Gentoo Forums
[SOLVED] An idiot try nftables
kgdrenefort
Apprentice

Joined: 19 Sep 2023
Posts: 237
Location: Somewhere in the 77

Posted: Wed May 15, 2024 1:41 pm

Hello,

After some tries, I am able to close 22, 80 & 443 (reject rules) as desired.

But I'm seeing a behaviour I do not understand.

I tested opening these ports with nc -l XXX; without any ruleset I can use telnet to touch them. It works. Hitting localhost and the port gives this output:

But if I close them, and then try to telnet them, they all three act differently:

- 80:
Code:
meself@Mephistopheles ~ $ telnet 127.0.0.1 80
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused


- 443:
Code:
meself@Mephistopheles ~ $ telnet 127.0.0.1 443
Trying 127.0.0.1...


It hangs until, a bit later, it times out:

Code:
meself@Mephistopheles ~ $ telnet 127.0.0.1 80
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused


- 22:
Code:
meself@Mephistopheles ~ $ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.


It does not even time out.

I guess for SSH it's about a timeout value in the server-side configuration, but actually I opened 22 with nc, after stopping SSH. If I re-run SSH and try with the reject rules:
Code:
meself@Mephistopheles ~ $ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.6


From my LAN on another computer:

Code:
$ telnet 192.168.1.103 22
Trying 192.168.1.103...
telnet: Unable to connect to remote host: Connection refused


But the behaviour is the same if I hit 192.168.1.103 from the same machine (with the firewall), once SSH is running again.

And from this other machine, other ports act the same.

It seems to act the same way with drop instead of reject.

I'll go deeper into my tests and try to set up a small nginx only for the purpose of testing these in more real-life conditions.

Actual ruleset:

Code:
Mephistopheles /etc # nft -s list ruleset
table inet filter {
   chain input {
      type filter hook input priority filter; policy drop;
      ct state invalid counter drop comment "early drop of invalid packets"
      ct state { established, related } counter accept comment "accept all connections related to connections made by us"
      iif "lo" accept comment "accept loopback"
      iif != "lo" ip daddr 127.0.0.0/8 counter drop comment "drop connections to loopback not coming from loopback"
      iif != "lo" ip6 daddr ::1 counter drop comment "drop connections to loopback not coming from loopback"
      ip protocol icmp counter accept comment "accept all ICMP types"
      meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
      tcp dport 22 counter drop comment "accept SSH"
      tcp dport 80 counter drop comment "accept HTTP"
      tcp dport 443 counter drop comment "accept HTTPS"
      counter comment "count dropped packets"
   }

   chain forward {
      type filter hook forward priority filter; policy drop;
      counter comment "count dropped packets"
   }

   chain output {
      type filter hook output priority filter; policy accept;
      counter comment "count accepted packets"
   }
}


Regards,
GASPARD DE RENEFORT Kévin
_________________
wiki/User:Kgdrenefort/captain_logs My system info
G. does not have problems, only learning opportunities. - NeddyS.
If your installation isn't valuable to you, feel free to continue to ignore the instructions. - figue.
nicop
n00b

Joined: 10 Apr 2014
Posts: 47

Posted: Wed May 15, 2024 1:55 pm

You can't test your firewall from/to localhost.

Use a web service such as https://portchecker.co/, or nmap from another machine.
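Why connections made on the firewall host itself never reach the port rules can be read off the ruleset posted above: `iif "lo" accept` comes before the `tcp dport` drop rules, and on Linux a connection to any of the host's own addresses (127.0.0.1 and 192.168.1.103 alike) is delivered over the loopback interface. The script below is an added illustration, not code from this thread: it walks that input chain with a small matcher written for just the rule forms the chain uses (ct state, iif, ip/ip6 daddr, ip protocol, meta l4proto, tcp dport, counter) and reports which rule a new connection terminates on. The LAN interface name `eth0` and the test packets are assumptions for the demo. On a real box the same check is `nft list ruleset` (without `-s`, which hides the counters) and watching which rule's counter increments.

```python
"""Trace which rule of the posted 'inet filter' input chain a packet hits.
Added illustration, not code from the thread. Only the rule forms that
chain uses are understood; anything else raises ValueError."""
import ipaddress
import re
from dataclasses import dataclass

# Input chain rules exactly as posted (note the stale "accept SSH" comments on drop rules).
RULESET = """
ct state invalid counter drop comment "early drop of invalid packets"
ct state { established, related } counter accept comment "accept all connections related to connections made by us"
iif "lo" accept comment "accept loopback"
iif != "lo" ip daddr 127.0.0.0/8 counter drop comment "drop connections to loopback not coming from loopback"
iif != "lo" ip6 daddr ::1 counter drop comment "drop connections to loopback not coming from loopback"
ip protocol icmp counter accept comment "accept all ICMP types"
meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
tcp dport 22 counter drop comment "accept SSH"
tcp dport 80 counter drop comment "accept HTTP"
tcp dport 443 counter drop comment "accept HTTPS"
counter comment "count dropped packets"
"""
POLICY = "drop"  # chain policy from the post


@dataclass
class Packet:
    iif: str            # interface the packet arrives on ("lo" for locally generated traffic)
    daddr: str          # destination address
    proto: str          # "tcp", "udp", "icmp", "ipv6-icmp"
    dport: int = 0
    ct_state: str = "new"


def _in_net(addr, net):
    a = ipaddress.ip_address(addr)
    return a.version == net.version and a in net


def parse_rule(line):
    """Split one rule into (list of predicates, verdict or None, comment)."""
    comment = None
    m = re.search(r'comment "([^"]*)"', line)
    if m:
        comment, line = m.group(1), line[:m.start()]
    tokens = line.split()
    verdict = tokens.pop() if tokens and tokens[-1] in ("accept", "drop", "reject") else None
    preds, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "counter":                       # stateful object, matches everything
            i += 1
        elif t == "ct" and tokens[i + 1] == "state":
            if tokens[i + 2] == "{":             # ct state { a, b }
                j = tokens.index("}", i)
                states = {s.strip(",") for s in tokens[i + 3:j]}
                i = j + 1
            else:                                # ct state a
                states = {tokens[i + 2]}
                i += 3
            preds.append(lambda p, s=states: p.ct_state in s)
        elif t == "iif":                         # iif "x"  |  iif != "x"
            negate = tokens[i + 1] == "!="
            name = tokens[i + 2 if negate else i + 1].strip('"')
            preds.append(lambda p, n=name, neg=negate: (p.iif == n) != neg)
            i += 3 if negate else 2
        elif t in ("ip", "ip6") and tokens[i + 1] == "daddr":
            net = ipaddress.ip_network(tokens[i + 2])
            preds.append(lambda p, n=net: _in_net(p.daddr, n))
            i += 3
        elif (t, tokens[i + 1]) in (("ip", "protocol"), ("meta", "l4proto")):
            proto = tokens[i + 2]
            preds.append(lambda p, pr=proto: p.proto == pr)
            i += 3
        elif t == "tcp" and tokens[i + 1] == "dport":
            port = int(tokens[i + 2])
            preds.append(lambda p, pt=port: p.proto == "tcp" and p.dport == pt)
            i += 3
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return preds, verdict, comment


RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]


def trace(pkt):
    """Return (verdict, comment) of the first terminating rule, else the chain policy."""
    for preds, verdict, comment in RULES:
        if verdict is not None and all(pred(pkt) for pred in preds):
            return verdict, comment
    return POLICY, "chain policy"


if __name__ == "__main__":
    cases = {  # constructed cases; "eth0" is an assumed LAN interface name
        "telnet 127.0.0.1 22 on the firewall host": Packet("lo", "127.0.0.1", "tcp", 22),
        "telnet 192.168.1.103 22 on the firewall host": Packet("lo", "192.168.1.103", "tcp", 22),
        "telnet 192.168.1.103 22 from another LAN host": Packet("eth0", "192.168.1.103", "tcp", 22),
        "ping from another LAN host": Packet("eth0", "192.168.1.103", "icmp"),
    }
    for label, pkt in cases.items():
        print(f"{label}: {trace(pkt)}")
```

The two local cases land on "accept loopback" whatever the destination address, which is why the loopback telnet tests only reflected whether something was listening; the LAN case is the first one that actually reaches the `tcp dport 22` rule.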
kgdrenefort
Apprentice

Joined: 19 Sep 2023
Posts: 237
Location: Somewhere in the 77

Posted: Thu May 16, 2024 9:22 am

Hello,

Thanks for the tip.

It seems to run pretty well; yesterday I had to open UDP port 30001 for a LAN connection to join a Minetest server, and it worked once I added the rule.

I guess now it'll be about adding some other rules to improve my security a bit (blocking XMAS packets and such), to be sure nobody can make weird connections or attempts against my firewall.

I consider this topic solved.

Thanks for your time and patience everyone, as always.

Regards,
GASPARD DE RENEFORT Kévin
nicop
n00b

Joined: 10 Apr 2014
Posts: 47

Posted: Sat May 18, 2024 5:16 am

kgdrenefort wrote:
I guess now it'll be about adding some other rules to improve my security a bit (blocking XMAS packets and such), to be sure nobody can make weird connections or attempts against my firewall.


Here is a netdev table you can use as a simple example:
Code:
table netdev filter {
        chain ingress {
                type filter hook ingress priority -450; policy accept;
                ip frag-off & 0x1fff != 0 counter drop comment "Drop IP fragments"
                tcp flags fin,psh,urg / fin,psh,urg counter drop comment "Drop tcp 'xmas' packets"
                tcp flags ! fin,syn,rst,psh,ack,urg counter drop comment "Drop tcp packets with no flags"
                tcp flags syn tcp option maxseg size 1-535 counter drop comment "Drop tcp packets with mss <536"
        }
}


And set the devices with postup/predown for each interface in /etc/conf.d/net:

Code:
postup() {
        nft add chain netdev filter ingress "{ devices = { ${IFACE} }; }"
}

predown() {
        nft delete chain netdev filter ingress "{ devices = { ${IFACE} }; }" 2>/dev/null
}
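What the four ingress rules above actually match is easiest to see by applying their logic to raw packets. The script below is an added illustration, not code from this thread or from nftables: it parses just enough of an IPv4 header (fragment offset) and a TCP header (flags byte, MSS option) to evaluate the rules with the same semantics nft uses, where `tcp flags A / B` means `(flags & B) == A`, `tcp flags ! ...` with every flag listed means no flag bit set, and `tcp option maxseg size 1-535` only applies to SYN packets. The packets it builds are constructed test data (the source address 192.168.1.50 is made up; 192.168.1.103 is the host from the thread), not captured traffic.

```python
"""Evaluate the posted netdev ingress rules against constructed IPv4/TCP packets.
Added illustration, not code from the thread or from nftables."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # the six flags the "no flags" rule lists
XMAS = FIN | PSH | URG                          # mask and value of the "xmas" rule


def parse_ipv4_tcp(pkt: bytes):
    """Return (frag_off, tcp_flags, mss); flags/mss are None when no TCP header is readable."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF   # same mask as 'ip frag-off & 0x1fff'
    proto = pkt[9]
    if proto != 6 or frag_off != 0:
        return frag_off, None, None   # non-first fragments carry no TCP header
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13] & ALL_FLAGS       # ignore ECE/CWR, which the rules do not mention
    mss, opts, i = None, tcp[20:data_off], 0
    while i < len(opts):              # walk TCP options looking for kind 2 (MSS)
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP, one byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return frag_off, flags, mss


# (comment from the posted rule, predicate over (frag_off, flags, mss)), in rule order
RULES = [
    ("Drop IP fragments", lambda fo, fl, mss: fo != 0),
    ("Drop tcp 'xmas' packets", lambda fo, fl, mss: fl is not None and (fl & XMAS) == XMAS),
    ("Drop tcp packets with no flags", lambda fo, fl, mss: fl is not None and fl == 0),
    ("Drop tcp packets with mss <536",
     lambda fo, fl, mss: fl is not None and (fl & SYN) != 0 and mss is not None and 1 <= mss <= 535),
]


def verdict(pkt: bytes):
    """First matching rule's (verdict, comment), else the chain's accept policy."""
    fo, fl, mss = parse_ipv4_tcp(pkt)
    for comment, match in RULES:
        if match(fo, fl, mss):
            return "drop", comment
    return "accept", "policy accept"


def build(flags: int, mss=None, frag_off: int = 0) -> bytes:
    """Construct a minimal IPv4+TCP packet to port 22 (test data, not captured traffic)."""
    opts = b"" if mss is None else struct.pack("!BBH", 2, 4, mss)
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, (tcp_len // 4) << 4, flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag_off, 64, 6, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 103]))
    return ip + tcp


if __name__ == "__main__":
    for label, pkt in [
        ("normal SYN, mss 1460", build(SYN, mss=1460)),
        ("xmas (fin,psh,urg,ack)", build(FIN | PSH | URG | ACK)),
        ("null scan (no flags)", build(0)),
        ("SYN with mss 100", build(SYN, mss=100)),
        ("non-first fragment", build(ACK, frag_off=16)),
    ]:
        print(f"{label}: {verdict(pkt)}")
```

Two details worth noticing: the fragment rule only catches non-first fragments (offset zero with the MF bit set passes), and the xmas rule uses a mask, so a packet carrying ACK on top of FIN/PSH/URG is still dropped.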
Page 2 of 2