* Forward default "DROP" is not applied to ORANGE traffic?!
From: Peter Müller @ 2018-12-15 16:36 UTC (permalink / raw)
To: development
Hello list,

I recently stumbled across a strange behaviour of IPFire 2.x, which
seems to be quite critical in my eyes, but I am not sure whether it is
intentional or not.

Default settings of IPFire allow traffic from internal networks
(GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
https://wiki.ipfire.org/configuration/firewall/default-policy

For several reasons, no direct internet access is desired on most
firewall installations I administer, so setting the "default firewall
behaviour" to DROP for both FORWARD and OUTGOING usually is one of
the first steps after installation.

Speaking about GREEN and BLUE, this seems to work: No direct connection
is possible unless it has been explicitly allowed.

It turns out this setting does not apply to traffic from ORANGE: Even if
the default is set to DROP, and no firewall rules allowing anything are
in place, a server located in the DMZ is able to reach the full internet -
every port on every IP in every country.

This is not my expectation of "default policy" = DROP after all!

Could one of the core developers urgently have a look at this, please?

Thanks, and best regards,
Peter Müller
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Michael Tremer @ 2018-12-16 13:53 UTC (permalink / raw)
To: development
Hey,

Could you dump the generated iptables ruleset?

I do not see anything that could potentially be a problem here that is causing your behaviour:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD

-Michael
> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>
> Hello list,
>
> I recently stumbled across a strange behaviour of IPFire 2.x, which
> seems to be quite critical in my eyes, but I am not sure whether it is
> intentional or not.
>
> Default settings of IPFire allow traffic from internal networks
> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
> https://wiki.ipfire.org/configuration/firewall/default-policy
>
> For several reasons, no direct internet access is desired on most
> firewall installations I administer, so setting the "default firewall
> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
> the first steps after installation.
>
> Speaking about GREEN and BLUE, this seems to work: No direct connection
> is possible unless it has been explicitly allowed.
>
> It turns out this setting does not apply to traffic from ORANGE: Even if
> the default is set to DROP, and no firewall rules allowing anything are
> in place, a server located in the DMZ is able to reach the full internet -
> every port on every IP in every country.
>
> This is not my expectation of "default policy" = DROP after all!
>
> Could one of the core developers urgently have a look at this, please?
>
> Thanks, and best regards,
> Peter Müller
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
* RE: Forward default "DROP" is not applied to ORANGE traffic?!
From: oliver.fuhrer @ 2018-12-16 17:07 UTC (permalink / raw)
To: development
Hi Michael,

I observed the same issue on my installations and I think it's coming from the following lines in /etc/rc.d/init.d/firewall:

413 # Orange pinholes
414 if [ "$ORANGE_DEV" != "" ]; then
415     # This rule enables a host on ORANGE network to connect to the outside
416     # (only if we have a red connection)
417     if [ "$IFACE" != "" ]; then
418         iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT
419     fi
420 fi

Regards
Oliver
-----Original Message-----
From: Development <development-bounces(a)lists.ipfire.org> On Behalf Of Michael Tremer
Sent: Sunday, December 16, 2018 2:53 PM
To: Peter Müller <peter.mueller(a)link38.eu>
Cc: IPFire: Development-List <development(a)lists.ipfire.org>
Subject: Re: Forward default "DROP" is not applied to ORANGE traffic?!
Hey,
Could you dump the generated iptables ruleset?
I do not see anything that could potentially be a problem here that is causing your behaviour:
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD
-Michael
> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>
> Hello list,
>
> I recently stumbled across a strange behaviour of IPFire 2.x, which
> seems to be quite critical in my eyes, but I am not sure whether it is
> intentional or not.
>
> Default settings of IPFire allow traffic from internal networks
> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
> https://wiki.ipfire.org/configuration/firewall/default-policy
>
> For several reasons, no direct internet access is desired on most
> firewall installations I administer, so setting the "default firewall
> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
> the first steps after installation.
>
> Speaking about GREEN and BLUE, this seems to work: No direct connection
> is possible unless it has been explicitly allowed.
>
> It turns out this setting does not apply to traffic from ORANGE: Even if
> the default is set to DROP, and no firewall rules allowing anything are
> in place, a server located in the DMZ is able to reach the full internet -
> every port on every IP in every country.
>
> This is not my expectation of "default policy" = DROP after all!
>
> Could one of the core developers urgently have a look at this, please?
>
> Thanks, and best regards,
> Peter Müller
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
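A defender-side check for the rule Oliver quotes, added here as an example and not code from IPFire or from anyone in this thread: it scans an `iptables -S` style dump for an unconditional ORANGE-to-RED ACCEPT in the REDFORWARD chain, which is exactly the rule shape that lets DMZ hosts bypass a FORWARD default of DROP. The interface names (orange0, ppp0, green0) and the sample ruleset are constructed for illustration; on a real box you would feed it the output of `iptables -S REDFORWARD`.

```shell
#!/bin/sh
# Added audit check (not IPFire's own code): find the ORANGE -> RED
# pinhole quoted above in an `iptables -S` dump.
# Interface names used below (orange0, ppp0, green0) are assumptions.

# audit_ruleset RULESET ORANGE_DEV RED_DEV
# Prints every REDFORWARD rule that accepts all traffic from ORANGE_DEV to
# RED_DEV with no further match (no protocol, port or address restriction),
# i.e. the same shape as the rule in the init script. Returns 0 if at least
# one such rule exists, 1 otherwise (this is grep's own exit status).
audit_ruleset() {
    ruleset="$1"
    orange_dev="$2"
    red_dev="$3"
    # -F: literal match, -x: whole line. A rule that additionally carries
    # -p/--dport/-s/-d (a deliberate, narrower pinhole) is therefore not
    # flagged; only the catch-all accept is.
    printf '%s\n' "$ruleset" | grep -Fx -- "-A REDFORWARD -i $orange_dev -o $red_dev -j ACCEPT"
}

# Constructed sample in `iptables -S` format, trimmed to the lines that
# matter here. A real dump on an IPFire box has many more chains and rules.
SAMPLE_RULESET='-P FORWARD DROP
-N REDFORWARD
-A FORWARD -j REDFORWARD
-A REDFORWARD -i orange0 -o ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A REDFORWARD -i orange0 -o ppp0 -j ACCEPT'

# Stand-alone use: report the finding, or confirm the chain is clean.
if pinhole=$(audit_ruleset "$SAMPLE_RULESET" orange0 ppp0); then
    echo "WARNING: unconditional ORANGE->RED accept bypasses the DROP policy:"
    echo "  $pinhole"
else
    echo "OK: no unconditional ORANGE->RED accept in REDFORWARD"
fi
```

The exact-line match is deliberate: the narrower SMTP rule in the sample is the kind of pinhole an administrator adds on purpose, so the check only reports the catch-all accept that Peter observed. Substitute the real ORANGE and RED device names and the live `iptables -S REDFORWARD` output to run it against an installation.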
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Peter Müller @ 2018-12-23 15:31 UTC (permalink / raw)
To: development
Hello Michael,

sorry for the late reply.

I will send you the output of "iptables -L -n -v" directly.

So far, I am able to reproduce this issue on two machines
(both with default policy set to DROP). In both cases, adding
a rule with source = ORANGE, destination = RED and action = DROP
to the end of the firewall ruleset in the WebUI solved the
problem.

So far, it seems like ORANGE is affected by this only.

Thanks, and best regards,
Peter Müller
> Hey,
>
> Could you dump the generated iptables ruleset?
>
> I do not see anything that could potentially be a problem here that is causing your behaviour:
>
> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD
>
> -Michael
>
>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>
>> Hello list,
>>
>> I recently stumbled across a strange behaviour of IPFire 2.x, which
>> seems to be quite critical in my eyes, but I am not sure whether it is
>> intentional or not.
>>
>> Default settings of IPFire allow traffic from internal networks
>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
>> https://wiki.ipfire.org/configuration/firewall/default-policy
>>
>> For several reasons, no direct internet access is desired on most
>> firewall installations I administer, so setting the "default firewall
>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
>> the first steps after installation.
>>
>> Speaking about GREEN and BLUE, this seems to work: No direct connection
>> is possible unless it has been explicitly allowed.
>>
>> It turns out this setting does not apply to traffic from ORANGE: Even if
>> the default is set to DROP, and no firewall rules allowing anything are
>> in place, a server located in the DMZ is able to reach the full internet -
>> every port on every IP in every country.
>>
>> This is not my expectation of "default policy" = DROP after all!
>>
>> Could one of the core developers urgently have a look at this, please?
>>
>> Thanks, and best regards,
>> Peter Müller
>> --
>> Microsoft DNS service terminates abnormally when it receives a response
>> to a DNS query that was never made. Fix Information: Run your DNS
>> service on a different platform.
>> -- bugtraq
>
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Peter Müller @ 2019-01-04 21:12 UTC (permalink / raw)
To: development
Hello Michael,

just a quick reminder on this. :-) I know it's still the very beginning
of the year...

If there are any questions, please drop me a line.

Thanks, and best regards,
Peter Müller
> Hello Michael,
>
> sorry for the late reply.
>
> I will send you the output of "iptables -L -n -v" directly.
>
> So far, I am able to reproduce this issue on two machines
> (both with default policy set to DROP). In both cases, adding
> a rule with source = ORANGE, destination = RED and action = DROP
> to the end of the firewall ruleset in the WebUI solved the
> problem.
>
> So far, it seems like ORANGE is affected by this only.
>
> Thanks, and best regards,
> Peter Müller
>
>> Hey,
>>
>> Could you dump the generated iptables ruleset?
>>
>> I do not see anything that could potentially be a problem here that is causing your behaviour:
>>
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD
>>
>> -Michael
>>
>>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>>
>>> Hello list,
>>>
>>> I recently stumbled across a strange behaviour of IPFire 2.x, which
>>> seems to be quite critical in my eyes, but I am not sure whether it is
>>> intentional or not.
>>>
>>> Default settings of IPFire allow traffic from internal networks
>>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
>>> https://wiki.ipfire.org/configuration/firewall/default-policy
>>>
>>> For several reasons, no direct internet access is desired on most
>>> firewall installations I administer, so setting the "default firewall
>>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
>>> the first steps after installation.
>>>
>>> Speaking about GREEN and BLUE, this seems to work: No direct connection
>>> is possible unless it has been explicitly allowed.
>>>
>>> It turns out this setting does not apply to traffic from ORANGE: Even if
>>> the default is set to DROP, and no firewall rules allowing anything are
>>> in place, a server located in the DMZ is able to reach the full internet -
>>> every port on every IP in every country.
>>>
>>> This is not my expectation of "default policy" = DROP after all!
>>>
>>> Could one of the core developers urgently have a look at this, please?
>>>
>>> Thanks, and best regards,
>>> Peter Müller
>>> --
>>> Microsoft DNS service terminates abnormally when it receives a response
>>> to a DNS query that was never made. Fix Information: Run your DNS
>>> service on a different platform.
>>> -- bugtraq
>>
>
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Michael Tremer @ 2019-01-05 12:51 UTC (permalink / raw)
To: development
Hi,
> On 4 Jan 2019, at 21:12, Peter Müller <peter.mueller(a)link38.eu> wrote:
>
> Hello Michael,
>
> just a quick reminder on this. :-) I know it's still the very beginning
> of the year...
>
> If there are any questions, please drop me a line.
Reminder of what? According to the code this is intentional.
If you think that this should not be like this, please send a patch.
-Michael
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello Michael,
>>
>> sorry for the late reply.
>>
>> I will send you the output of "iptables -L -n -v" directly.
>>
>> So far, I am able to reproduce this issue on two machines
>> (both with default policy set to DROP). In both cases, adding
>> a rule with source = ORANGE, destination = RED and action = DROP
>> to the end of the firewall ruleset in the WebUI solved the
>> problem.
>>
>> So far, it seems like ORANGE is affected by this only.
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>> Hey,
>>>
>>> Could you dump the generated iptables ruleset?
>>>
>>> I do not see anything that could potentially be a problem here that is causing your behaviour:
>>>
>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD
>>>
>>> -Michael
>>>
>>>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>>>
>>>> Hello list,
>>>>
>>>> I recently stumbled across a strange behaviour of IPFire 2.x, which
>>>> seems to be quite critical in my eyes, but I am not sure whether it is
>>>> intentional or not.
>>>>
>>>> Default settings of IPFire allow traffic from internal networks
>>>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
>>>> https://wiki.ipfire.org/configuration/firewall/default-policy
>>>>
>>>> For several reasons, no direct internet access is desired on most
>>>> firewall installations I administer, so setting the "default firewall
>>>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
>>>> the first steps after installation.
>>>>
>>>> Speaking about GREEN and BLUE, this seems to work: No direct connection
>>>> is possible unless it has been explicitly allowed.
>>>>
>>>> It turns out this setting does not apply to traffic from ORANGE: Even if
>>>> the default is set to DROP, and no firewall rules allowing anything are
>>>> in place, a server located in the DMZ is able to reach the full internet -
>>>> every port on every IP in every country.
>>>>
>>>> This is not my expectation of "default policy" = DROP after all!
>>>>
>>>> Could one of the core developers urgently have a look at this, please?
>>>>
>>>> Thanks, and best regards,
>>>> Peter Müller
>>>> --
>>>> Microsoft DNS service terminates abnormally when it receives a response
>>>> to a DNS query that was never made. Fix Information: Run your DNS
>>>> service on a different platform.
>>>> -- bugtraq
>>>
>>
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Peter Müller @ 2019-01-06 10:41 UTC (permalink / raw)
To: development
Hello Michael,

thanks for your reply. Sorry for the confusion.

The current behaviour is unintentional in my point of view: If default
policy is set to DROP, connections from GREEN and BLUE to RED are
forbidden by default, but not from ORANGE to RED. As far as I know,
this is not even documented.

Therefore, I suggest changing the behaviour to DROP, too.

@All: Opinions?

Thanks, and best regards,
Peter Müller
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
* Re: Forward default "DROP" is not applied to ORANGE traffic?!
From: Michael Tremer @ 2019-01-07 12:57 UTC (permalink / raw)
To: development
Hey,
> On 6 Jan 2019, at 10:41, Peter Müller <peter.mueller(a)link38.eu> wrote:
>
> Hello Michael,
>
> thanks for your reply. Sorry for the confusion.
>
> The current behaviour is unintentional in my point of view: If default
> policy is set to DROP, connections from GREEN and BLUE to RED are
> forbidden by default, but not from ORANGE to RED. As far as I know,
> this is not even documented.
>
This *is* intended. The code says so.
What you are saying is that it is unexpected. Agreed.
> Therefore, I suggest changing the behaviour to DROP, too.
>
> @All: Opinions?
*Raises hand in favour*
-Michael
>
> Thanks, and best regards,
> Peter Müller
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq