Ports are opened after upgrade
kjetil at kjernsmo.net
Wed Apr 22 13:31:15 BST 2020
Last night, I decided to upgrade my box from Debian Stretch, which had version
3.1.1+ds-1, to Debian Buster with 3.1.6+ds-8. I ran into several problems.
Currently, all ports look open, which is scary, but the routing appears to
work, so there are no services that shouldn't be exposed that are.
The first problem was that the iptables package was upgraded after firehol, and so
there was an install.config file that pointed at iptables-legacy (and friends),
that then didn't yet exist. I first changed that to point at iptables, before
I discovered that the iptables package was upgraded and did have the legacy
scripts, so I changed it back.
On startup, I see
root at kanga:~# systemctl status firehol
● firehol.service - Firehol stateful packet filtering firewall for humans
Loaded: loaded (/lib/systemd/system/firehol.service; enabled; vendor
Active: active (exited) since Wed 2020-04-22 13:45:56 CEST; 37min ago
Process: 19825 ExecStart=/usr/sbin/firehol start (code=exited, status=0/
Main PID: 19825 (code=exited, status=0/SUCCESS)
Apr 22 13:45:45 kanga systemd: Starting Firehol stateful packet filtering
firewall for humans...
Apr 22 13:45:46 kanga firehol: FireHOL: Saving active firewall to a
temporary file... OK
Apr 22 13:45:46 kanga firehol: FireHOL: Processing file '/etc/firehol/
Apr 22 13:45:46 kanga firehol: WARNING 2@/etc/firehol/firehol.conf:
version:: Running version 5 config. Update configu
Apr 22 13:45:55 kanga firehol: OK (1413 iptables rules)
Apr 22 13:45:56 kanga firehol: FireHOL: Fast activating new firewall...
Apr 22 13:45:56 kanga firehol: FireHOL: Saving activated firewall to '/
Apr 22 13:45:56 kanga systemd: Started Firehol stateful packet filtering
firewall for humans.
I have been running a version 5 config, and left IPv6 on my TODO list. The
full config is a bit long, but I have stuff like
dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 25
dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 143
dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 993
[... some port definitions ... ]

interface "eth0 tun_uio" internet # 172.22.0.0/24
    client all accept
    server ssh accept
    server ping accept
    server http accept
    server openvpn accept
    server https accept

router lan2internet inface eth1 outface "eth0 tun_uio"
    route all accept

router evpn2internet inface tun_ext outface "eth0 tun_uio"
    route all accept

router wifi2internet inface eth2 outface "eth0 tun_uio"
    route all accept

router internet2dmz inface "eth0 tun_uio" outface eth3
    route smtp accept
    route imap accept
    route https accept
    route imaps accept
    route ident reject with tcp-reset
[... etc ...]
When I nmap from the outside, it appears that all ports are open. nmapping on
the box itself against its external IP or localhost seems fine though.
I understand that the kernel now is encouraging nftables as a replacement of
iptables, but I don't understand how the legacy applies, if that is a Debian-
specific thing, and if that has something to do with it. I've tried both.
I have also tried to put in ipv4 before the dnat statements, interface4 and
router4, but it didn't seem to make a difference for the problem.
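An added diagnostic, not part of the original post or of the FireHOL project: on Buster the iptables package provides two backends, iptables-legacy and iptables-nft, and rules loaded through one backend are not visible through the other. The script below reports which backend the plain iptables command resolves to and counts the rules present in each backend, so that a firewall that reports "active (exited)" can be checked for a rule set living in the wrong backend or not being loaded at all. The helper names (classify_backend, count_rules, rule_location, report) are this script's own; the commands it invokes (iptables -V, iptables-legacy -S, iptables-nft -S) are the standard ones, and reading rules needs root.

```sh
#!/bin/sh
# Added diagnostic, not from the original post or the FireHOL project.
# Reports which iptables backend is in use and whether the rule set is
# split between iptables-legacy and iptables-nft after an upgrade.

# Classify an `iptables -V` line, e.g. "iptables v1.8.2 (nf_tables)"
# or "iptables v1.8.2 (legacy)". Older releases print no backend at all.
classify_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count "-A ..." rule lines in an `iptables -S` style listing read from stdin.
# grep -c exits 1 when the count is 0, so the failure is swallowed deliberately.
count_rules() {
    n=$(grep -c '^-A ' || true)
    echo "${n:-0}"
}

# Given the rule counts found in the legacy and nf_tables backends, say
# where the active rule set lives. "split" means both backends hold rules
# and the kernel evaluates both, which is the confusing case after an
# upgrade; "none" means no rules at all, so only chain policies apply.
rule_location() {
    legacy=$1
    nft=$2
    if [ "$legacy" -gt 0 ] && [ "$nft" -gt 0 ]; then
        echo split
    elif [ "$legacy" -gt 0 ]; then
        echo legacy-only
    elif [ "$nft" -gt 0 ]; then
        echo nf_tables-only
    else
        echo none
    fi
}

# Live report. Every external call is guarded so the script degrades to
# "skipping" rather than failing when a tool is missing or we are not root.
report() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables resolves to: $(classify_backend "$(iptables -V 2>/dev/null)")"
    else
        echo "iptables not found in PATH"
    fi
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        l=$( { iptables-legacy -S 2>/dev/null || true; } | count_rules)
        n=$( { iptables-nft -S 2>/dev/null || true; } | count_rules)
        echo "legacy rules: $l  nf_tables rules: $n  -> $(rule_location "$l" "$n")"
    else
        echo "iptables-legacy / iptables-nft not both installed; skipping rule comparison"
    fi
}

report
```

Run it as root on the upgraded box; a "split" or "none" result explains an active-looking firewall that does not filter, and the backend line should match the iptables binary that install.config points FireHOL at.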
It has been a while since I actually nmapped my network from the outside, so
there is a scary possibility that it has been like that for a while. It is
just my home network, so it is nothing big and important, but it is important
to me and my family. I'm quite sure this is a new problem though.
I'm at a loss about what should be my next step though, ideas very much
More information about the Firehol-support