Adamm firewall - proper config

[perkins1724]

I'm hoping for some assistance with the proper config of the Adamm firewall for my specific home setup.

I have installed and run for a couple of days and just let it do its default out-of-the-box thing (no other setup than install / run). But after a couple of days it is clear I need to do some better setup. Using the Alien Vault pages I can see it has autobanned some nasties. But I am also blocking IP's that Alien Vault have placed on their whitelist and am blocking a bunch of stuff that seems to have stopped my email working.

So onto some specific questions:
1) Is it possible to download the Alien Vault whitelist and import that straight into Adamm firewall as setup shortcut starting point?
2) Are there some settings that I can add at the start to allow my isp email or is it best to just keep reviewing adamm firewall status and check / unblock / unban as appropriate?
3)a) I have a small number of websites that I host via ports 80 and 443, so unfortunately pretty much anything goes on those two. What config changes do I need to make to allow them to still work?
3)b) It would be nice if google/bing/search engines would come and index my websites so that one day they just might actually show in a search result. Any recommended changes to ensure access for the "good" (cough cough) searchbots?
4) I run Plex Media Server so port 32400 was my number one most attacked port. What settings should I make to keep Plex running?
5) I am in the process of setting up openvpn connections for my mobile devices for when I am away from home (in lieu of opening a port for ssh connections to my home machines). Any recommended settings so that openvpn remains permitted?
6) Plex, Openvpn, etc tend to have default port (32400, 1194, etc). Would it be considered good practice to push them onto something non-standard (and therefore doing that now before I setup the adamm firewall) or is running non-standard ports just making life hard for myself?
7) Is the answer to questions 2 though 6 to just "sh /jffs/scripts/firewall whitelist port 80|443|465|587|993|1194|32400"? Or is that overkill and dangerous?

A lot of questions, but if anyone has even just a few quick pointers / tips they would be greatly appreciated.

 

[Adamm]

Alien Vault have placed on their whitelist

Whats the link to said whitelist you are referring to? Please also note that the banmalware feature in particular gets its IP lists from a number of providers.

blocking a bunch of stuff that seems to have stopped my email working

The easiest way to find IP's being blocked that particular applications/services may need is to refer to the following guide and whitelist them accordingly.

I have a small number of websites that I host via ports 80 and 443, so unfortunately pretty much anything goes on those two.

Are you implying that all traffic to these websites are being autobanned? If so please post me a log snippet.

Any recommended changes to ensure access for the "good" (cough cough) searchbots?

I have't tested this myself, but it is possible that spiders could get flagged by the routers SPI firewall for having an invalid connection state (which would be the case regardless of the script or not). Its also hard to say if any spiders appear on any of the blacklists imported. That being said if you found a IP list of spiders (and know they are being blocked in general) you could import it to the whitelist to bypass this measure.

I run Plex Media Server so port 32400 was my number one most attacked port. What settings should I make to keep Plex running?

I think the real question is, is legitimate traffic being banned, or just bots who are scanning for open ports to attack?

I am in the process of setting up openvpn connections for my mobile devices for when I am away from home (in lieu of opening a port for ssh connections to my home machines). Any recommended settings so that openvpn remains permitted?

As above, you would need to test if legitimate traffic is being blocked before implementing a potential solution

Plex, Openvpn, etc tend to have default port (32400, 1194, etc). Would it be considered good practice to push them onto something non-standard (and therefore doing that now before I setup the adamm firewall) or is running non-standard ports just making life hard for myself?

Default ports will have the same affect as non standard ports so this won't make any difference.

Is the answer to questions 2 though 6 to just "sh /jffs/scripts/firewall whitelist port 80|443|465|587|993|1194|32400"? Or is that overkill and dangerous?

This command simply whitelists all traffic autobanned on these ports, I don't think its an appropriate solution in this case as you're bound to whitelist non legitimate traffic which was scanning on these ports. Once you provide the information above we can work out a potential solution (I have one in mind but will wait for log snippets to make sure its accurate)

 

[perkins1724]

Whats the link to said whitelist you are referring to?

This was one of the IP's that was blocked (not banned IIRC, just blocked). On the bottom right of the page it has "Validation: Whitelisted IP: contained in 207.46.0.0/19". I tried to find a downloadable list that perhaps contained all such validations but couldn't find anything. Probably good chance that the list belongs to a paid service if it exists at all but I am in favour of good shortcuts where possible so decided to ask about it.

Are you implying that all traffic to these websites are being autobanned? If so please post me a log snippet.

