big surprise in balance security

Hello friends. I own a few balance devices and although I understand that the purpose of these devices is not information security, I am still surprised by such a glitch.
I’m with the latest version of course.
I perform port forwarding RDP to a server outside the LAN in port X.
Then I authorize firewall access rules to log in from a specific IP address only. And to my surprise this Rule is not enforced by the device, these let any address go through and give access to RDP.
Regarding the administration of this device the Rule is excellently enforced.
Can anyone explain this gap to me? Isn’t this a dangerous security breach? Is the device supposed to give access to severity that I set differently?

Screenshot of your firewall rule(s) please. Blur out sensitive info.

@Tzur, a suggestion would be to not open any of those ports for inbound access. That’s just asking for issues.

What you should be doing is setting up “Remote User Access” in the section on the left below the Firewall area. I use the OpenVPN app to connect secure and remote to my Balance at home, and don’t have to worry about opening those firewall ports.

From there you are going to select which network/VLAN your remote users will access.
If it is a different VLAN that might not have access, then you need to go back into the Firewall section and adjust the “Internal Firewall Rules” not the “Inbound Firewall Rules.” Basically just move the “Inbound” rules down to the “Internal” rules section and you should be ok.

What does that have to do with the question I asked, or the rules that the device does not enforce ??? I also know not to open known ports or work on a VPN.
But this is not a solution to my question

Your firewall rule list is pretty pointless anyway, you have the default action set to accept anything from anywhere…

Your rules for RDP are also likely not working and the traffic is being let in by the default rule.

You should probably set the source port to “any” for all of your rules as it is highly likely to be randomly selected, I’d then enable logging for the rules to make sure traffic is matching them correctly.

Once you are sure the traffic is being matched by the rules and not the default rule then change that default policy to “deny” otherwise you may as well just delete everything else you have above it.

And yes, I would agree with the above sentiment of “use a VPN, don’t just expose services to the internet especially ones like RDP”.

1 Like

you have an any to any rule opening everything

also, opening rdp to internet is a very basic security mistake, i highly recommend against that

The first law allows access to everyone from anywhere due to the fact that it is redirected to another additional WAN address that has no connection to the network in question.

Look … I understand a thing or two about Data security, so it’s hard for me to get your answers. More than that, I connected to another device I have, where there is one external address, the rules define exactly which address is allowed and at which port, and for some reason here too you can connect from any address and not just the one defined.

i still see an any any rule. it says default. how do u get rid of that?

You set the default action to either allow or deny. Can’t delete it, only change behavior to what you desire. Needs to be changed to deny in this use case :slight_smile:

That wasn’t the rule I was referring to.

That may be so, but you appear to lack a fundamental understanding of how a firewall functions, or how packets are likely sourced from the external devices towards you in terms of source ports.

Three key points to consider -

  1. Rule are processed top down, in order.
  2. First rule to match traffic applies.
  3. Consider SOURCE as well as DESTINATION in your rules for not just IP but also PORT.

If you have a packet that you expect to be processed by your “IP Phone” rule where you stipulate a source port of tcp:80 and because of randomisation on the client side making that connection (either because in reality that is how lots of things work, or in reality how devices are behind NAT before they cross the internet to you) it actually arrives with a randomised SOURCE of tcp:32193 it will be ignored by that rule, and carry on down until it hits the “default” which you have set to accept anything. The DESTINATION is still tcp:80, but as the rule does not match on the source correctly it will be bypassed.

The firewall, as it stands with that default rule set to “permit anything from anywhere” is basically wide open, you are not actually blocking anything connecting inwards.

This explains why your RDP rule is not working how you expect, and it is highly likely the same is actually true of your other rules.

Because as I and others have stated, those rules you have are probably doing nothing.

You have the “default” rule at the bottom of the list set to “accept anything from anywhere”. Click it, change the default action to “deny”.

You will probably find your other rules are now not working as you think, that is good as it means the firewall is actually doing something now, your existing rules you think are working at the moment were more than likely a case of traffic hitting that default rule at the bottom in its state of “permit anything from anywhere” because I would bet pennies to pounds traffic is just falling through the list until it gets to that default rule at the moment.

Now on your existing rule list, change the SOURCE port for them to ANY, because as I explained earlier remote devices connecting in almost certainly are either randomising their source port on connection, or are possibly also behind NAT which may also (further) randomise their source ports towards you.

If you enable logging on the rules as you go you can also see traffic matching them in the event logs, you can turn logging off once you are satisfied things are working, or leave it on if you want I don’t know what Peplink appliance you are using or how high the volume of traffic is so you may not want the overhead of the logging.

1 Like

Once I disable this default rule, everything is blocked, everything includes everything except access to device management

Did you actually read and understand what I have written in both of my replies?

Did you change the SOURCE ports on the rules like I suggested?

Can you post a screenshot of what you have changed when you say “everything is blocked”, as yes, that is in some regards expected if you did not read and understand what I wrote above…

I must have read and understood, and more than that I did experiments.
I took a device with factory settings and set from 0.
And like I said no diagnosis from which IP address you come from everything goes through.
For anyone who thought that the default law was the one that caused the problem, you were wrong, once the default law is neutralized, everything is blocked!
And one more thing, to make sure I’m not wrong, I have defined only one rule!

I doubt that very much. The default rule when set to accept will permit any traffic inbound from any source, that is the problem case you were basically describing. In the context of the rules you posted I am very confident in my diagnosis of your problem and my explanation of why you see the behaviour that you do.

No idea what you mean by “neutralised” that is not a setting that exists here, that default action is either “accept” or “deny”. I did suggest you post your rules after you made changes if it was still not working as expected so people can try and further help you.

Please post your example config that demonstrates this then, perhaps along with packet captures that demonstrate the source IP + Port connection hitting the WAN and packet captures showing the subsequent traffic being forwarded to the internal host…

you are welcome…
Rull Cams - Allows access to NVR from any address on port 8200
Rull Cams2- Allows entry from any address at port 8100 to NVR
Rull AP - Allows me to enter only from my IP address in the office at port 55401
Rull RDP - Allows me to enter only from my IP address in the office at port 55751
Rull rdp2 - Allows me to enter only from my IP address in the office at port 3389
What’s wrong with these settings? Where is something wrong?
I must understand

Once made to Default Rul disable all addresses and ports are blocked. And note it is located at the bottom, which means that all the rulls above it are supposed to filter

So perhaps a picture will help., as it seems you have not read and understood what I have explained in detail above or made changes how I suggested - maybe I am not clear enough so this is hopefully easier for you to understand.

SOURCE PORTS - these are highly likely to not be symmetric, i.e. it is VERY UNLIKELY that port 8200 is used both on the source and destination of the connection etc. please do as I explained set SOURCE PORT to ANY.

If you don’t want to believe me make a packet capture, packets don’t lie but I am quite sure that in most instances your incoming connections will be using randomised source ports.

DEFAULT - this should be changed to DENY, as it is configured at the moment I am prety sure that NONE of your rules are working, they are all set to match on explicit source + ports, if a packet arrives with a different SOURCE port it will bypass those rules until it gets to the bottom and then will be processed by the DEFAULT rule, in this case set to ACCEPt it will simply let traffic through.

1 Like