Firewall rules not protecting webproxy


#1

I finally managed to get webproxy working reasonably well on my hosted VPS, when I noticed in the access logs, and the SARG reports I subsequently installed to get a handle on the extent of the problem, that my server was being used by about 114 unauthorised distinct IP addresses.

Although the majority seem to be benign and low volume, they are using my bandwidth, for which I pay!

I had already set up firewall rules to restrict access to my local public IP address (dynamic, hence the CIDR for my whole ISP address range), but they do not appear to be working.

I need only webproxy and SSH access, so here is the bulk of my set commands:

[…]
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name PROD default-action 'drop'
set firewall name PROD rule 1 action 'accept'
set firewall name PROD rule 1 state established 'enable'
set firewall name PROD rule 1 state related 'enable'
set firewall name PROD rule 2 action 'drop'
set firewall name PROD rule 2 log 'enable'
set firewall name PROD rule 2 state invalid 'enable'
set firewall name PROD rule 100 action 'accept'
set firewall name PROD rule 100 log 'enable'
set firewall name PROD rule 100 protocol 'icmp'
set firewall name PROD rule 220 action 'accept'
set firewall name PROD rule 220 destination port 'SSH_PORT,WEBPROXY_PORT'
set firewall name PROD rule 220 log 'enable'
set firewall name PROD rule 220 protocol 'tcp'
set firewall name PROD rule 220 source address 'LOCAL_PUBLIC_IP/CIDR'
set firewall name PROD rule 9999 action 'drop'
set firewall name PROD rule 9999 log 'enable'
set firewall name PROD-PROD default-action 'drop'
set firewall name PROD-PROD rule 1 action 'accept'
set firewall name PROD-PROD rule 1 state established 'enable'
set firewall name PROD-PROD rule 1 state related 'enable'
set firewall name PROD-PROD rule 2 action 'drop'
set firewall name PROD-PROD rule 2 log 'enable'
set firewall name PROD-PROD rule 2 state invalid 'enable'
set firewall name PROD-PROD rule 9999 action 'drop'
set firewall name PROD-PROD rule 9999 log 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces dummy dum1 address '10.10.10.1/24'
set interfaces dummy dum1 description 'LAN'
set interfaces ethernet eth0 address 'VPS_PUBLIC_IP'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in name 'PROD'
set interfaces ethernet eth0 hw-id 'MAC_ADDRESS'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces loopback 'lo'
set service https http-redirect 'enable'
set service 'lldp'
set service ssh port 'SSH_PORT'
set service webproxy cache-size '1000'
set service webproxy default-port 'WEBPROXY_PORT'
set service webproxy listen-address 'VPS_PUBLIC_IP'
set system config-management commit-revisions '20'
set system gateway-address 'GATEWAY_IP'
set system host-name 'HOSTNAME'
set system login user USER authentication encrypted-password 'blahblahblah'
set system login user USER level 'admin'
set system name-server '93.93.128.2'
set system name-server '208.67.222.222'
set system name-server '208.67.220.220'
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Europe/London'
set zone-policy zone PROD default-action 'drop'
set zone-policy zone PROD interface 'eth0'
[…]

I realise some of the commands are redundant, such as those for dum1 and firewall ruleset PROD-PROD, but as far as I can tell, everything controlling incoming traffic on eth0 is correct - or is it?

There is only one interface, eth0, so it should be simple, should it not? I am restricting only incoming. Outgoing all works as expected - unfiltered - and everything operates well as a caching proxy. Too well, at the moment! ;-}

What is even more worrying is that I chose obscure ports for both webproxy and ssh but webproxy seems to be accepting anything that comes in. Even if the firewall was not filtering, surely webproxy should not be accepting everything? I find it hard to believe so many would-be attackers found the port only seconds after I set it!

I could not find any logs for firewall to troubleshoot further. I tried:

show log firewall name PROD

but it was empty

Does this mean there are no logs or this feature is not available?

MTIA

;-}
P


#2

When you use IN and OUT applied to interfaces, the interesting traffic they work against is traffic being routed through the router. In this case the traffic’s destination is the router itself. Look at the firewall LOCAL keyword to inspect traffic that is destined for the router (i.e. ssh traffic and webproxy traffic).
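The point above, worked through as an added example that is not part of either post: a ruleset attached with "firewall in" on eth0 only sees packets the VPS forwards, so connections to the proxy and SSH listeners on the VPS itself pass it untouched. The ruleset below is the same policy as the original PROD set, but attached with the "local" keyword so it applies to traffic terminating on the router. The ruleset name LOCAL and the rule numbers are my choices; SSH_PORT, WEBPROXY_PORT, LOCAL_PUBLIC_IP/CIDR and eth0 are the placeholders already used in the thread.

```vyos
set firewall name LOCAL default-action 'drop'
set firewall name LOCAL rule 1 action 'accept'
set firewall name LOCAL rule 1 state established 'enable'
set firewall name LOCAL rule 1 state related 'enable'
set firewall name LOCAL rule 2 action 'drop'
set firewall name LOCAL rule 2 log 'enable'
set firewall name LOCAL rule 2 state invalid 'enable'
set firewall name LOCAL rule 100 action 'accept'
set firewall name LOCAL rule 100 protocol 'icmp'
set firewall name LOCAL rule 220 action 'accept'
set firewall name LOCAL rule 220 protocol 'tcp'
set firewall name LOCAL rule 220 destination port 'SSH_PORT,WEBPROXY_PORT'
set firewall name LOCAL rule 220 source address 'LOCAL_PUBLIC_IP/CIDR'
set firewall name LOCAL rule 9999 action 'drop'
set firewall name LOCAL rule 9999 log 'enable'
set interfaces ethernet eth0 firewall local name 'LOCAL'
```

After commit, "show firewall name LOCAL statistics" should show the counters for rule 220 moving only when connections arrive from LOCAL_PUBLIC_IP/CIDR, and "show log firewall name LOCAL" (the command that came back empty in the original post, because PROD was never matching anything) should start filling with the logged drops from rule 9999. Keep rule 1 first: without the established/related accept, replies to the VPS's own outbound connections, including the proxy's fetches, would be evaluated against the later rules and dropped.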


#3

Hi jl3128,

What can I say? Doh! How did I miss that? I have been too long away from cli. I have been spoilt by GUIs and this is the result.

You are absolutely right. I added a few local rules, assigned the ruleset to eth0 and Robert’s your mother’s brother. No more Mr Nice Guy. I can see the ruleset dropping packets in the log and webproxy is servicing only the addresses I set. Traffic is zero when I am not using it.

Thank you very much.

Perfick!

;-}
P