No, didn't intend to imply that, sorry I worded badly. What I meant to say is that given I host websites I maybe don't have any other choice other than to let the nasties in with the genuine people at least as far as port 80 and 443 are concerned. If they are port scanning any other port in addition to 80 / 443, doing other suspicious / nasty things, etc then absolutely they are fair game for a block / ban.

I think the real question is, is legitimate traffic being banned, or just bots who are scanning for open ports to attack?

I think all the bans were fine. There were two IP's that were flagged as known bad on AlienVault so that was straight forward. A couple of Prague region IP's are highly suspicious, can't see any reason someone from that region would be interested in anything I have. But an IP from the US or something might (conceivably?) just be someone security conscious using a vpn? At this stage I am happy to assume the bans were correct.

It is the blocked traffic that I am more uncertain about. For example the Microsoft IP above, I wondered whether maybe that was a bing spider or equivalent? The AlienVault page doesn't say anything about the IP other than "Redmond, United States, AS8075 Microsoft Corporation" and then the Whitelist comment. I assume bing / google searchbots are "well behaved" (whatever that means in practice) but in practice I have no idea how they behave or what is even considered "bad behaviour". I guess as a minimum I would assume bing / google web indexing spiders would stick to ports 80 /443 and not port 25 but I don't know.

One of the blocked IP's had a domain of mail.my-isp-name and the owner as my-isp-name on AlienVault. Is that enough to assume it actually is my isp providers email server or email related infrastructure?

I didn't check the port 32400 thoroughly, so I don't know whether the 52 attacks on port 32400 were 52 bots targeting a well known / common port or a single plex server trying to connect 52 times.

I guess my original question would have been better worded as this: - given I have a few known services on a few known ports (like website/443, plex/32400, email/993) should I be doing "something" to preconfigure the firewall (like "sh /jffs/scripts/firewall whitelist port 443|993|32400") or is the correct approach to monitor the block/ban list and unblock/unban/whitelist IPs/domains when deemed appropriate?

 

[perkins1724]

Ok I may have just found something highly relevant.

I have custom DHCP allocations for wireless connections, in particular different guest wireless networks get different allocations. For example my main home network is on 192.168.1.XXX whereas one of the guest wireless networks is on 192.168.101.YYY:

#ifconfig
.....
br0       Link encap:Ethernet  HWaddr XX:XX:XX:XX:61:50
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
.....
wl0.1     Link encap:Ethernet  HWaddr XX:XX:XX:XX:61:51
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0

One of the kids just picked up an ipad connected to the above guest network (wl0.1) and the firewall started to block / ban stuff from Apple, Cupertino, United States and the kiddy programs wouldn't load.

It then occurred to me that my phone - which I do a lot of my stuff from - was also connected to that guest network from a few days ago.

On a hunch I have run:

sh /jffs/scripts/firewall unban all
sh /jffs/scripts/firewall whitelist remove
sh /jffs/scripts/firewall stats reset

Which I think should reset the adamm firewall to a pristine clean state, then:

sh /jffs/scripts/firewall whitelist 192.168.101.0/24

The ipad kiddy programs started working and I think this may have been the issue from the very beginning? Anything I accessed from the guest network got blocked? Or do I have it all so very wrong?

 

[Adamm]

This was one of the IP's that was blocked (not banned IIRC, just blocked). On the bottom right of the page it has "Validation: Whitelisted IP: contained in 207.46.0.0/19"

Okay I understand now, I assume they have an internal whitelist of IPs from reputable providers to prevent false positives (they use their own IP list in their paid service). I created a new command to help with this situation and can see the IP in this example isn't on any of the lists provided;

sh /jffs/scripts/firewall stats search malware 207.46.10.10

So in this example if it was being blocked and showed up in logs I'd assume the SPI firewall picked up an invalid packet state (basically the host sending an unsolicited connection) and added it to the blacklist. The only way to avoid such an incident somewhat would be whitelist an offending IP like such or run the firewall in noauto mode (meaning the firewall blocks IP's still of this nature but won't permanently ban them, only drop the connection) which is the default action of the firewall.

What I meant to say is that given I host websites I maybe don't have any other choice other than to let the nasties in with the genuine people at least as far as port 80 and 443 are concerned.

I'm unsure if genuine traffic would be flagged for Blacklisting in this situation, as it stands there is a rule in place for traffic on source ports 80,443 which prevents, for example if you are visiting a website and it sends an invalid packet for whatever reason the website being blacklisted, instead it will only have the connection dropped in that instance.

