Ports are opened after upgrade

Kjetil Kjernsmo kjetil at kjernsmo.net
Wed Apr 22 13:31:15 BST 2020


Hi all!

Last night, I decided to upgrade my box from Debian Stretch, that had version 
3.1.1+ds-1 to Debian Buster with 3.1.6+ds-8. I ran into several problems. 
Currently, all ports look open, which is scary, but the routing appears to 
work, so there are no services that shouldn't be exposed that are.

The first problem was that iptables package was upgraded after firehol, and so, 
there was a install.config file that pointed at iptables-legacy (and friends), 
that then didn't yet exist. I first changed that to point at iptables, before 
I discovered that the iptables package was upgraded and did have the legacy 
scripts, so I changed it back.

On startup, I see 
root at kanga:~# systemctl status firehol
‚óŹ firehol.service - Firehol stateful packet filtering firewall for humans
   Loaded: loaded (/lib/systemd/system/firehol.service; enabled; vendor 
preset: enabled)
   Active: active (exited) since Wed 2020-04-22 13:45:56 CEST; 37min ago
     Docs: man:firehol(1)
           man:firehol.conf(5)
  Process: 19825 ExecStart=/usr/sbin/firehol start (code=exited, status=0/
SUCCESS)
 Main PID: 19825 (code=exited, status=0/SUCCESS)

Apr 22 13:45:45 kanga systemd[1]: Starting Firehol stateful packet filtering 
firewall for humans...
Apr 22 13:45:46 kanga firehol[19825]: FireHOL: Saving active firewall to a 
temporary file...  OK
Apr 22 13:45:46 kanga firehol[19825]: FireHOL: Processing file '/etc/firehol/
firehol.conf'...
Apr 22 13:45:46 kanga firehol[19825]: WARNING 2@/etc/firehol/firehol.conf: 
version::  Running version 5 config. Update configu
Apr 22 13:45:55 kanga firehol[19825]:  OK  (1413 iptables rules)
Apr 22 13:45:56 kanga firehol[19825]: FireHOL: Fast activating new firewall...  
OK
Apr 22 13:45:56 kanga firehol[19825]: FireHOL: Saving activated firewall to '/
var/spool/firehol'...  OK
Apr 22 13:45:56 kanga systemd[1]: Started Firehol stateful packet filtering 
firewall for humans.


I have been running a version 5 config, and left IPv6 on my TODO list. The 
full config is a bit long, but I have stuff like 


version 5

dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 25
dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 143
dnat to 172.22.192.2 inface "eth0 tun_uio" proto tcp dport 993

[... some port definitions ... ]

interface "eth0 tun_uio" internet # 172.22.0.0/24
	  policy drop
	  protection strong
	  client all accept
	  server ssh accept
	  server ping accept
	  server http accept
 	  server openvpn accept
	  server https accept


router lan2internet inface eth1 outface "eth0 tun_uio"
       masquerade	    
       route all  accept

router evpn2internet inface tun_ext outface "eth0 tun_uio"
       masquerade	    
       route all  accept

router wifi2internet inface eth2 outface "eth0 tun_uio"
       masquerade	    
       route all accept
       protection all-floods 

router internet2dmz inface "eth0 tun_uio" outface eth3
       route smtp accept
       route imap accept
       route https accept
       route imaps accept
       route ident reject with tcp-reset
       protection strong

[... etc ...]

When I nmap from the outside, it appears that all ports are open. nmapping on 
the box itself against its external IP or localhost seems fine though.

I understand that the kernel now is encouraging nftables as a replacement of 
iptables, but I don't understand how the legacy applies, if that is a Debian-
specific thing, and if that has something to do with it. I've tried both. 

I have also tried to put in ipv4 before the dnat statements, interface4 and 
router4, but it didn't seem to make a difference for the problem.

It has been a while since I actually nmapped my network from the outside, so 
there is a scary possibility that it has been like that for a while. It is 
just my home network, so it is nothing big and important, but it is important 
to me and my family. I'm quite sure this is a new problem though. 

I'm at loss about what should be my next step though, ideas very much
appreciated!
Kjetil




More information about the Firehol-support mailing list