[Firehol-support] Broken HTTP traffic with Masquerade

Tsaousis, Costa costa at tsaousis.gr
Sun Dec 27 23:42:29 GMT 2015


Hi Jonny,

Regarding the helper rules:

FTP, IRC etc are protocols that exchange port information between
client and server, so that they cannot be statically assigned.
You cannot know that client port A will communicate with server port B.

The netfilter team designed kernel helpers to track this down.
So, in your firewall you say, I know a client will use FTP, and then a
kernel module inspects the traffic exchanged between the ftp client
and server to find out which ports they are going to use and once
found, it informs netfilter to expect communication on the ports
detected. The packets on these ports will be marked as RELATED. The
FireHOL rules do exactly this. Allow ESTABLISHED and RELATED
communication for services you allow on your firewall.

Then why did IRC, FTP, PPTP, etc appear in your firewall without
asking for them?
Well, the service 'all' did that. If you don't like this, allow
explicitly the services you need, or use the service 'any'.

Keep in mind that for increased security, kernel helper modules have
to be configured as to which side of the communication to trust. You
can say for example, trust for the local lan, or trust the ftp server.
To do this in firehol you have to use the cthelper configuration
command and set FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual". If you
don't use the cthelper command, your kernel will trust either side.

More about the security of conntrack helpers can be found here:
https://home.regit.org/netfilter-en/secure-use-of-helpers/


About the HTTP problem you face:

My guess is that your TCP MSS is not the same with your LAN. You can
to add this at the top of firehol.conf:

tcpmss auto ppp+

The above will instruct your linux router to scale TCP MSS to whatever
is appropriate for your ppp devices.

Keep also in mind that:

1. FireHOL always logs packets it (indirectly) drops. If your HTTP
problem is not TCP MSS related, you should have logs of packets being
dropped.
2. You can use the explain feature of firehol to get better insights
of the generated rules. Run 'firehol explain' and then enter
configuration statements, like you do in your config.

Welcome to FireHOL!

Costa

On Mon, Dec 28, 2015 at 1:03 AM, Jonny <jonnyt886 at gmail.com> wrote:
> Hi there,
>
> I have been using an iptables firewall for some time. In the past I've
> hand-written scripts to configure the firewall, and this has worked well.
> Having come across FireHOL, I am keen to give it a go and benefit from its
> simpler configuration and greater security.
>
> My setup is simple: a single Ubuntu machine with two interfaces, eth0
> (pointing inwards to the LAN) and ppp0 (pointing outward to the internet).
> 10.10.0.0/26 is the LAN subnet.
>
> My configuration is pasted at the bottom of this email. When running
> FireHOL I am seeing two problems:
>
> 1. Spurious rules
> If I run `iptables-save|less` to look at the rules that firehol has
> generated, I see rules there which I didn't include in my config file:
>
> -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper irc -j ACCEPT
> -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper pptp -j ACCEPT
> -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper ftp -j ACCEPT
> <snip>
> -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper irc -j ACCEPT
> -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper pptp -j ACCEPT
> -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper ftp -j ACCEPT
> <snip>
> -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper irc -j ACCEPT
> -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper pptp -j ACCEPT
> -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper ftp -j ACCEPT
> <snip>
> -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper irc -j ACCEPT
> -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper pptp -j ACCEPT
> -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> --helper ftp -j ACCEPT
>
> I do run PPTP, IRC or FTP services, yet FireHOL has added ACCEPT rules to
> my firewall without my configuring these! I'm rather concerned that this is
> happening without the user being informed.
>
> I managed to track this down to line 1882 in the firehol.in script (as of
> firehol 3.0), where the "helper_all" variable is defined, containing 5
> services. If I clear this variable out then these spurious rules don't get
> generated.
>
> 2. HTTP broken
> This is more serious as I've not come up with a workaround.
>
> When running FireHOL, I can ping machines out on the internet, my DNS
> lookups work. But machines behind the NAT cannot consistently access
> HTTP[s] pages; going to Google and typing search terms in renders results
> as expected, but more complex sites (e.g. http://www.bbc.co.uk/news or even
> http://firehol.org/) fail to work - the connection hangs. In syslog FireHOL
> gives me no useful information to begin to diagnose.
>
> I've tried commenting out both the 'protection' lines below and re-testing,
> to no effect.
>
> Restoring my old hand-cranked iptables script immediately fixes the
> problem, so FireHOL's rules are clearly the problem.
>
> I'd be very grateful for your help - I am keen to use FireHOL but this is
> clearly a showstopper for me. I'm using Firehol 3.0.0, downloaded from the
> website today.
>
> My configuration is below.
>
> --
> Jonny
>
> --
>
> version 6
>
> ipv4 masquerade ppp0
>
> ipv4 interface eth0 lan
>         policy accept # everything
>
> ipv4 interface ppp0 internet
>         protection bad-packets
>         client all accept
>
> # rule of thumb: define router blocks as *going towards
> #  the hosts you want to protect*
> ipv4 router internet2lan inface ppp0 outface eth0
>         protection bad-packets
>         client all accept
>
>         server ssh accept dst 10.10.0.3
>         server openvpn accept dst 10.10.0.1
>
> #ipv4 router lan2internet inface eth0 outface ppp0
> #       #route all accept
> #       client all accept
> #       policy reject
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
> http://lists.firehol.org/mailman/listinfo/firehol-support



More information about the Firehol-support mailing list