WAN Input traffic not rejected

pmisch · December 11, 2022, 10:51am

Hi,

I just scanned my home firewall with nmap and to my surprise I found out that incoming traffic isn't being filtered fully.

I'm on 22.03.2 r19803-9a599fee93 on an x86 machine.

This is my wan interface:

config interface "wan"
        option device "eth0"
        option proto "pppoe"
        # PPPoE config
        option ipv6 "auto"
        option username "secret"
        option password "secret"
config interface "wan6"
        option device "@wan"
        option proto "dhcpv6"
        # DHCPv6 client config
        option reqaddress "try"
        option reqprefix "48"

Those are the relevant firewall sections:

config defaults 'defaults'
        option forward 'REJECT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option drop_invalid '1'
        option input 'ACCEPT'

config zone
        option name 'WAN'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option log '1'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

This is an excerpt of the resulting nft ruleset:

table inet fw4 {
        chain input {
               ...
                iifname "pppoe-wan" jump input_WAN comment "!fw4: Handle WAN IPv4/IPv6 input traffic"
               ...
                jump handle_reject
        }
        chain input_WAN {
                icmp type echo-request counter packets 21 bytes 2016 accept comment "!fw4: Allow-Ping WAN to firewall"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP WAN to firewall"
                ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 6 bytes 1440 accept comment "!fw4: Allow-DHCPv6 WAN"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route  } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD WAN"
                meta l4proto tcp counter packets 2614 bytes 166961 accept comment "!fw4: wireguard_dn42"
                meta l4proto udp counter packets 3 bytes 559 accept comment "!fw4: wireguard_dn42"
                tcp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
                udp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
                ip6 saddr { 2001:abc:abc::/48, 2a00:abc:cab::/48 } counter packets 0 bytes 0 accept comment "!fw4: admin_accept wan"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_WAN
        }
}

As the default rule for the zone for input is REJECT I would expect everything to be rejected, as long as there is no specific rule, that would allow.

Yet when I scan from an external machine on the internet IPv4 incoming as well as IPv6 is being accepted to my surprise.

nmap <<public IP or public IPv6>>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-11 11:39 CET
Nmap scan report for hostname (<<ip address>>)
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
443/tcp  open  https
8888/tcp open  sun-answerbook

What's going on here?

jow · December 11, 2022, 11:03am

It‘s most likely your ISP accepting on your behalf. For example port 8888 is not used by default OpenWrt at all.

Maybe try connecting to https://yourextip/ to see what‘s up there. I‘d bet that it is not LuCI responding

pmisch · December 11, 2022, 11:16am

No, that is not it. I'm running tinyproxy on 8888. It is actually the OpenWrt device accepting the traffic. I verified it by coming from another host in the internet, which can ssh into my device and open LUCI.

jow · December 11, 2022, 11:29am

You appear to have a rule called „wireguard_dn42“ which is accepting all traffic on wan. Double check it‘s definition, maybe it’s missing a dest port/ip or protocol selector.

pmisch · December 11, 2022, 11:37am

You are right, how can I have overlooked this? Thank you so much.

system · December 21, 2022, 11:37am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.