If you do experience legitimate traffic being banned please send me a log snippet, as this may be considered a destination port so we would have to add a very similar custom rule to cover that also, but I do not have any way to test this personally.

I am happy to assume the bans were correct.

In 99% of cases the bans are fairly accurate and are listed on other reputation databases, its actually quite surprising how many attempts there are in a given day (in the last 16 hours I've accumulated 1500 connections from 409 unique IP's, only 22 were autobans )

I guess as a minimum I would assume bing / google web indexing spiders would stick to ports 80 /443 and not port 25 but I don't know.

That's a pretty good assumption, I don't know for certain but that would also be my guess. Meaning the said rule I spoke of above should cover it, but we will need logs of a illegitimate ban if it occurs to be positive.

I didn't check the port 32400 thoroughly, so I don't know whether the 52 attacks on port 32400 were 52 bots targeting a well known / common port or a single plex server trying to connect 52 times.

From my understanding Plex is exposed to WAN on port 32400, so its a pretty safe assumption these were bots just scanning for open ports to probe, if you use;

sh /jffs/scripts/firewall stats search port 32400

I've just now added some extra information to help with breaking down the data, which should now look like this;

Port 1433 First Tracked On May 28 00:54:47
Port 1433 Last Tracked On May 28 16:50:52
74 Attempts Total
70 Unique IPs
0 Autobans From This Port

So in this example, you can see all my blocks on port 1433 were from the banmalware lists and not autobans so its pretty safe to assume it was malicious traffic.

Again, if you do find a legitimate IP being blocked, get me a log snippet and we can work from there.

One of the blocked IP's had a domain of mail.my-isp-name and the owner as my-isp-name on AlienVault. Is that enough to assume it actually is my isp providers email server or email related infrastructure?

If it belongs to your ISP, I'd assume its a false positive, you would need to need to use;

sh /jffs/scripts/firewall stats search IP 8.8.8.8

Then look at the first packet blocked to see if its a new ban (if the first block is RAW that means it wasn't an autoban and was probably done by banmalware)

Then you can see if it appears on any malware list (and look at what type of list its on) by using;

sh /jffs/scripts/firewall stats search malware 8.8.8.8

Now that being said, if it was an autoban, you would need to simply whitelist it. Some applications/devices tend to flag false positives, there's no easy way around because of the nature of the firewall rules it but its pretty uncommon.

I have custom DHCP allocations for wireless connections

I never thought to whitelist guest IP range as I do the regular, thanks for pointing this out. This is an easy fix (and oversight) on my end. Can you please post the output of the following command;

nvram show | grep 192.168.101

I'm fairly sure the value I'm looking for is lan1_ipaddr=, but lets be certain before I push the fix.



Hope this covers everything!

 

[perkins1724]

nvram show | grep 192.168.101

I'm fairly sure the value I'm looking for is lan1_ipaddr=, but lets be certain before I push the fix.

Adamm thankyou greatly for your awesome support with this! Here is the output of the requested command (from an RT-AC87U):

# nvram show | grep 192.168.2.1
lan1_ipaddr=192.168.2.1
lan1_gateway=192.168.2.1
size: 50220 bytes (15316 left)

I will work through the rest of your response and give a proper follow-up when I can!

 

[Adamm]

Here is the output of the requested command

Sorry can you post the edited command from my post, I mistakenly used the wrong IP when I initially posted it.

nvram show | grep 192.168.101

 

[perkins1724]

Sorry can you post the edited command from my post

That command returns blank:

# nvram show | grep 192.168.101
size: 50151 bytes (15385 left)

The 192.168.101 comes from a custom dnsmasq.conf which was intended to put the 6 guest wifi networks (3 x 2.4GHz, 3 x 5GHz) on their own subnets to isolate them both from each other and the main network. It works for the 2.4GHz networks but the 5GHz networks seem to be treated differently internally on the RT-AC87U and all the 5GHz traffic just appears on one of the eth interfaces (eth0 IIRC).

 

[Adamm]

The 192.168.101 comes from a custom dnsmasq.conf which was intended to put the 6 guest wifi networks (3 x 2.4GHz, 3 x 5GHz) on their own subnets to isolate them both from each other and the main network. It works for the 2.4GHz networks but the 5GHz networks seem to be treated differently internally on the RT-AC87U and all the 5GHz traffic just appears on one of the eth interfaces (eth0 IIRC).

Gotcha, I guess for the time being you will just have to whitelist this manually (which you already did). I'll think about how to detect more unique setups like yours in future updates.

