports were usually reported as stealth before.

At this time I had only two firewall rules related to blue to green communications, and nothing else.

I don't know what triggered this. As I recall, the only change I did on the IPFIRE was last month, when I tried to enable the IPS service, but it apparently failed to go up. I did not further investigate what happened, and left the IPFIRE as it was, since everything else was working as usual.

I guess the IPS service injected some iptables rules during the 'enable' process, but failed to accomplish the remaining configuration and quit. I don't know how to deal with iptables, but I can get every info or log someone else may need, to help me understand what happened.

I saw previous posts on the community forum related to similar problems. But I still did not find the origin of the problem.

To solve the open red ports, I manually changed the unbound and httpd configuration to make the daemons listen to traffic only on the green and blue internal interfaces. It worked for now (all ports are stealth), but this is nasty.

I’m worried I would need to do a plain installation. And the importing of previous configuration backups may bring back all the misconfigured rules.

Any comments are greatly appreciated.
Pellini
PS: IPFIRE is running on a legacy 586
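
A way to verify the binding fix described above (unbound and httpd listening only on the green and blue addresses). This is an added example, not code from the post or from IPFire: it parses text in the layout of `ss -ltnup` output and flags every listener bound to a wildcard address or to the red address, i.e. every socket that would be reachable from red if the packet filter let the traffic through. The sample socket lines and the red address 203.0.113.10 (a TEST-NET placeholder) are constructed; on a real system run `ss -ltnup` and feed its output to `exposed_on_red()`.

```python
"""Flag listening sockets that are reachable from the red (WAN) side.
Added example for this thread, not IPFire code.  Input is text in the layout
of `ss -ltnup` output; the samples below are constructed."""
import re

RED_ADDRESSES = {"203.0.113.10"}          # placeholder red IP (TEST-NET); adjust
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}  # bound to every address, red included

# Constructed: the situation from the thread, unbound and httpd on the wildcard
# address, the web UI (444) and sshd bound to the green address only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*     users:(("unbound",pid=1234,fd=5))
tcp   LISTEN 0      128          0.0.0.0:53         0.0.0.0:*     users:(("unbound",pid=1234,fd=6))
tcp   LISTEN 0      128          0.0.0.0:1013       0.0.0.0:*     users:(("httpd",pid=2345,fd=4))
tcp   LISTEN 0      128     172.16.0.254:444        0.0.0.0:*     users:(("httpd",pid=2345,fd=5))
tcp   LISTEN 0      128     172.16.0.254:22         0.0.0.0:*     users:(("sshd",pid=777,fd=3))
"""

# Constructed: after re-binding unbound and httpd to the green and blue addresses.
SAMPLE_SS_FIXED = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0       172.16.0.254:53         0.0.0.0:*     users:(("unbound",pid=1234,fd=5))
udp   UNCONN 0      0    192.168.109.254:53         0.0.0.0:*     users:(("unbound",pid=1234,fd=7))
tcp   LISTEN 0      128     172.16.0.254:1013       0.0.0.0:*     users:(("httpd",pid=2345,fd=4))
tcp   LISTEN 0      128  192.168.109.254:1013       0.0.0.0:*     users:(("httpd",pid=2345,fd=6))
"""

# Netid State Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=..,fd=..))]
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'\s*(?:users:\(\("(?P<name>[^"]+)")?')


def parse_ss(text):
    """Return (proto, local address, port, process name) per listening socket."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sockets.append((m["proto"], m["addr"], int(m["port"]), m["name"] or "?"))
    return sockets


def exposed_on_red(text, red_addresses=RED_ADDRESSES):
    """Sockets bound to a wildcard or to a red address are reachable from red
    whenever the packet filter admits the traffic; binding the daemon to the
    internal addresses instead removes that dependency on the filter."""
    return [s for s in parse_ss(text)
            if s[1] in WILDCARDS or s[1] in red_addresses]


if __name__ == "__main__":
    for proto, addr, port, name in exposed_on_red(SAMPLE_SS):
        print(f"exposed on red: {name} {proto} {addr}:{port}")
    print("after re-binding:", exposed_on_red(SAMPLE_SS_FIXED) or "nothing exposed")
```

The check is deliberately independent of the firewall rules: a wildcard-bound daemon is one misapplied INPUT rule away from the internet, while a daemon bound to 172.16.0.254 and 192.168.109.254 is not reachable on the red address at all.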

Hi @elpellini

Welcome to the IPFire Community.

IPS does not work in that way. It supplements the packet filter, it does not manipulate or change the iptables. If IPS is enabled and running then the packets are passed through the IPS before being sent to the firewall engine.
https://wiki.ipfire.org/configuration/firewall/ips
If IPS did not turn on then it is not being used.

If you have traffic that is coming through the firewall on specific ports then there must be some form of port forward rule somewhere.

It would be good if you could show what the Firewall Rules page of your WUI has on it.
You can also look into the iptables directly on the WUI menu Firewall - iptables

If you then show the tables that are displayed after selecting FORWARDFW in the top section (iptables:) and pressing update, and then selecting NAT_DESTINATION in the bottom section (IPTable Network Address Translation:) and pressing update, this should show any port forward related rules that are in place on your system.

I have done that on my IPFire system and everything shown in the iptables section is related to entries I have placed in the Firewall Rules page.

Are you aware that in just over six months there will be no further Core Updates for i586?
Various security mitigations are not available for i586 and development work on the Linux kernel and other software that IPFire relies on is mainly done for 64 bit architectures.
https://blog.ipfire.org/post/new-year-more-bits


Thanks for the reply,

These are the only rules I have. And rule #1 would not be needed, since blue access should be allowed from green (but I had trouble in the past).

In IPtables FORWARDFW

Chain FORWARDFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  green0 blue0   172.16.0.0/16        192.168.108.0/22
  173  8996 ACCEPT     all  --  blue0  *       192.168.108.0/22     172.16.1.4

IPTable NAT NAT_DESTINATION

Chain NAT_DESTINATION (2 references)
 pkts bytes target     prot opt in     out     source               destination

IPTable NAT NAT_DESTINATION_FIX (?)

Chain NAT_DESTINATION_FIX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1 to:172.16.0.254
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2 to:192.168.109.254
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x3 to:192.168.107.15

Indeed, all entries are related to the custom rules.
However, I do not know the cause for those two services to show up on the red side.

Thanks in advance for the attention
Pellini

PS: I noticed the problem with my legacy setup. I'm planning to change to newer hardware. This legacy one is a rock solid Athlon, with more than 9 years of uninterrupted service: 5 years with IPCop and 4 with IPFIRE.

Hi,

unless I am mistaken, this is now the third time a user is reporting something like this (see this and this thread for the other two incidents).

In the past, both issues turned out to be user configuration errors not induced by any firewall rule created via IPFire’s web interface, but by editing firewall.local or similar things (which we strongly recommend against for a good reason).

So, let’s figure out what goes wrong this time…

Please don't do so until we have traced down the problem. :slight_smile:

@elpellini: Could you please run iptables -L -n -v on your IPFire machine and post its results here? Feel free to scrub any public IP addresses, if necessary. Did you make changes to your IPFire system directly via SSH? If so, which?

Thanks, and best regards,
Peter Müller


Hi Peter, thanks for helping out, and sorry for the late response.
I had not logged in with SSH to my IPFIRE firewall since November 2020. And I never made any changes to files manually. All administration was performed in the Web Interface, only.
When I noticed the DNS unbound service listening on the red interface on port 53, I was very worried that someone had hacked into the firewall. When I logged in with SSH, I found no clear evidence in filesystem timestamps or files. However, I may be wrong. Detecting clever invaders is, indeed, rocket science.

I did, in fact, some manual changes in files to temporarily fix the problem:
In /etc/unbound/unbound.conf I altered the original interface: line to

        interface-automatic: yes
        interface: blue0
        interface: green0

This made unbound listen only on the blue and green interfaces, not on red.

In /etc/httpd/conf/vhosts.d/captive.conf I changed the Listen 0.0.0.0 line at the beginning of the file, to stop httpd from serving on port 1013 in the red interface. IP 172.16.0.0/16 is my green network. IP 192.168.109.0/22 is my blue network. IPFire is at IP addresses ending with .254 in these networks.
The beginning of the file now reads:

      Listen 172.16.0.254:1013
      Listen 192.168.109.254:1013

The current iptables content follows.

# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 197K   35M BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
2217K  570M CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2217K  570M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
2217K  570M GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 145K   33M OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
2217K  570M IPS_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2217K  570M IPTVINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2217K  570M ICMPINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2127K  566M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
2105K  564M CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2105K  564M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
20011 1397K DHCPGREENINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0
 198K   20M DHCPBLUEINPUT  all  --  blue0  *       0.0.0.0/0            0.0.0.0/0
 547K   49M LOCATIONBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M IPSECINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M WIRELESSINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 547K   49M OVPNINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M TOR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M INPUTFW    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 547K   49M POLICYIN   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  12M   11G BADTCP     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
 176K 9784K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  13M   11G CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
1134K  271M OVPNBLOCK  all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
1820K 1776M OVPNBLOCK  all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
  13M   11G IPS_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G IPTVFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G CAPTIVE_PORTAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  13M   11G CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 203K   20M LOCATIONBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 203K   20M IPSECFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 203K   20M WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 203K   20M FORWARDFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 192K   19M UPNPFW     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 192K   19M REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 192K   19M POLICYFWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2328K 2210M CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2328K 2210M P2PBLOCK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
2328K 2210M IPSECBLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol none
2328K 2210M IPS_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2328K 2210M LOOPBACK   all  --  *      *       0.0.0.0/0            0.0.0.0/0
2305K 2209M CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DHCPGREENOUTPUT  all  --  *      green0  0.0.0.0/0            0.0.0.0/0
 6581 1049K DHCPBLUEOUTPUT  all  --  *      blue0   0.0.0.0/0            0.0.0.0/0
25984   63M IPSECOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
13979 1229K TOR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
13979 1229K OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0
13979 1229K POLICYOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination
  428 21400 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x01
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
 1894 2145K NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 ctstate NEW

Chain CAPTIVE_PORTAL (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CAPTIVE_PORTAL_CLIENTS (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 limit: up to 3kb/s burst 1mb mode srcip
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain CONNTRACK (3 references)
 pkts bytes target     prot opt in     out     source               destination
  17M   14G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
51560 3907K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
28650 2791K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 197K   20M DHCPINPUT  all  --  blue0  *       0.0.0.0/0            0.0.0.0/0

Chain DHCPBLUEOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6577 1048K DHCPOUTPUT  all  --  *      blue0   0.0.0.0/0            0.0.0.0/0

Chain DHCPGREENINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
20008 1397K DHCPINPUT  all  --  green0 *       0.0.0.0/0            0.0.0.0/0

Chain DHCPGREENOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DHCPOUTPUT  all  --  *      green0  0.0.0.0/0            0.0.0.0/0

Chain DHCPINPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 8135 2673K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67

Chain DHCPOUTPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 2177  714K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68

Chain FORWARDFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
 5864  305K ACCEPT     all  --  green0 blue0   172.16.0.0/16        192.168.108.0/22
 5925  308K ACCEPT     all  --  blue0  *       192.168.108.0/22     172.16.1.4

Chain GUARDIAN (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  green0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:444

Chain ICMPINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
89973 4005K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8

Chain INPUTFW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  green0 *       172.16.0.0/16        192.168.108.0/22

Chain IPSECBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.100.0/24

Chain IPSECFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    8   587 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
10590   54M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Chain IPS_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPS_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPS_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPTVFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IPTVINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCATIONBLOCK (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LOOPBACK (3 references)
 pkts bytes target     prot opt in     out     source               destination
22834 1877K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
22834 1877K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1894 2145K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_NEWNOTSYN "
 1894 2145K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_NEWNOTSYN */

Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OVPNBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination
  287 32312 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED

Chain OVPNINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  119  6398 ACCEPT     udp  --  red0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain P2PBLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination
    3   358 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m ipp2p  --edk  --dc  --gnu  --kazaa  --bit  --apple  --soul  --winmx  --ares

Chain POLICYFWD (1 references)
 pkts bytes target     prot opt in     out     source               destination
19799 1303K ACCEPT     all  --  green0 *       172.16.0.0/16        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
23180 2264K ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
 120K   13M ACCEPT     all  --  blue0  red0    192.168.108.0/22     0.0.0.0/0
    0     0 ACCEPT     all  --  orange0 red0    192.168.107.0/28     0.0.0.0/0
 4268  222K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
 4268  222K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_FORWARD */

Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
17600 1212K ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0
 167K   15M ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
  551 28652 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
 178K   19M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
 294K   28M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_INPUT */

Chain POLICYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
12221 1076K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_OUTPUT */

Chain PSCAN (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix "DROP_TCP Scan "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix "DROP_UDP Scan "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix "DROP_ICMP Scan "
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix "DROP_FRAG Scan "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_PScan */

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain TOR_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain TOR_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain UPNPFW (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  blue0  *       192.168.109.100      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.101      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.102      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.103      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.104      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.1        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.6        0.0.0.0/0
 6421 2696K RETURN     all  --  blue0  *       192.168.109.41       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.2        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.3        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.4        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.5        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.7        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.11       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.12       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.13       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.15       0.0.0.0/0
 2174  150K RETURN     all  --  blue0  *       192.168.109.42       0.0.0.0/0
20895 1557K RETURN     all  --  blue0  *       192.168.109.43       0.0.0.0/0
 1706  105K RETURN     all  --  blue0  *       192.168.109.54       0.0.0.0/0
 2173  135K RETURN     all  --  blue0  *       192.168.109.56       0.0.0.0/0
 2597  159K RETURN     all  --  blue0  *       192.168.109.51       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.53       0.0.0.0/0
 2348  145K RETURN     all  --  blue0  *       192.168.109.55       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.52       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.111.50       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.36       0.0.0.0/0
 1789  110K RETURN     all  --  blue0  *       192.168.109.57       0.0.0.0/0
  876 56726 RETURN     all  --  blue0  *       192.168.109.58       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.61       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.62       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.63       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.64       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.65       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.66       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.67       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.68       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.71       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.72       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.73       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.74       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.75       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.76       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.77       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.78       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.50       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.166      0.0.0.0/0
10701 2508K RETURN     all  --  blue0  *       192.168.109.59       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.60       0.0.0.0/0
 1966  146K RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC00:23:8b:68:34:c8
 5600  384K RETURN     all  --  blue0  *       192.168.109.44       0.0.0.0/0
 6984  478K RETURN     all  --  blue0  *       192.168.109.151      0.0.0.0/0
12871  848K RETURN     all  --  blue0  *       192.168.109.152      0.0.0.0/0
17905 1090K RETURN     all  --  blue0  *       192.168.109.153      0.0.0.0/0
 8315  560K RETURN     all  --  blue0  *       192.168.109.154      0.0.0.0/0
22203 2691K RETURN     all  --  blue0  *       192.168.109.155      0.0.0.0/0
 9446  646K RETURN     all  --  blue0  *       192.168.109.156      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.157      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.150      0.0.0.0/0
 1360 81600 RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC3c:a8:2a:26:76:04
 7992  853K RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC3c:a8:2a:26:76:03
    5   352 RETURN     all  --  blue0  *       192.168.109.200      0.0.0.0/0            MAC08:00:27:1a:9f:0a
    0     0 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP_Wirelessforward"
    0     0 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  blue0  *       192.168.109.100      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.101      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.102      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.103      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.104      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.1        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.6        0.0.0.0/0
10451  787K RETURN     all  --  blue0  *       192.168.109.41       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.2        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.3        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.4        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.5        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.7        0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.11       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.12       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.13       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.15       0.0.0.0/0
15794 1152K RETURN     all  --  blue0  *       192.168.109.42       0.0.0.0/0
 8973  746K RETURN     all  --  blue0  *       192.168.109.43       0.0.0.0/0
18327 1385K RETURN     all  --  blue0  *       192.168.109.54       0.0.0.0/0
 7944  616K RETURN     all  --  blue0  *       192.168.109.56       0.0.0.0/0
 8318  704K RETURN     all  --  blue0  *       192.168.109.51       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.53       0.0.0.0/0
 7944  615K RETURN     all  --  blue0  *       192.168.109.55       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.52       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.111.50       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.36       0.0.0.0/0
15072 1100K RETURN     all  --  blue0  *       192.168.109.57       0.0.0.0/0
14804 1081K RETURN     all  --  blue0  *       192.168.109.58       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.61       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.62       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.63       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.64       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.65       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.66       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.67       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.68       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.71       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.72       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.73       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.74       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.75       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.76       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.77       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.78       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.50       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.166      0.0.0.0/0
 2658  256K RETURN     all  --  blue0  *       192.168.109.59       0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.60       0.0.0.0/0
   47  3791 RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC00:23:8b:68:34:c8
    1    71 RETURN     all  --  blue0  *       192.168.109.44       0.0.0.0/0
 8805  680K RETURN     all  --  blue0  *       192.168.109.151      0.0.0.0/0
 2714  277K RETURN     all  --  blue0  *       192.168.109.152      0.0.0.0/0
 1767  135K RETURN     all  --  blue0  *       192.168.109.153      0.0.0.0/0
18016 1307K RETURN     all  --  blue0  *       192.168.109.154      0.0.0.0/0
45125 5957K RETURN     all  --  blue0  *       192.168.109.155      0.0.0.0/0
 2215  237K RETURN     all  --  blue0  *       192.168.109.156      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.157      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       192.168.109.150      0.0.0.0/0
    0     0 RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC3c:a8:2a:26:76:04
    2   152 RETURN     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            MAC3c:a8:2a:26:76:03
  463  105K RETURN     all  --  blue0  *       192.168.109.200      0.0.0.0/0            MAC08:00:27:1a:9f:0a
    1   328 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "DROP_Wirelessinput"
    1   328 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0            /* DROP_Wirelessinput */

I don’t think these modifications change the port status at red0.
If the firewall allows access to port 53 at WAN, the port is open.
The ‘listen’ parameter in config just allows DNS requests from all interfaces that are allowed to.
red0 should not be allowed.

In fact, these modifications were done just to stop the daemons from answering at the red interface. Indeed, the firewall is not blocking/dropping packets at the red side, and I don’t know why.
Right now I’m analyzing if other ports are open in the red side.

Hi,

thank you for providing this. Skimming through it, I could not find anything related to common user configuration errors (we have had some cases with overcredulous SNAT in the past). :expressionless:

In order to see how packets to port 1013 are processed exactly, could you please execute

iptables -t raw -j TRACE -p tcp --dport 1013 -I PREROUTING

on your IPFire, then connect to port 1013 on IPFire’s RED interface from the internet, and post the trace log lines here? For the latter,

grep "kernel: TRACE:" /var/log/messages

should be sufficient.

Does this mean you can connect to other ports (22/222, 444, etc.) from RED as well?

Thanks, and best regards,
Peter Müller

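A worked version of the trace procedure Peter describes above, added here as an example; it is not code from the thread or from IPFire. It wraps the raw-table TRACE rule, deletes it again afterwards, and reduces the `kernel: TRACE:` lines to the table/chain/rule path one packet took, ending with the rule or policy that gave the verdict. The scanner address 203.0.113.10, the red address 198.51.100.20, the log excerpt and the chain names NAT_PRE and INPUT_CUSTOM are all constructed for the example and are not the real names or addresses from the thread.

```shell
#!/bin/sh
# Added example, not from the IPFire thread. It wraps the TRACE procedure
# suggested above and reduces the resulting kernel log lines to the path a
# packet took through the netfilter tables and chains.
#
# Assumptions (not stated in the thread): TRACE is supported in the raw
# table, trace lines are written to /var/log/messages, and the test host on
# the internet is 203.0.113.10 (documentation range, chosen here).

TRACE_PORT=1013
SCANNER_IP=203.0.113.10

# Insert the trace rule at the top of raw/PREROUTING so it sees the SYN
# before any NAT or filter decision. Restricting it to one source address
# keeps the log readable; the rule in the thread traces all sources.
trace_on() {
    iptables -t raw -I PREROUTING 1 -s "$SCANNER_IP" -p tcp --dport "$TRACE_PORT" -j TRACE
}

# Delete the identical rule once the test connection has been made; TRACE
# logs every matching packet and should not be left in place.
trace_off() {
    iptables -t raw -D PREROUTING -s "$SCANNER_IP" -p tcp --dport "$TRACE_PORT" -j TRACE
}

# Reduce TRACE lines read from stdin to "table chain type rulenum", one per
# hop. Type is "rule" (a rule matched), "return" (end of a user chain) or
# "policy" (chain policy applied).
trace_path() {
    sed -n 's/.*kernel: TRACE: \([^:]*\):\([^:]*\):\([^:]*\):\([0-9]*\) .*/\1 \2 \3 \4/p'
}

# The last hop is the rule or policy that gave the verdict. TRACE does not
# print the verdict itself, so print the iptables command that shows it.
trace_verdict() {
    last=$(trace_path | tail -n 1)
    [ -n "$last" ] || { echo "no TRACE lines found"; return 1; }
    set -- $last
    if [ "$3" = policy ]; then
        echo "verdict: policy of $1/$2 (iptables -t $1 -S $2 | head -n 1)"
    else
        echo "verdict: $1/$2 rule $4 (iptables -t $1 -S $2 $4)"
    fi
}

# Constructed, abridged sample of what the grep from the thread returns for
# one SYN to 1013. Chain names NAT_PRE and INPUT_CUSTOM are placeholders,
# not IPFire's real chain names.
SAMPLE_LOG='Nov  3 10:15:01 ipfire kernel: TRACE: raw:PREROUTING:policy:2 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: mangle:PREROUTING:policy:1 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: nat:PREROUTING:rule:1 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: nat:NAT_PRE:return:4 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: nat:PREROUTING:policy:3 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: mangle:INPUT:policy:1 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: filter:INPUT:rule:6 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: filter:INPUT_CUSTOM:return:3 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN
Nov  3 10:15:01 ipfire kernel: TRACE: filter:INPUT:rule:9 IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=1013 SYN'

# Offline run on the sample. On the firewall, replace the printf with
#   grep 'kernel: TRACE:' /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | trace_path
printf '%s\n' "$SAMPLE_LOG" | trace_verdict
```

On the firewall the sequence is `trace_on`, one connection attempt from the scanner host to port 1013 on red0, `grep 'kernel: TRACE:' /var/log/messages | trace_verdict`, then `trace_off`. If the packet is accepted, the last hop is the filter rule that let it in; if it is dropped, the last hop is either a DROP rule or the INPUT policy. If no TRACE lines appear at all, check that a logging backend is registered for IPv4 (`sysctl net.netfilter.nf_log.2`), since TRACE is silent without one.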

Thanks Peter,

Before your trace proposal,

Does this mean you can connect to other ports (22/222, 444, etc.) from RED as well?

No, the only ports that were listening to packets on red0 interface were 53 and 1013, only.

In order to execute the trace you proposed, I tried to change back the captive.conf and unbound.conf to their original configuration, to release the daemons to listen on every interface.
After a reboot, surprisingly, the ports (this time) are not listening on the red side. I just returned the configuration to what it was before, and both Unbound and HTTPD are not listening to anything from the red side! The problem did not repeat itself. This is very strange.

I will investigate a little bit further (run an NMAP from outside the network, etc.), and then make the trace you mentioned.

Hi,

yes please. This seems odd indeed… :expressionless:

Thanks, and best regards,
Peter Müller