Problem with firewall (not stateful?)

alex8787
Posts: 4
Joined: Fri May 04, 2012 2:52 am

Problem with firewall (not stateful?)

Post by alex8787 »

I've set up my 7800N and it is connecting to the internet OK, but I'm having some trouble configuring a simple firewall. I'm using firmware 1.06e(UK).

After some 'forward' rules for certain sites and ports that I want to allow, I have a 'drop' rule that blocks incoming packets from everywhere else. The trouble is that when I try to connect to a website, this 'drop' rule blocks the communication and I can't receive the web page.

I understand that this is not meant to happen because the firewall should be 'stateful' and allow incoming packets that are part of a 'conversation' initiated by my machine. But this firewall seems to drop any incoming packets regardless of state.

I am definitely connected to the internet, and DNS is working fine, so that isn't the problem. If I type 'host http://www.google.com' from the command line, then it returns a list of IP addresses as it should ('host' being the Linux way of asking for DNS). And if I delete the drop rule, then the problem goes away, and I can browse the internet without any problem.

If I add logging to the drop rule, then when I try to access a webpage I get entries like this:

Code:

  May 04 02:51:15   home user.info kernel: PacketFilter: Drop TCP packet from [ppp_0_0_38_1] 74.125.132.94:80 to 192.168.0.50:33424 
  May 04 02:51:19   home user.info kernel: PacketFilter: Drop TCP packet from [ppp_0_0_38_1] 74.125.132.94:80 to 192.168.0.50:33424 
  May 04 02:51:19   home user.info kernel: PacketFilter: Drop TCP packet from [ppp_0_0_38_1] 74.125.132.94:80 to 192.168.0.50:33424 
  May 04 02:51:21   home user.info kernel: PacketFilter: Drop TCP packet from [ppp_0_0_38_1] 173.194.34.128:443 to 192.168.0.50:41476 
I've attached a picture below of a simple version of my firewall setup without any forward rules: just the problematic drop rule, followed by the compulsory Default rule.


Thanks in advance for any help.
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Problem with firewall (not stateful?)

Post by billion_fan »

There is no need to add a rule to block all incoming connections; this is on by default.

You can test this using ShieldsUP.
alex8787
Posts: 4
Joined: Fri May 04, 2012 2:52 am

Re: Problem with firewall (not stateful?)

Post by alex8787 »

Thank you for your reply. The firewall works slightly differently from how I expected, in that it applies to stateful packets (those matching a known active connection that was initiated locally), as well as packets from new connections.

As far as I can tell, the way to get the router to accept new connections is to set up a suitable entry in the Virtual Server section, after which the packet is passed down the firewall. That means that the firewall then applies to both stateful and new packets.

So now my question is how do you
(i) Allow any stateful packet through, and
(ii) Allow new ssh connections from a range of external IP addresses. E.g., from 100.120.140.1 - 100.120.140.255 and from 200.120.140.1 - 200.120.140.255

The long way to achieve (i) and (ii) is to have an empty firewall, and set up 255*2=510 individual Port Mapping rules. (As far as I can see, port mapping doesn't work with an IP range.)

Another way would be to make your computer a DMZ. But then you'd have to block out all other IP addresses and ports in the firewall. You could do this, but this would have the undesirable side-effect of blocking stateful packets.

I think I must be missing something, since I guess this is quite a normal thing to want to do.
(I wonder if there is some really detailed documentation somewhere about exactly what happens to a packet when it arrives at the WAN side of the router. The user manual leaves too many questions unanswered.)

Thanks again.
alex8787
Posts: 4
Joined: Fri May 04, 2012 2:52 am

Re: Problem with firewall (not stateful?)

Post by alex8787 »

I think maybe my last question was too wordy.

The quick version is: how do you set up a firewall to allow a range of IP addresses to ssh into your computer, while still allowing normal web browsing etc.?

Thanks in advance for any answer.
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Problem with firewall (not stateful?)

Post by billion_fan »

I'll run some tests on Monday morning (need access to another external IP), and post some screen shots for examples.
billion_fan
Posts: 5398
Joined: Tue Jul 19, 2011 4:30 pm

Re: Problem with firewall (not stateful?)

Post by billion_fan »

Hi

I have attached my setup (for my example I was using VNC)

Please see the attached screen captures

1. Delete all other rules from the firewall packet filtering section (this is to ensure you have internet access for normal browsing)
1a. Add a virtual server rule pointing to your internal IP and selecting your SSH port
2. Add a rule to allow SSH port as incoming with your internal, and add the external IP address you want to allow (Firewall >> packet filtering)
3. Make sure you add port 22 to the internal port
4. Add another rule to block ssh connections as shown in screen shot 02 (drop incoming), add the port to the internal port section, and also add your internal IP
5. Very important to make sure the drop rule is below the allowed rule as shown in the screen shots.

That should be it; now you have limited SSH connections via external IPs, and the internal IP should also have access to the internet for normal web browsing.

I hope this helps :D
alex8787
Posts: 4
Joined: Fri May 04, 2012 2:52 am

Re: Problem with firewall (not stateful?)

Post by alex8787 »

Thank you very much for spending time making your detailed reply. I've tried what you said and it works!

I was curious about a couple of things:

(1) The port mapping page says "Port ranges forwarded internally will be the same as Externally." and forces the external port range to 22-22. I don't understand why it makes this restriction, and I would have expected it not to work since the remote computer can connect from any port. In reality it does all work, so that's great, it's just that I don't understand why!

(2) I suppose this method only works if your computer never chooses port 22 to connect out with, otherwise the return packets will be blocked. In your case, I guess you need your computer never to use a port from 5800-5900 to connect out on (I think this is called an ephemeral port). So in general I suppose we need to make sure that the port we use for a virtual server is not in the range of ephemeral ports that our OS uses (?). (This is different from how my last router/firewall worked, which didn't have a separate virtual server configuration and didn't send response packets down the firewall.)
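The behaviour described in billion_fan's five steps and in point (2) above, modelled as an added example (this is not the router's code or anything from the thread's authors): a first-match rule list as the 7800N applies it, fed one of the logged packets from the first post, an SSH packet from alex8787's two ranges, and a return packet that lands on local port 22. It assumes the compulsory Default rule accepts whatever the listed rules do not match, and that the ranges 100.120.140.1-255 and 200.120.140.1-255 are expressed as /24 networks.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Rule = (action, source network or None for any, destination port or None for any).
# Mirrors the 7800N packet-filter list from the thread: rules are tried top to
# bottom, the first match wins, and anything unmatched reaches the Default rule,
# assumed here to accept. Return packets of locally started connections go through
# this same list, which is why a catch-all drop broke the original poster's browsing.
def first_match(rules, pkt):
    for action, src_net, dst_port in rules:
        if src_net is not None and ipaddress.ip_address(pkt.src_ip) not in src_net:
            continue
        if dst_port is not None and pkt.dst_port != dst_port:
            continue
        return action
    return "accept"


def ssh_rules(allowed_nets, ssh_port=22, correct_order=True):
    """Steps 2-5 of the recipe: allow SSH from each range, then drop all other SSH."""
    allow = [("accept", ipaddress.ip_network(n), ssh_port) for n in allowed_nets]
    drop = [("drop", None, ssh_port)]
    return allow + drop if correct_order else drop + allow   # step 5: order matters


def parse_drop_log(line):
    """Turn one 'PacketFilter: Drop TCP packet from [...] A:p to B:q' log line into a Packet."""
    m = re.search(r"from \[\S+\] (\S+):(\d+) to (\S+):(\d+)", line)
    return Packet(m[1], int(m[2]), m[3], int(m[4])) if m else None


# Constructed sample input: the first log line from the thread and the two ranges asked about.
LOG_LINE = ("May 04 02:51:15 home user.info kernel: PacketFilter: Drop TCP packet "
            "from [ppp_0_0_38_1] 74.125.132.94:80 to 192.168.0.50:33424")
DROP_ALL = [("drop", None, None)]                       # the original poster's rule
RANGES = ["100.120.140.0/24", "200.120.140.0/24"]

if __name__ == "__main__":
    web_reply = parse_drop_log(LOG_LINE)
    print("web reply, drop-all rule:", first_match(DROP_ALL, web_reply))
    print("web reply, ssh rules   :", first_match(ssh_rules(RANGES), web_reply))
    ssh_in = Packet("100.120.140.17", 51000, "192.168.0.50", 22)
    print("ssh from range, allow above drop:", first_match(ssh_rules(RANGES), ssh_in))
    print("ssh from range, drop above allow:", first_match(ssh_rules(RANGES, correct_order=False), ssh_in))
    # Point (2): a reply to a connection the PC opened from local source port 22 is dropped.
    print("reply to local port 22:", first_match(ssh_rules(RANGES), Packet("74.125.132.94", 80, "192.168.0.50", 22)))
```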
geektopia
Posts: 1
Joined: Mon May 28, 2012 6:10 am

Re: Problem with firewall (not stateful?)

Post by geektopia »

Thanks billion_fan, your detailed post fixed my similar issue.

I had previously been able to create a working SSH port forward from a specific external address but my previous block rule still allowed traffic from other addresses.

Following your detailed post showed the slight difference that made all the difference, cheers! :D