Hi,
I just scanned my home firewall with nmap and to my surprise I found out that incoming traffic isn't being filtered fully.
I'm on 22.03.2 r19803-9a599fee93 on an x86 machine.
This is my wan interface:
```
config interface "wan"
    option device "eth0"
    option proto "pppoe"
    # PPPoE config
    option ipv6 "auto"
    option username "secret"
    option password "secret"

config interface "wan6"
    option device "@wan"
    option proto "dhcpv6"
    # DHCPv6 client config
    option reqaddress "try"
    option reqprefix "48"
```
Those are the relevant firewall sections:
```
config defaults 'defaults'
    option forward 'REJECT'
    option output 'ACCEPT'
    option synflood_protect '1'
    option drop_invalid '1'
    option input 'ACCEPT'

config zone
    option name 'WAN'
    option forward 'REJECT'
    option input 'REJECT'
    option output 'ACCEPT'
    option log '1'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'
```
This is an excerpt of the resulting nft ruleset:
```
table inet fw4 {
    chain input {
        ...
        iifname "pppoe-wan" jump input_WAN comment "!fw4: Handle WAN IPv4/IPv6 input traffic"
        ...
        jump handle_reject
    }

    chain input_WAN {
        icmp type echo-request counter packets 21 bytes 2016 accept comment "!fw4: Allow-Ping WAN to firewall"
        meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP WAN to firewall"
        ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 6 bytes 1440 accept comment "!fw4: Allow-DHCPv6 WAN"
        ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD WAN"
        meta l4proto tcp counter packets 2614 bytes 166961 accept comment "!fw4: wireguard_dn42"
        meta l4proto udp counter packets 3 bytes 559 accept comment "!fw4: wireguard_dn42"
        tcp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
        udp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
        ip6 saddr { 2001:abc:abc::/48, 2a00:abc:cab::/48 } counter packets 0 bytes 0 accept comment "!fw4: admin_accept wan"
        ct status dnat accept comment "!fw4: Accept port redirections"
        jump reject_from_WAN
    }
}
```
As the default input rule for the zone is REJECT, I would expect everything to be rejected as long as there is no specific rule that would allow it.
Yet when I scan from an external machine on the internet, incoming IPv4 as well as IPv6 traffic is being accepted, to my surprise.
```
nmap <<public IP or public IPv6>>

Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-11 11:39 CET
Nmap scan report for hostname (<<ip address>>)
Host is up (0.015s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
443/tcp  open  https
8888/tcp open  sun-answerbook
```
What's going on here?
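An added example, not part of the original post: a small checker that reads an fw4 `input_WAN` chain dump and reports accept rules which match TCP or UDP as a whole (no `dport`, `sport`, `saddr` or `daddr` qualifier), the class of rule that lets a zone with `input REJECT` still answer on every port. The sample ruleset is a constructed copy of the chain quoted above.

```python
import re

# Constructed excerpt modelled on the input_WAN chain shown in the post
INPUT_WAN_RULES = """\
icmp type echo-request counter packets 21 bytes 2016 accept comment "!fw4: Allow-Ping WAN to firewall"
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP WAN to firewall"
ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 6 bytes 1440 accept comment "!fw4: Allow-DHCPv6 WAN"
meta l4proto tcp counter packets 2614 bytes 166961 accept comment "!fw4: wireguard_dn42"
meta l4proto udp counter packets 3 bytes 559 accept comment "!fw4: wireguard_dn42"
tcp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
udp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
ip6 saddr { 2001:abc:abc::/48, 2a00:abc:cab::/48 } counter packets 0 bytes 0 accept comment "!fw4: admin_accept wan"
ct status dnat accept comment "!fw4: Accept port redirections"
jump reject_from_WAN
"""

COUNTER_RE = re.compile(r"\bcounter packets \d+ bytes \d+\b")
COMMENT_RE = re.compile(r'comment "([^"]*)"')
# Any of these in the match expression narrows the rule to specific ports or peers
RESTRICTING = {"dport", "sport", "saddr", "daddr"}


def find_broad_tcp_udp_accepts(ruleset: str) -> list[tuple[str, str]]:
    """Return (comment, match expression) for every accept rule that selects
    TCP or UDP without restricting port or address, i.e. accepts the whole
    protocol from anywhere."""
    findings = []
    for raw in ruleset.splitlines():
        comment_m = COMMENT_RE.search(raw)
        comment = comment_m.group(1) if comment_m else ""
        # Strip the comment first so words like "Accept" inside it are ignored
        expr = COUNTER_RE.sub("", COMMENT_RE.sub("", raw)).split()
        if not expr or expr[-1] != "accept":
            continue  # jump/drop/reject verdicts are not what we are looking for
        matches = expr[:-1]
        words = {t.strip("{},") for t in matches}
        # TCP/UDP may be selected via `meta l4proto tcp` or a bare `tcp ...` expression
        if words & {"tcp", "udp"} and not words & RESTRICTING:
            findings.append((comment, " ".join(matches)))
    return findings


if __name__ == "__main__":
    for comment, expr in find_broad_tcp_udp_accepts(INPUT_WAN_RULES):
        print(f"protocol-wide accept: [{expr}] ({comment})")
```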