Firewall not dropping

OpenWrt 22.03.2

Is there a priority between firewall rules which accept and those which drop?

I'm running Crowdsec + firewall-bouncer and have added manual bans on ip ranges such as:

cscli decisions add --range 147.78.103.0/24 --type ban --reason 'manual ban - email login' --duration 72h

However, the exim reject log has this entry, showing the ban did not work:

2023-04-12 09:52:08.854 [684] H=(WIN-CLJ1B0GQ6JP) [147.78.103.151]:63337 I=[my ip]:25 F=spameri@tiscali.it rejected RCPT spameri@tiscali.it: relay not permitted

/etc/config/firewall sections allowing smtp and pop

config rule
	option name 'Allow SMTP'
	list proto 'tcp'
	option target 'ACCEPT'
	option dest_port '25 587'
	option src '*'

config rule
	option target 'ACCEPT'
	option dest_port '995'
	option name 'Allow POP3s'
	option src '*'
	list proto 'tcp'

Is there a priority to the firewall rules? So could it be that the "accept" rules are triggering first?
Or is this more likely an issue with crowdsec instead, perhaps?

If there is more info I can add, please say.

Thank you.

These rules end up in the input chain, so the traffic would have to be intended for the router itself. Is that where you run the mail server?

Edit: I am not familiar with Crowdsec so my question might be silly.


Hi Dave,

Thanks for the reply. Yes, the mail server is on the router.

OK, I looked at the crowdsec-firewall-bouncer package and init script and I see it creates a separate table with an input chain/hook at a lower priority than the fw4 input chain. So the results can be unexpected if fw4 allows the traffic and crowdsec denies it.

Compare the rules and numeric priorities of the chains:

nft -n list chain inet fw4 input
nft -n list chain ip crowdsec input
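To do the comparison suggested above without reading the listings by eye, here is an added shell example (not from the thread, crowdsec or fw4) that parses `nft list chains` output, maps the symbolic nftables priorities (raw, mangle, filter, ...) to their numeric values and orders the input-hook base chains lowest first; the sample listing is constructed from the output shown in this thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `nft list chains` output, modelled on this thread.
# On the router, call: input_chain_order "$(nft list chains)"
SAMPLE='table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}
}
table ip crowdsec {
	chain crowdsec-chain {
		type filter hook input priority filter - 1; policy accept;
	}
}'
# Same sample with the bouncer chain at priority 0, as first seen in the thread.
TIED=$(printf '%s\n' "$SAMPLE" | sed 's/priority filter - 1;/priority 0;/')

# Print input-hook base chains as "<priority> <family> <table> <chain>",
# lowest priority (run first by the kernel) at the top.
input_chain_order() {
	printf '%s\n' "$1" | awk '
		BEGIN { sym["raw"] = -300; sym["mangle"] = -150; sym["dstnat"] = -100
		        sym["filter"] = 0; sym["security"] = 50; sym["srcnat"] = 100 }
		$1 == "table" { family = $2; table = $3 }
		$1 == "chain" { chain = $2 }
		/hook input priority/ {
			sub(/.*priority /, ""); sub(/;.*/, "")     # e.g. "filter - 1"
			n = split($0, p, " ")
			v = (p[1] ~ /^-?[0-9]+$/) ? p[1] + 0 : sym[p[1]]
			if (n == 3) v = (p[2] == "-") ? v - p[3] : v + p[3]
			printf "%d %s %s %s\n", v, family, table, chain
		}' | sort -n
}

# Succeed when chain $2 runs before chain $3 on the input hook.
runs_before() {
	input_chain_order "$1" | awk -v a="$2" -v b="$3" \
		'$4 == a { ia = NR } $4 == b { ib = NR } END { exit !(ia && ib && ia < ib) }'
}

# Print priority values shared by more than one input-hook chain; priority
# does not decide the order between such chains, so accept-vs-drop is a toss-up.
input_priority_ties() {
	input_chain_order "$1" | awk '{ c[$1]++ } END { for (v in c) if (c[v] > 1) print v }'
}
```

With the tied sample the function reports `0`, which is the situation the thread started from; after the change to -1 the crowdsec chain sorts above the fw4 input chain.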
root@Router:~# nft -n list chain inet fw4 input
table inet fw4 {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state 0x2,0x4 accept comment "!fw4: Allow inbound established and related flows"
		tcp flags 0x2 / 0x1,0x2,0x4,0x10 jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		tcp dport { 25, 587 } counter packets 498 bytes 27448 accept comment "!fw4: Allow SMTP"
		tcp dport 995 counter packets 831 bytes 48199 accept comment "!fw4: Allow POP3s"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "usb0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
	}
}


root@Router:~# nft -n list chain ip crowdsec input
Error: No such file or directory
list chain ip crowdsec input
                       ^^^^^
root@Router:~# 


nft -n list table ip crowdsec

table ip crowdsec {
	set crowdsec-blacklists {
		type ipv4_addr
		flags timeout
		elements = { 1.0.171.2 timeout 4d7h1m9s290ms expires 4d5h15m10s60ms, 1.9.7.197 timeout 21h59m57s300ms expires 20h13m57s180ms,
			     1.9.70.26 timeout 6d22h59m57s280ms expires 6d21h13m58s650ms, 1.9.71.2 timeout 21h59m57s300ms expires 20h13m57s180ms,
			     1.9.78.242 timeout 6d22h59m57s280ms expires 6d21h13m58s660ms, 1.9.165.82 timeout 4d3h1m9s290ms expires 4d1h15m10s,
			     1.10.172.234 timeout 1d13h2m1s290ms expires 1d11h16m1s810ms, 1.10.211.15 timeout 1d4h2m1s290ms expires 1d2h16m1s740ms,
			     1.10.211.105 timeout 4d4h1m11s290ms expires 4d2h15m12s60ms, 1.11.62.185 timeout 6d22h59m57s280ms expires 6d21h13m58s570ms,
 223.240.96.1 timeout 378070s expires 371313s, 223.240.104.37 timeout 342069s expires 335312s,
			     223.240.117.24 timeout 298869s expires 292112s, 223.241.222.151 timeout 57721s expires 50963s,
			     223.247.145.225 timeout 601197s expires 594441s, 223.247.203.105 timeout 601197s expires 594441s }
	}

	chain crowdsec-chain {
		type filter hook input priority 0; policy accept;
		ip saddr @crowdsec-blacklists drop
	}
}

So both are priority 0? And I should raise the crowdsec priority?

No mention here:

And this seems to indicate lowest priority first, i.e. -1 happens before 1:
https://wiki.nftables.org/wiki-nftables/index.php?title=Configuring_chains&oldid=208#Base_chain_priority

Maybe it's not yet possible to alter the priority from the crowdsec setup.

Might have got the priority lowered:
EDIT: By that I mean, by going from priority 0 to -1, the -1 will happen before the 0. So setting crowdsec to -1, it should happen before my 0 accepts on ports 25, 587 and 995


# Restart crowdsec and the bouncer so they recreate their tables
/etc/init.d/crowdsec-firewall-bouncer stop
sleep 2
/etc/init.d/crowdsec stop
sleep 2
/etc/init.d/crowdsec start
sleep 4
/etc/init.d/crowdsec-firewall-bouncer start
sleep 2
# Replace the bouncer's chains (hooked at priority 0, the same as fw4 input)
# with chains at priority -1 so they run before the fw4 accept rules
nft delete chain ip crowdsec crowdsec-chain
nft delete chain ip6 crowdsec6 crowdsec6-chain
nft add chain ip crowdsec crowdsec-chain '{ type filter hook input priority -1; policy accept; }'
nft add chain ip6 crowdsec6 crowdsec6-chain '{ type filter hook input priority -1; policy accept; }'
sleep 2
# Re-add the drop rules: new connections arriving on the wan interfaces from a
# source in the blacklist set are logged and dropped
nft add rule ip crowdsec crowdsec-chain 'iifname { usb0, pppoe-wan } ct state new ip saddr @crowdsec-blacklists log prefix "crowdsec: " counter drop'
nft add rule ip6 crowdsec6 crowdsec6-chain 'iifname { usb0, pppoe-wan } ct state new ip6 saddr @crowdsec6-blacklists log prefix "crowdsec: " counter drop'
sleep 2
/etc/crowdsec/ban_ip.sh


root@Router:/etc# nft list tables
table inet fw4
table ip crowdsec
table ip6 crowdsec6

root@Router:/etc# nft list table crowdsec
table ip crowdsec {
	set crowdsec-blacklists {
		type ipv4_addr
		flags timeout
	}

	chain crowdsec-chain {
		type filter hook input priority filter - 1; policy accept;
		iifname { "usb0", "pppoe-wan" } ct state new ip saddr @crowdsec-blacklists log prefix "crowdsec: " counter packets 0 bytes 0 drop
	}
}



root@Router:/etc# nft list chains
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}
	chain handle_reject {
	}
	chain syn_flood {
	}
	chain input_lan {
	}
	chain output_lan {
	}
	chain forward_lan {
	}
	chain helper_lan {
	}
	chain accept_from_lan {
	}
	chain accept_to_lan {
	}
	chain reject_to_lan {
	}
	chain input_wan {
	}
	chain output_wan {
	}
	chain forward_wan {
	}
	chain accept_to_wan {
	}
	chain reject_to_wan {
	}
	chain drop_from_wan {
	}
	chain input_guest {
	}
	chain output_guest {
	}
	chain forward_guest {
	}
	chain helper_guest {
	}
	chain accept_to_guest {
	}
	chain reject_from_guest {
	}
	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}
	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}
	chain srcnat_wan {
	}
	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
	chain raw_output {
		type filter hook output priority raw; policy accept;
	}
	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}
	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}
	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}
	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}
	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
table ip crowdsec {
	chain crowdsec-chain {
		type filter hook input priority filter - 1; policy accept;
	}
}
table ip6 crowdsec6 {
	chain crowdsec6-chain {
		type filter hook input priority filter - 1; policy accept;
	}
}
root@Router:/etc# 

root@Router:/etc# nft list ruleset
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		tcp dport { 25, 587 } counter packets 498 bytes 27448 accept comment "!fw4: Allow SMTP"
		tcp dport 995 counter packets 835 bytes 48439 accept comment "!fw4: Allow POP3s"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "usb0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "usb0", "pppoe-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "usb0", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "br-guest" jump helper_guest comment "!fw4: Handle guest IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump reject_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 137597 bytes 9895007 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 62562 bytes 4431164 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain reject_to_lan {
		oifname "br-lan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 783 bytes 31330 jump drop_from_wan comment "!fw4: Drop-Ping"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump drop_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		jump reject_to_wan
		log prefix "reject wan forward: "
	}

	chain accept_to_wan {
		oifname { "usb0", "pppoe-wan" } counter packets 241007 bytes 28166065 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname { "usb0", "pppoe-wan" } counter packets 0 bytes 0 log prefix "reject wan out: " jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain drop_from_wan {
		iifname { "usb0", "pppoe-wan" } counter packets 118821 bytes 7677561 log prefix "drop wan in: " drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain input_guest {
		tcp dport 53 counter packets 26 bytes 1352 accept comment "!fw4: Allow-DNS-Guest"
		udp dport 53 counter packets 211044 bytes 14664840 accept comment "!fw4: Allow-DNS-Guest"
		meta nfproto ipv4 udp sport 68 udp dport 67 counter packets 492 bytes 173294 accept comment "!fw4: Allow-DHCP-Guest"
		jump reject_from_guest
	}

	chain output_guest {
		jump accept_to_guest
	}

	chain forward_guest {
		jump accept_to_wan comment "!fw4: Accept guest to wan forwarding"
		jump accept_to_guest
	}

	chain helper_guest {
	}

	chain accept_to_guest {
		oifname "br-guest" counter packets 3079 bytes 623085 accept comment "!fw4: accept guest IPv4/IPv6 traffic"
	}

	chain reject_from_guest {
		iifname "br-guest" counter packets 2577 bytes 208940 jump handle_reject comment "!fw4: reject guest IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname { "usb0", "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname { "usb0", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname { "usb0", "pppoe-wan" } tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}
}
table ip crowdsec {
	set crowdsec-blacklists {
		type ipv4_addr
		flags timeout
		elements = { 1.0.171.2 timeout 4d4h52s370ms expires 4d3h59m33s350ms, 1.9.7.197 timeout 1d59m57s380ms expires 1d58m37s600ms,
			     1.9.70.26 timeout 6d22h59m57s350ms expires 6d22h58m39s100ms, 1.9.71.2 timeout 1d59m57s380ms expires 1d58m37s530ms,
			     1.9.78.242 timeout 6d21h59m57s360ms expires 6d21h58m38s830ms, 1.9.165.82 timeout 4d52s370ms expires 3d23h59m33s380ms,
			     1.10.172.234 timeout 1d10h1m44s370ms expires 1d10h25s140ms, 1.10.211.15 timeout 1d1h1m44s370ms expires 1d1h25s,
			     1.10.211.105 timeout 4d1h54s370ms expires 4d59m35s390ms, 1.11.62.185 timeout 6d22h59m57s360ms expires 6d22h58m38s920ms,
			     1.12.48.45 timeout 1d59m57s380ms expires 1d58m37s550ms, 1.12.60.77 timeout 6d22h59m57s350ms expires 6d22h58m39s130ms,
2a0b:7280:300:0:475:b6ff:fe00:230b timeout 6d22h59m57s360ms expires 6d22h58m38s800ms,
			     2a0b:7280:300:0:4d2:52ff:fe00:2305 timeout 6d22h59m57s360ms expires 6d22h58m38s800ms,
			     2a0b:7280:300:0:1c00:70ff:fe00:231c timeout 6d22h59m57s360ms expires 6d22h58m38s790ms,
			     2a0c:d80:0:24b9::2 timeout 4d17h52s360ms expires 4d16h59m33s400ms,
			     2c0f:fd20:0:8000::10 timeout 6d22h59m57s360ms expires 6d22h58m38s790ms }
	}

	chain crowdsec6-chain {
		type filter hook input priority filter - 1; policy accept;
		iifname { "usb0", "pppoe-wan" } ct state new ip6 saddr @crowdsec6-blacklists log prefix "crowdsec: " counter packets 0 bytes 0 drop
	}
}