[Firehol-support] Broken HTTP traffic with Masquerade

Jonny jonnyt886 at gmail.com
Mon Jan 4 11:41:16 GMT 2016


Many thanks Costa - that's fixed it. I see my old script did in fact have
a TCP MSS setting in there too, which I clearly missed!

Happy New Year


--
Jonny Tyers

On 27 December 2015 at 23:42, Tsaousis, Costa <costa at tsaousis.gr> wrote:

> Hi Jonny,
>
> Regarding the helper rules:
>
> FTP, IRC etc are protocols that exchange port information between
> client and server, so that they cannot be statically assigned.
> You cannot know that client port A will communicate with server port B.
>
> The netfilter team designed kernel helpers to track this down.
> So, in your firewall you say, I know a client will use FTP, and then a
> kernel module inspects the traffic exchanged between the ftp client
> and server to find out which ports they are going to use and once
> found, it informs netfilter to expect communication on the ports
> detected. The packets on these ports will be marked as RELATED. The
> FireHOL rules do exactly this. Allow ESTABLISHED and RELATED
> communication for services you allow on your firewall.
>
> Then why did IRC, FTP, PPTP, etc appear in your firewall without
> asking for them?
> Well, the service 'all' did that. If you don't like this, allow
> explicitly the services you need, or use the service 'any'.
>
> Keep in mind that for increased security, kernel helper modules have
> to be configured as to which side of the communication to trust. You
> can say for example, trust for the local lan, or trust the ftp server.
> To do this in firehol you have to use the cthelper configuration
> command and set FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT="manual". If you
> don't use the cthelper command, your kernel will trust either side.
>
> More about the security of conntrack helpers can be found here:
> https://home.regit.org/netfilter-en/secure-use-of-helpers/
>
>
> About the HTTP problem you face:
>
> My guess is that your TCP MSS is not the same as your LAN's. You can
> add this at the top of firehol.conf:
>
> tcpmss auto ppp+
>
> The above will instruct your linux router to scale TCP MSS to whatever
> is appropriate for your ppp devices.
>
> Keep also in mind that:
>
> 1. FireHOL always logs packets it (indirectly) drops. If your HTTP
> problem is not TCP MSS related, you should have logs of packets being
> dropped.
> 2. You can use the explain feature of firehol to get better insights
> of the generated rules. Run 'firehol explain' and then enter
> configuration statements, like you do in your config.
>
> Welcome to FireHOL!
>
> Costa
>
> On Mon, Dec 28, 2015 at 1:03 AM, Jonny <jonnyt886 at gmail.com> wrote:
> > Hi there,
> >
> > I have been using an iptables firewall for some time. In the past I've
> > hand-written scripts to configure the firewall, and this has worked well.
> > Having come across FireHOL, I am keen to give it a go and benefit from its
> > simpler configuration and greater security.
> >
> > My setup is simple: a single Ubuntu machine with two interfaces, eth0
> > (pointing inwards to the LAN) and ppp0 (pointing outward to the internet).
> > 10.10.0.0/26 is the LAN subnet.
> >
> > My configuration is pasted at the bottom of this email. When running
> > FireHOL I am seeing two problems:
> >
> > 1. Spurious rules
> > If I run `iptables-save|less` to look at the rules that firehol has
> > generated, I see rules there which I didn't include in my config file:
> >
> > -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper irc -j ACCEPT
> > -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper pptp -j ACCEPT
> > -A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper ftp -j ACCEPT
> > <snip>
> > -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper irc -j ACCEPT
> > -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper pptp -j ACCEPT
> > -A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper ftp -j ACCEPT
> > <snip>
> > -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper irc -j ACCEPT
> > -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper pptp -j ACCEPT
> > -A out_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper ftp -j ACCEPT
> > <snip>
> > -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper irc -j ACCEPT
> > -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper pptp -j ACCEPT
> > -A out_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper
> > --helper ftp -j ACCEPT
> >
> > I do run PPTP, IRC or FTP services, yet FireHOL has added ACCEPT rules to
> > my firewall without my configuring these! I'm rather concerned that this is
> > happening without the user being informed.
> >
> > I managed to track this down to line 1882 in the firehol.in script (as of
> > firehol 3.0), where the "helper_all" variable is defined, containing 5
> > services. If I clear this variable out then these spurious rules don't get
> > generated.
> >
> > 2. HTTP broken
> > This is more serious as I've not come up with a workaround.
> >
> > When running FireHOL, I can ping machines out on the internet, my DNS
> > lookups work. But machines behind the NAT cannot consistently access
> > HTTP[s] pages; going to Google and typing search terms in renders results
> > as expected, but more complex sites (e.g. http://www.bbc.co.uk/news or even
> > http://firehol.org/) fail to work - the connection hangs. In syslog FireHOL
> > gives me no useful information to begin to diagnose.
> >
> > I've tried commenting out both the 'protection' lines below and re-testing,
> > to no effect.
> >
> > Restoring my old hand-cranked iptables script immediately fixes the
> > problem, so FireHOL's rules are clearly the problem.
> >
> > I'd be very grateful for your help - I am keen to use FireHOL but this is
> > clearly a showstopper for me. I'm using Firehol 3.0.0, downloaded from the
> > website today.
> >
> > My configuration is below.
> >
> > --
> > Jonny
> >
> > --
> >
> > version 6
> >
> > ipv4 masquerade ppp0
> >
> > ipv4 interface eth0 lan
> >         policy accept # everything
> >
> > ipv4 interface ppp0 internet
> >         protection bad-packets
> >         client all accept
> >
> > # rule of thumb: define router blocks as *going towards
> > #  the hosts you want to protect*
> > ipv4 router internet2lan inface ppp0 outface eth0
> >         protection bad-packets
> >         client all accept
> >
> >         server ssh accept dst 10.10.0.3
> >         server openvpn accept dst 10.10.0.1
> >
> > #ipv4 router lan2internet inface eth0 outface ppp0
> > #       #route all accept
> > #       client all accept
> > #       policy reject
>
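As an added example (not code from this thread or from FireHOL itself): a small Python audit that parses `iptables-save` output and reports, per chain, which conntrack helpers are accepted, flags helpers outside an allowlist, and checks whether a TCP MSS clamp exists on the PPP side, which is the check behind both points Costa raises above. The sample rules are constructed from the lines quoted in the thread plus one clamp rule; the regexes, function names and the `{"ftp"}` allowlist are this example's own assumptions.

```python
import re

# Constructed sample modelled on the iptables-save lines quoted in the thread,
# plus one TCPMSS clamp rule of the kind "tcpmss auto ppp+" is meant to add.
# It is not a capture from the poster's router.
SAMPLE_RULES = """\
*filter
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper irc -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper pptp -j ACCEPT
-A in_internet -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A in_internet2lan -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper ftp -j ACCEPT
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
"""

# "-A <chain> ... -m helper --helper <name> ... -j ACCEPT"
HELPER_RE = re.compile(r"^-A (\S+) .*-m helper --helper (\S+) .*-j ACCEPT$")
# "-A <chain> ... -o <iface> ... -j TCPMSS --clamp-mss-to-pmtu"
CLAMP_RE = re.compile(r"^-A \S+ .*-o (\S+) .*-j TCPMSS --clamp-mss-to-pmtu$")


def helper_accepts(rules):
    """Map each chain to the set of conntrack helpers whose RELATED traffic it accepts."""
    found = {}
    for line in rules.splitlines():
        m = HELPER_RE.match(line)
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found


def unexpected_helpers(rules, allowed):
    """(chain, helper) pairs that accept a helper not in the allowlist, e.g. a
    router that only needs ftp but also trusts irc and pptp via 'client all'."""
    return sorted((chain, h)
                  for chain, helpers in helper_accepts(rules).items()
                  for h in helpers if h not in allowed)


def has_mss_clamp(rules, iface_prefix="ppp"):
    """True if any rule clamps TCP MSS to PMTU on an interface with the prefix;
    its absence is the usual cause of hanging HTTP behind a PPP masquerade."""
    for line in rules.splitlines():
        m = CLAMP_RE.match(line)
        if m and m.group(1).startswith(iface_prefix):
            return True
    return False


if __name__ == "__main__":
    print("helpers per chain:", helper_accepts(SAMPLE_RULES))
    print("unexpected:", unexpected_helpers(SAMPLE_RULES, {"ftp"}))
    print("MSS clamp on ppp:", has_mss_clamp(SAMPLE_RULES))
```

On a live router, feed it the real output with `iptables-save` piped into `SAMPLE_RULES`'s place, and extend the allowlist to whatever `cthelper` rules you configured deliberately.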