Need help stopping ACK scans through OpenWrt

I'm brand new to OpenWRT and am using 21.02.3 on a Raspberry Pi. My goal is to replace the limited firewall/gateway on my home mesh system. I configured it with minimal adjustments, assuming that the standard install would be fairly strong, and then put the OpenWRT appliance between the fiber modem and the mesh gateway. My ultimate goal is to change the mesh gateway setup to AP mode rather than router mode, and offload all the gateway, firewall, and DHCP responsibilities to the OpenWRT appliance. However, before I do that I've kept the firewall on the mesh gateway active in case I misconfigured the OpenWRT system and created a wide-open network.

Right now all standard traffic is routing fine and the OpenWRT and mesh gateway are able to pass traffic back and forth without any issues. However, when I look at the log of the mesh network, which is on the LAN side of the OpenWRT system, I'm seeing ACK scans showing up in the logs, and I don't see anything in the OpenWRT logs about blocking any SYN/ACK/etc. type packets or blocking port access, that sort of thing. The OpenWRT logging in Luci is set to "debug" level for both system and kernel.

This has me worried that I don't have my OpenWRT system configured correctly and it's just wide open. I'm using the Luci interface to configure as a preference, but if I need to do this from command line I can.

Firewall setup:

(adding more details in a sec, as a new user I'm limited in how many screenshots I can add to a post)

If there's something else that would be helpful to see in order to get a better idea of how to help me solve this, let me know and I'll add it to the thread. If someone can help me with these two items, I'd really appreciate it:

  1. Figure out what I need to correct to stop undesired packet and port scans from making it through the OpenWRT appliance.
  2. Adjust the logs so I can see that the OpenWRT device is actually catching this type of undesired traffic, if possible.

Traffic Rules:

Traffic Rules part 2

Interface:

Hello Brinohm and welcome to the forum.
You are right that the default configuration of OpenWrt is quite secure. Input from the internet (the red wan zone) is rejected or dropped and only lan to wan initiated traffic is allowed. Therefore, an attack must be triggered either after opening some IP or port from wan to lan, which you didn't open by the way.
One more thing is that it's better to use ssh to connect to the device and pull the configurations with uci export network; uci export firewall than posting screenshots.
Other than that I doubt that you got attacked, unless some device in the lan initiated the communication with some malicious device in the wan. Of course it might as well be a false positive alarm or BS from the home mesh system.


Thanks @trendy, glad to be here and be a part of the community! I really appreciate you confirming about the default config, that's excellent to know, thank you for that as well!

For the log question, do you know if there's a way I can see the traffic that OpenWRT is stopping in the logs (or some other way)? I've looked around trying to find some information on this, but most of what I seem to find is either generic, or seems to be related to people trying to let traffic through rather than confirm what's being blocked.

Also, thanks for the heads-up on the command line extract for the config. That was very helpful as well.

uci set firewall.wan.log='1'
uci commit
service firewall restart
logread -f -e wan

That didn't quite work for me, I keep getting a "uci: Invalid argument" when I enter the first line, BUT, seeing what you were sharing, it gave me an idea of where to try and look for this in Luci. I was able to find a toggle for enabling logging on a specific zone, in my case - wan, by going to:
Network -> Firewall -> Zone-wan-Edit -> Advanced Settings -> enable logging on this interface.

Thanks again for all your help, I really appreciate it!


Out of curiosity, when you tick "enable logging" in the wan zone and then click Save, there will be a cyan button in the top right corner saying "Unsaved changes: 1". If you click on that, what does it write as the change to be committed?

Nice! That's great to know as well. I can work backwards to the uci command from the luci interface. Thanks!

What it says is:
uci set firewall.cfg03da81.log='1'

It looks like the difference is this cfgxxxx value vs the value "wan". Maybe this is because I used luci to configure my system? Not sure. Let me know if that's helpful.

It seems that the zone is not named as it should.

Is there a place I can change or check the name? It could be a result of me having had to configure a wireless WAN to start with to then transition to a wired WAN (long story, but this is a Pi 2 board, with just the onboard wired connection, everything else had to have installs to get working and that took some bootstrapping to complete). So now the WAN zone is actually a combo of the wired and wireless WAN interfaces, if that makes sense.

Usually on a default installation of OpenWrt, this is enough:

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci commit firewall
/etc/init.d/firewall restart

provided you didn't change the order of the zones.
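The `cfg03da81` versus `wan` difference above is the anonymous-section case: LuCI created the zone without a section name, so `firewall.wan` does not resolve and `uci show firewall` lists it as `firewall.cfg03da81=zone` with `firewall.cfg03da81.name='wan'`. The rename by position (`@zone[1]`) works on a default install, but it silently renames the wrong zone if the order differs. As an added example (not code from the thread or from OpenWrt), the POSIX sh/awk helper below reads `uci show firewall` output and resolves a zone by its `name` option instead of its position, then prints the rename and logging commands for review rather than running them. The `uci show` sample is constructed for the example; `cfg03da81` is the id from the thread, the other section ids are made up.

```shell
#!/bin/sh
# Constructed `uci show firewall` output: anonymous sections appear with
# cfgXXXX ids, and the zone's human name lives in its "name" option.
SAMPLE_UCI="firewall.cfg01e63d=defaults
firewall.cfg01e63d.syn_flood='1'
firewall.cfg01e63d.input='ACCEPT'
firewall.cfg01e63d.output='ACCEPT'
firewall.cfg01e63d.forward='REJECT'
firewall.cfg02dc81=zone
firewall.cfg02dc81.name='lan'
firewall.cfg02dc81.input='ACCEPT'
firewall.cfg02dc81.output='ACCEPT'
firewall.cfg02dc81.forward='ACCEPT'
firewall.cfg02dc81.network='lan'
firewall.cfg03da81=zone
firewall.cfg03da81.name='wan'
firewall.cfg03da81.input='REJECT'
firewall.cfg03da81.output='ACCEPT'
firewall.cfg03da81.forward='REJECT'
firewall.cfg03da81.masq='1'
firewall.cfg03da81.mtu_fix='1'
firewall.cfg03da81.network='wan' 'wan6' 'wwan'
firewall.cfg04ad58=forwarding
firewall.cfg04ad58.src='lan'
firewall.cfg04ad58.dest='wan'"

# zone_section NAME: read `uci show firewall` on stdin and print the section
# id (either a real name or a cfgXXXX id) of the zone whose name option is
# NAME. Exit status 1 if no such zone exists, so callers can test for it.
zone_section() {
    awk -v want="$1" -v q="'" '
        /^firewall\.[^.=]*=zone$/ {
            sid = $0; sub(/^firewall\./, "", sid); sub(/=zone$/, "", sid)
            iszone[sid] = 1
        }
        /^firewall\.[^.=]*\.name=/ {
            sid = $0; sub(/^firewall\./, "", sid); sub(/\.name=.*$/, "", sid)
            val = $0; sub(/^[^=]*=/, "", val); gsub(q, "", val)
            # only sections of type zone count; other types may have a name too
            if ((sid in iszone) && val == want) found = sid
        }
        END { if (found != "") { print found; exit 0 } exit 1 }
    '
}

# zone_logging_cmds NAME: read `uci show firewall` on stdin and print the uci
# commands that give the zone section a proper name (so firewall.NAME resolves
# from now on) and enable logging on it. Printed, not executed, for review.
zone_logging_cmds() {
    name="$1"
    dump=$(cat)
    sid=$(printf '%s\n' "$dump" | zone_section "$name") || {
        echo "no zone with name '$name' found" >&2
        return 1
    }
    # same effect as `uci rename firewall.@zone[N]="wan"`, keyed on the name
    # instead of the position, and skipped when the section is already named
    if [ "$sid" != "$name" ]; then
        echo "uci rename firewall.$sid='$name'"
    fi
    echo "uci set firewall.$name.log='1'"
    echo "uci commit firewall"
    echo "service firewall restart"
}

# Usage on the router: uci show firewall | zone_logging_cmds wan
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_UCI" | zone_logging_cmds wan
```

After the rename has been committed, the original one-liner `uci set firewall.wan.log='1'` works as expected, and the same lookup can be repeated for `lan` or any other zone LuCI created anonymously.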