 

[perkins1724]

Gotcha, I guess for the time being you will just have to whitelist this manually

except it hasn't seemed to help. I've stopped using the guest network (and added the manual whitelist 192.168.101.0/24 anyway) but in the last hour the firewall has flagged 508 attacks from port 993 (email) and 251 attacks from port 143 (also email) and all my autobans seem to be Microsoft / Google / email provider. Is my ISP just very badly behaved? This is my current stats output:

Debug Data Detected in /jffs/skynet.log - 186.8K
Monitoring From May 28 19:41:32 To May 28 20:28:52
776 Total Connections Detected
6 Unique IP Connections
6 Autobans Issued

Top 10 Ports Attacked; (Torrent Clients May Cause Excess Hits In Debug Mode)
20x https://www.speedguide.net/port.php?port=51739
18x https://www.speedguide.net/port.php?port=53309
18x https://www.speedguide.net/port.php?port=53261
18x https://www.speedguide.net/port.php?port=53260
18x https://www.speedguide.net/port.php?port=52989
18x https://www.speedguide.net/port.php?port=52988
18x https://www.speedguide.net/port.php?port=52590
18x https://www.speedguide.net/port.php?port=52589
18x https://www.speedguide.net/port.php?port=52401
18x https://www.speedguide.net/port.php?port=52400

Top 10 Attacker Source Ports;
508x https://www.speedguide.net/port.php?port=993
251x https://www.speedguide.net/port.php?port=143
1x https://www.speedguide.net/port.php?port=65234
1x https://www.speedguide.net/port.php?port=63179
1x https://www.speedguide.net/port.php?port=62183
1x https://www.speedguide.net/port.php?port=51899
1x https://www.speedguide.net/port.php?port=50307
1x https://www.speedguide.net/port.php?port=46298
1x https://www.speedguide.net/port.php?port=41560
1x https://www.speedguide.net/port.php?port=37024

Last 10 Unique Connections Blocked;
https://otx.alienvault.com/indicator/ip/207.46.11.202
https://otx.alienvault.com/indicator/ip/108.177.97.109
https://otx.alienvault.com/indicator/ip/64.233.187.109
https://otx.alienvault.com/indicator/ip/40.100.144.229
https://otx.alienvault.com/indicator/ip/40.100.151.21
https://otx.alienvault.com/indicator/ip/203.16.214.182

Last 10 Autobans;
https://otx.alienvault.com/indicator/ip/207.46.11.202
https://otx.alienvault.com/indicator/ip/108.177.97.109
https://otx.alienvault.com/indicator/ip/64.233.187.109
https://otx.alienvault.com/indicator/ip/40.100.144.229
https://otx.alienvault.com/indicator/ip/40.100.151.21
https://otx.alienvault.com/indicator/ip/203.16.214.182

Last 10 Unique HTTP(s) Blocks;

Top 10 HTTP(s) Blocks;

Top 10 Attackers;
693x https://otx.alienvault.com/indicator/ip/203.16.214.182
48x https://otx.alienvault.com/indicator/ip/108.177.97.109
17x https://otx.alienvault.com/indicator/ip/64.233.187.109
15x https://otx.alienvault.com/indicator/ip/40.100.151.21
2x https://otx.alienvault.com/indicator/ip/40.100.144.229
1x https://otx.alienvault.com/indicator/ip/207.46.11.202

But for some reason I show zero attempts (and zero autobans) on port 993:

# sh /jffs/scripts/firewall stats search port 993
#!/bin/sh
.....
Debug Data Detected in /jffs/skynet.log - 208.5K
Monitoring From May 28 19:41:32 To May 28 20:33:39
866 Total Connections Detected
7 Unique IP Connections
7 Autobans Issued

Port 993 First Tracked On
Port 993 Last Tracked On
0 Attempts Total
0 Unique IPs
0 Autobans From This Port

First Attack Tracked On Port 993;

10 Most Recent Attacks On Port 993;

And zero attempts (and zero autobans) on port 143:

# sh /jffs/scripts/firewall stats search port 143
#!/bin/sh
....

Debug Data Detected in /jffs/skynet.log - 208.5K
Monitoring From May 28 19:41:32 To May 28 20:33:39
866 Total Connections Detected
7 Unique IP Connections
7 Autobans Issued

Port 143 First Tracked On
Port 143 Last Tracked On
0 Attempts Total
0 Unique IPs
0 Autobans From This Port

First Attack Tracked On Port 143;

10 Most Recent Attacks On Port 143;

I'm not quite sure I understand how it all ties together. Maybe my networks is already compromised in some fashion? For now my plan is to just manually review the autoban list as it builds up over time and whitelist them where I think they are genuine (using whitelist ranges where suggested by AlienVault). I won't whitelist any ports and will see how things look in a few days.

