OpenWRT abets holes in firewall

Aus NOBAQ
Version vom 26. April 2012, 23:37 Uhr von Niki (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „Today I came across a catastrophic hole in my firewall (OpenWRT): I found out, that some external systems in my DMZ (which are not NATed!) have access to internal…“)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Zur Navigation springenZur Suche springen

Today I came across a catastrophic hole in my firewall (OpenWRT): I found out, that some external systems in my DMZ (which are not NATed!) have access to internal servers to which they should not have.

After some research, I found the following entries:

# iptables -n -v -L zone_wan_forward
   0     0 ACCEPT     tcp  --  *      *       221.187.78.146       192.168.200.121
   0     0 ACCEPT     tcp  --  *      *       157.82.13.70         192.168.200.121
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.116
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.200.1
   1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.200.121

Clearly, this should not happen, since they effectively let all packets from WAN to the internal servers (e.g. 192.168.200.121) through! Thanks to NAT, this did not pose a threat from the internet. However, should a server in the DMZ be compromised, this would be a desaster.

Some time later, I found the reason: the redirect entries from /etc/config/firewall, like:

config 'redirect'
       option 'src' 'wan'
       option '_name' 'donkey1'
       option 'proto' 'tcpudp'
       option 'dest_ip' '192.168.200.116'
       option 'src_dport' '1214'

This lets OpenWRT write the DNAT rules correctly but additionally creates an ordinary mangle entry. Since the destination port is missing, the malicious wildcard rules are creates. The correct entry therefore is:

config 'redirect'
       option 'src' 'wan'
       option '_name' 'donkey1'
       option 'proto' 'tcpudp'
       option 'dest_ip' '192.168.200.116'
       option 'src_dport' '1214'
       option 'dest_port' '1214'

Using luci, always explicitely pass the destination port although it says that it is optional!!!