
Connection tracking NAT / FIREWALL
Open, Requires assessment, Public, BUG

Description

On 1.1.8 this configuration works:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group network-group FTP-HOSTS network '172.16.1.10/32'
set firewall group network-group SSH-HOSTS network '172.16.1.10/32'
set firewall group network-group WEB-HOSTS network '172.16.1.10/32'
set firewall group port-group FTP-PORTS port '21'
set firewall group port-group SSH-PORTS port '22'
set firewall group port-group SSH-PORTS port '2222'
set firewall group port-group WEB-PORTS port '80'
set firewall group port-group WEB-PORTS port '443'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name IN-ETH0 default-action 'drop'
set firewall name IN-ETH0 rule 10 action 'accept'
set firewall name IN-ETH0 rule 10 description 'ICMP'
set firewall name IN-ETH0 rule 10 protocol 'icmp'
set firewall name IN-ETH0 rule 30 action 'accept'
set firewall name IN-ETH0 rule 30 description 'WWW to WEB-HOSTS'
set firewall name IN-ETH0 rule 30 destination group network-group 'WEB-HOSTS'
set firewall name IN-ETH0 rule 30 destination group port-group 'WEB-PORTS'
set firewall name IN-ETH0 rule 50 action 'accept'
set firewall name IN-ETH0 rule 50 description 'SSH to SSH-HOSTS'
set firewall name IN-ETH0 rule 50 destination group network-group 'SSH-HOSTS'
set firewall name IN-ETH0 rule 50 destination group port-group 'SSH-PORTS'
set firewall name IN-ETH0 rule 70 action 'accept'
set firewall name IN-ETH0 rule 70 description 'FTP to FTP-HOSTS'
set firewall name IN-ETH0 rule 70 destination group network-group 'FTP-HOSTS'
set firewall name IN-ETH0 rule 70 destination group port-group 'FTP-PORTS'
set firewall name IN-ETH0 rule 9999 action 'drop'
set firewall name IN-ETH0 rule 9999 description 'Drop all and log'
set firewall name IN-ETH0 rule 9999 log 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xxx.xxx.xxx.xxx/xx'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in name 'IN-ETH0'
set interfaces ethernet eth0 hw-id '00:0c:29:32:f0:3b'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '172.16.1.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:32:f0:45'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback 'lo'
set nat destination rule 19 description 'nat-server'
set nat destination rule 19 destination address 'xxx.xxx.xxx.xxx'
set nat destination rule 19 destination port '!2222'
set nat destination rule 19 inbound-interface 'eth0'
set nat destination rule 19 protocol 'tcp_udp'
set nat destination rule 19 translation address '172.16.1.10'
set nat source rule 50 description 'nat-test'
set nat source rule 50 outbound-interface 'eth0'
set nat source rule 50 source address '172.16.1.0/24'
set nat source rule 50 translation address 'xxx.xxx.xxx.xxx'
set protocols static route 0.0.0.0/0 next-hop 'xxx.xxx.xxx.xxy'

After upgrading to 1.2.0-rc10, FTP to the server does not work. The server is configured for passive mode with 30000-30100 as the min and max port range.

Adding

set firewall group port-group FTP-PORTS port '30000-30100'

makes it work.

Without firewall rules and using only NAT, the FTP connection works.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.0-rc10
Why the issue appeared?
Will be filled on close

Event Timeline

aopdal created this task. Dec 11 2018, 1:28 PM
Dec 11 16:22:02 nat-router kernel: [IN-ETH0-9999-D] IN=eth0 OUT=eth1 MAC=00:0c:29:32:f0:3b:80:2a:a8:8d:dc:64:08:00 SRC=188.94.220.38 DST=172.16.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=26075 DF PROTO=TCP SPT=22154 DPT=30010 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 11 16:22:05 nat-router kernel: [IN-ETH0-9999-D] IN=eth0 OUT=eth1 MAC=00:0c:29:32:f0:3b:80:2a:a8:8d:dc:64:08:00 SRC=188.94.220.38 DST=172.16.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=26106 DF PROTO=TCP SPT=22154 DPT=30010 WINDOW=65535 RES=0x00 SYN URGP=0

This is the log from the failed connection attempt. Something with the related module for FTP is not working correctly.
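The two log lines above show the symptom: SYNs to port 30010 (inside the passive range) reaching the logging default-drop rule instead of being accepted as RELATED to the control connection. The following shell script is an added example, not part of the bug report, that scans such kernel log lines and reports every dropped SYN into the passive range for the FTP server; it reads log lines from stdin, so on the router it can be fed the syslog file. The sample lines embedded in it are constructed (modelled on the report's lines, with client addresses replaced by documentation-range values), and the passive range, server address and rule tag are the report's values, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not part of the bug report): scan kernel firewall log lines
# for SYN packets to the FTP passive range that the logging default-drop rule
# caught. Hits mean the data connection was not recognised as RELATED, i.e.
# the nf_conntrack_ftp helper was not attached to the control connection.
# Reads log lines from stdin, so it can be fed /var/log/messages on the router.

PASV_MIN="${PASV_MIN:-30000}"                     # passive range from the report
PASV_MAX="${PASV_MAX:-30100}"
FTP_SERVER="${FTP_SERVER:-172.16.1.10}"
DROP_RULE_TAG="${DROP_RULE_TAG:-IN-ETH0-9999-D}"  # log prefix of rule 9999

# Constructed sample modelled on the two lines in the report (client addresses
# replaced with documentation-range values); the third line is an unrelated
# drop (telnet) that must not be reported.
SAMPLE_LOG='Dec 11 16:22:02 nat-router kernel: [IN-ETH0-9999-D] IN=eth0 OUT=eth1 SRC=192.0.2.38 DST=172.16.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=26075 DF PROTO=TCP SPT=22154 DPT=30010 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 11 16:22:05 nat-router kernel: [IN-ETH0-9999-D] IN=eth0 OUT=eth1 SRC=192.0.2.38 DST=172.16.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=26106 DF PROTO=TCP SPT=22154 DPT=30010 WINDOW=65535 RES=0x00 SYN URGP=0
Dec 11 16:23:11 nat-router kernel: [IN-ETH0-9999-D] IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=172.16.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=31210 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0'

# One output line per dropped SYN into the passive range: "<src> <dst> <dport>".
dropped_passive_syns() {
    awk -v min="$PASV_MIN" -v max="$PASV_MAX" -v srv="$FTP_SERVER" -v tag="$DROP_RULE_TAG" '
        index($0, "[" tag "]") && / SYN / {
            src = ""; dst = ""; dport = -1
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DST") dst = kv[2]
                if (kv[1] == "DPT") dport = kv[2] + 0
            }
            if (dst == srv && dport >= min && dport <= max) print src, dst, dport
        }'
}

# Number of distinct client addresses affected, as a quick impact figure.
affected_clients() {
    dropped_passive_syns | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dropped_passive_syns
```

A burst of such hits from one client right after a successful connection to port 21 is the signature of a missing or unattached FTP helper; the same check stays useful after a fix as a regression alarm, since with the helper working the passive range should never appear in the rule 9999 log at all.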

Merijn added a subscriber: Merijn. Dec 11 2018, 4:09 PM

Probable cause is:
https://unix.stackexchange.com/questions/385693/iptables-nf-conntrack-ftp-not-working-under-debian

The automatic helper assignment for the netfilter modules was made optional in kernel 3.5 and later disabled by default because some evil people found a way to abuse it. Now the recommended practice is to declare any required helpers explicitly on ports that need them. – telcoM Jul 16 at 12:13

The solution seems to be that when your rule 70 gets parsed for iptables we have to add:

-j CT --helper ftp

Since during parsing we cannot detect if it is FTP traffic or not, because you can choose whatever port you want, I think the only solution would be to add something like

set firewall name IN-ETH0 rule 70 helper ftp

And parse that to add the required options in iptables. Also for other helper modules being loaded for iptables.

Or just ask everyone to add the passive ports to the firewall. I hadn't noticed this on my test installs of 1.2.0-rcx because I always add the ports to the firewall, but that leaves them open even if it is not FTP traffic, which is a small potential vulnerability.

set firewall name IN-ETH0 rule 70 helper ftp

is a good approach, I think. When everyone uses encrypted FTP the helper can't be used, but for now I have some customers who don't want to find their passive ports. So I must get the helper going ...

A notice about the changed behavior for the upgrade, and it's good, I think.

One fairly simple workaround is to add a couple of lines to /config/scripts/vyatta-postconfig-bootup.script

modprobe nfnetlink_cthelper
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

The workaround using /config/scripts/vyatta-postconfig-bootup.script works nicely. It would probably be more user-friendly if it were configurable in the CLI.

The idea for 'helper ftp' is a bit harder to implement, because it seems it requires iptables -t raw and currently we only have filter and mangle.
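The thread contrasts two fixes: re-enabling automatic helper assignment via the nf_conntrack_helper sysctl (the bootup-script workaround, which re-opens the behaviour the kernel disabled by default), and the explicit `-j CT --helper ftp` assignment in the raw table that the linked answer and the `helper ftp` proposal describe. The script below is an added example in plain iptables, not VyOS code and not a VyOS config, showing the explicit form for the NAT router in this report. My assumptions: control port 21, public interface eth0, the server 172.16.1.10 behind the DNAT rule, and filter chain IN-ETH0; `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not VyOS code): the explicit helper assignment the linked
# answer and the "helper ftp" proposal describe, as plain iptables for the
# NAT router in the report. Assumptions of mine: control port 21, public
# interface eth0, server 172.16.1.10 behind the DNAT rule, filter chain
# IN-ETH0. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"
FTP_SERVER="${FTP_SERVER:-172.16.1.10}"
FTP_PORT="${FTP_PORT:-21}"
WAN_IF="${WAN_IF:-eth0}"
CHAIN="${CHAIN:-IN-ETH0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# State of the automatic helper assignment the bootup-script workaround turns
# on: "1" auto-assigns helpers to every flow on a helper port, "0" requires
# explicit assignment, "absent" when run off a netfilter host.
auto_helper_state() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

ftp_helper_rules() {
    # nf_nat_ftp is needed as well because the server sits behind DNAT: the
    # helper must rewrite the address in the PASV reply, not only track it.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # 1. Bind the helper to new control connections only. The CT target lives
    #    in the raw table, which runs before nat PREROUTING, so the packet still
    #    carries the public address here; match on interface and port, not on
    #    the internal server address.
    run iptables -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    # 2. Accept data connections the helper registered as expectations. The
    #    passive range stays closed to traffic that is not RELATED.
    run iptables -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # 3. Accept the control connection itself (filter runs after DNAT, so the
    #    internal address matches here).
    run iptables -A "$CHAIN" -p tcp -d "$FTP_SERVER" --dport "$FTP_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

ftp_helper_rules
```

The difference from the sysctl workaround is scope: with `nf_conntrack_helper=1`, any flow on port 21 (and every other helper port) gets a helper attached automatically, which is the behaviour the kernel developers turned off; with the raw-table rule, only traffic arriving on the public interface for the FTP control port is parsed by the helper, and the passive range is never opened statically, so the "leaves them open even if it is not FTP traffic" concern from above does not arise. As noted in the thread, the raw table is what VyOS 1.2 lacked at the time, which is why this is written as stand-alone iptables rather than as `set firewall` commands.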

pasik added a subscriber: pasik. May 24 2019, 6:19 AM