Adamm thanks again for all your help with this you have been quite supportive!

 

[perkins1724]

.....and just as I finished that post off I saw this which looks very much (to me) like a legitimate (maybe?) website browser (tcp on port 443). Is this log information of any use to comment on what might be going wrong or what I have done wrong? If I am blocking traffic to my websites I'm going to get into a lot of trouble.

# cat /jffs/skynet.log | grep 122.105.136.103
May 28 20:38:33 kernel: [BLOCKED - NEW BAN] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46885 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3B6271AA4AD32)
May 28 20:38:34 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=9367 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3B9261AA4AD32)
May 28 20:38:35 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=57072 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3BE5C1AA4AD32)
May 28 20:38:38 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=46669 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3C8001AA4AD32)
May 28 20:38:44 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=26540 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3DA801AA4AD32)
May 28 20:39:01 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=12773 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF3FEB81AA4AD32)
May 28 20:39:14 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=63177 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF432601AA4AD32)
May 28 20:44:26 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=33668 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF498E81AA4AD32)
May 28 20:52:49 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=19150 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF4FF701AA4AD32)
May 28 21:05:44 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=59127 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF565F81AA4AD32)
May 28 21:06:35 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=13529 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF5CC801AA4AD32)
May 28 21:07:02 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=64077 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF633091AA4AD32)
May 28 21:07:12 kernel: [BLOCKED - RAW] IN=ppp0 OUT= MAC= SRC=122.105.136.103 DST=59.167.94.98 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=10026 DF PROTO=TCP SPT=49698 DPT=443 SEQ=2095731543 ACK=3443593548 WINDOW=8187 RES=0x00 ACK FIN URGP=0 OPT (0101080A1AF65B151AA4AD32)

 

[Adamm]

Okay this gives me a much better idea of whats going on. First of all please do;

sh /jffs/scripts/firewall update -f

I had a typo in the autoban counter, this will now show correct stats.

Now as for your situation, I did write a post just now about how to fix each individual issue with IPTables rules, but I feel like because you have so many third party services running on your router, it will just be easier if you run the firewall in noauto mode and stick to using a pre-defined blacklist and only dropping invalid packets rather then blacklisting. There is so much going on including a website that I am sure is important to you, you don't want to run the risk of banning legitimate traffic as I'm sure there's edge cases we may overlook.

You can do this via the install command. After doing so you will also want to "unban all" and regenerate your blacklist.

 

[perkins1724]

Done, thanks Adamm. Will monitor for the next few days and report back if I have any issues.

 

[perkins1724]

Hi Adamm, firstly is it fine for me to continue this thread or would you prefer me to move to the main bulk thread?

I'll stay here for this post, just a quick update. I ended up turning the autoban back on and started working through what was happening, how your code worked and what it all meant. Most (say 55%) of my issues were related to bans on email ports. It looks like you have caught that one now so I will try and merge my local changes with your updates and will let you know if that turns up anything new.

The next 40% seem to be that I just seem to occasionally get invalid packets on valid connections. I can't really see why although most seem to be ACK RST so I presume something along the lines of an initial ACK RST being sent and the connection getting closed immediately so the reply ACK RST is automatically invalid. I tried just dropping those packets instead of banning but that still caused issues with some stuff on the kids iPads so I ended up adding code to accept packets that were ACK RST or ACK FIN or ACK PSH FIN etc. That has seemed to work for me.

The other 5% are related to services I run like hosting websites and running plex. I formulated some code to add what I called ServicePorts and structured it conceptually as similar as I could to your blacklist implementation. Would you be interested in me posting some code snippets?

Thanks again for your assistance and for creating / maintaining this program it is greatly appreciated!

 

[Adamm]

Most (say 55%) of my issues were related to bans on email ports. It looks like you have caught that one now

Yes the script now only drops invalid connections on source ports 80,443,143,993,110,995,25,465

The next 40% seem to be that I just seem to occasionally get invalid packets on valid connections.

All this is default behaviour by the routers built in SPI rules. Being that its not application level filtering or DPI it can only be so smart. Feel free to post your changes but I'm not sure if I want to stray from the default behaviour too much.

The other 5% are related to services I run like hosting websites and running plex. I formulated some code to add what I called ServicePorts and structured it conceptually as similar as I could to your blacklist implementation. Would you be interested in me posting some code snippets?

Feel free and I'll take a look, worst case situation you can just fork the code on github as its a very edge case for users to be running a webserver etc.

 

[perkins1724]

All this is default behaviour by the routers built in SPI rules. Being that its not application level filtering or DPI it can only be so smart. Feel free to post your changes but I'm not sure if I want to stray from the default behaviour too much.

This is the one that has me scratching my head the most. With the default behaviour i still get autobans on Microsoft / Apple / Google. I would have thought that others would be getting this too, oh well.

Feel free and I'll take a look, worst case situation you can just fork the code on github as its a very edge case for users to be running a webserver etc.

Yeah I have forked a copy now and will gradually bring my changes up to date. My intention will be just to follow yours and tack in the extra features / tweaks that I want / need. Hope that is ok.

 

[Adamm]

This is the one that has me scratching my head the most. With the default behaviour i still get autobans on Microsoft / Apple / Google. I would have thought that others would be getting this too, oh well.

I occasionally do too, but not to the point where it breaks anything so its somewhat a small concern. But I'll try debug it a little further at some point and see if we your changes affect legitimate blocks.

Yeah I have forked a copy now and will gradually bring my changes up to date. My intention will be just to follow yours and tack in the extra features / tweaks that I want / need. Hope that is ok.

I had a look at some of your changes and commented a few pointers. Also I don't think your outbound blocking implementation works, you're trying to drop outgoing connections from the wrong chain (PREROUTING vs OUTPUT). I added something similar to the main branch regardless so I'll leave that up to you to merge.

I also saw your commit about ipset saves not fully being loaded. This was a side effect of adding USB support, firewall-start is called before the USB is mounted so when IPSet tries to restore the save file it doesn't exist yet so it goes ahead and creates everything from scratch. I attempted to alleviate this by adding a 10 second sleep timer in firewall-start before skynet is executed. I also re-added the ignore flag (!) assuming this "cooldown" isn't enough for some setups so that the IP's will be forcefully added each time firewall-start is called. I had removed the flag at one point but the reasons then don't really apply anymore as we save more frequently when modifying the contents.


EDIT; Turns out my Outbound blocking was wrong too, am only blocking packets sourcing from the router itsself, rewriting it now

 

[perkins1724]

But I'll try debug it a little further at some point and see if we your changes affect legitimate blocks.

To be honest I think my changes will probably affect some legitimate blocks. Probably 4 in 5 I can look at them and say yes that is clearly a false positive (for my / my households usage) and most of those are ACK RST. But for that other 1 in 5 its not so clear. Is it malicious or is it just one of the apps updating? At which point it is a question of block now and unblock later if something breaks or leave it be. Clearly the block now is the safer option. I might setup a 24hr packet capture and wireshark and see if I can chase one or two of them through to try and understand exactly what it might have been.

Also I don't think your outbound blocking implementation works, you're trying to drop outgoing connections from the wrong chain (PREROUTING vs OUTPUT). I added something similar to the main branch regardless so I'll leave that up to you to merge.

I agree OUTPUT rather than PREROUTING seems to be the right place. It just didn't work for me in OUTPUT. I'm not sure whether its because I would need to add some SNAT in addition to the DNAT or whether stuff is getting caught by another rule or what the issue is. Once I got it working reliably with the 403 return I just kind of left the rules in PREROUTING. I'll compare mine to your main branch and see if I can figure it out.

 

[Adamm]

I agree OUTPUT rather than PREROUTING seems to be the right place. It just didn't work for me in OUTPUT.

I ended up figuring it out, the output chain was actually also wrong to a degree. When blocking in output it only affects packets coming from the router itself. To block data from clients on the network you have to filter dst IPs on the br0 interface in the PREROUTING table. I updated the main codebase accordingly. I'll need to look into the whitelist rules for br0, as it's matching almost every packet passing through because of the local IPs, not sure if this will cause any noticeable performance loss.

I also added in your tcpflag and icmp code 3/11 changes for the time being. They matched up pretty well with all the collected false positive data I had (uTorrent is great for generating it). I'll look into it more this week and track down case by case see if we need to make any adjustments so real bans aren't being ignored.

Also I did some long overdue code reorganising today, so it's probably easier if you copy and paste your changes in to a fresh copy to update your fork as I'm not sure how git will handle it lol.