big surprise in balance security

WillJones · May 13, 2022, 9:27pm

Your firewall rule list is pretty pointless anyway, you have the default action set to accept anything from anywhere…

Your rules for RDP are also likely not working and the traffic is being let in by the default rule.

You should probably set the source port to “any” for all of your rules as it is highly likely to be randomly selected, I’d then enable logging for the rules to make sure traffic is matching them correctly.

Once you are sure the traffic is being matched by the rules and not the default rule then change that default policy to “deny” otherwise you may as well just delete everything else you have above it.

And yes, I would agree with the above sentiment of “use a VPN, don’t just expose services to the internet especially ones like RDP”.

mystery · May 13, 2022, 9:41pm

you have an any to any rule opening everything

also, opening rdp to internet is a very basic security mistake, i highly recommend against that

Tzur · May 13, 2022, 10:17pm

The first law allows access to everyone from anywhere due to the fact that it is redirected to another additional WAN address that has no connection to the network in question.

Tzur · May 13, 2022, 10:28pm

Look … I understand a thing or two about Data security, so it’s hard for me to get your answers. More than that, I connected to another device I have, where there is one external address, the rules define exactly which address is allowed and at which port, and for some reason here too you can connect from any address and not just the one defined.
So…

mystery · May 14, 2022, 12:31am

i still see an any any rule. it says default. how do u get rid of that?

C_Metz · May 14, 2022, 4:58am

You set the default action to either allow or deny. Can’t delete it, only change behavior to what you desire. Needs to be changed to deny in this use case

WillJones · May 14, 2022, 6:34am

That wasn’t the rule I was referring to.

That may be so, but you appear to lack a fundamental understanding of how a firewall functions, or how packets are likely sourced from the external devices towards you in terms of source ports.

Three key points to consider -

Rule are processed top down, in order.
First rule to match traffic applies.
Consider SOURCE as well as DESTINATION in your rules for not just IP but also PORT.

If you have a packet that you expect to be processed by your “IP Phone” rule where you stipulate a source port of tcp:80 and because of randomisation on the client side making that connection (either because in reality that is how lots of things work, or in reality how devices are behind NAT before they cross the internet to you) it actually arrives with a randomised SOURCE of tcp:32193 it will be ignored by that rule, and carry on down until it hits the “default” which you have set to accept anything. The DESTINATION is still tcp:80, but as the rule does not match on the source correctly it will be bypassed.

The firewall, as it stands with that default rule set to “permit anything from anywhere” is basically wide open, you are not actually blocking anything connecting inwards.

This explains why your RDP rule is not working how you expect, and it is highly likely the same is actually true of your other rules.

Because as I and others have stated, those rules you have are probably doing nothing.

You have the “default” rule at the bottom of the list set to “accept anything from anywhere”. Click it, change the default action to “deny”.

You will probably find your other rules are now not working as you think, that is good as it means the firewall is actually doing something now, your existing rules you think are working at the moment were more than likely a case of traffic hitting that default rule at the bottom in its state of “permit anything from anywhere” because I would bet pennies to pounds traffic is just falling through the list until it gets to that default rule at the moment.

Now on your existing rule list, change the SOURCE port for them to ANY, because as I explained earlier remote devices connecting in almost certainly are either randomising their source port on connection, or are possibly also behind NAT which may also (further) randomise their source ports towards you.

If you enable logging on the rules as you go you can also see traffic matching them in the event logs, you can turn logging off once you are satisfied things are working, or leave it on if you want I don’t know what Peplink appliance you are using or how high the volume of traffic is so you may not want the overhead of the logging.

Tzur · May 15, 2022, 4:52am

Once I disable this default rule, everything is blocked, everything includes everything except access to device management

WillJones · May 15, 2022, 8:43am

Did you actually read and understand what I have written in both of my replies?

Did you change the SOURCE ports on the rules like I suggested?

Can you post a screenshot of what you have changed when you say “everything is blocked”, as yes, that is in some regards expected if you did not read and understand what I wrote above…

Tzur · May 16, 2022, 6:45pm

I must have read and understood, and more than that I did experiments.
I took a device with factory settings and set from 0.
And like I said no diagnosis from which IP address you come from everything goes through.
For anyone who thought that the default law was the one that caused the problem, you were wrong, once the default law is neutralized, everything is blocked!
And one more thing, to make sure I’m not wrong, I have defined only one rule!

WillJones · May 16, 2022, 7:03pm

I doubt that very much. The default rule when set to accept will permit any traffic inbound from any source, that is the problem case you were basically describing. In the context of the rules you posted I am very confident in my diagnosis of your problem and my explanation of why you see the behaviour that you do.

No idea what you mean by “neutralised” that is not a setting that exists here, that default action is either “accept” or “deny”. I did suggest you post your rules after you made changes if it was still not working as expected so people can try and further help you.

Please post your example config that demonstrates this then, perhaps along with packet captures that demonstrate the source IP + Port connection hitting the WAN and packet captures showing the subsequent traffic being forwarded to the internal host…

Tzur · May 16, 2022, 7:32pm

you are welcome…
Rull Cams - Allows access to NVR from any address on port 8200
Rull Cams2- Allows entry from any address at port 8100 to NVR
Rull AP - Allows me to enter only from my IP address in the office at port 55401
Rull RDP - Allows me to enter only from my IP address in the office at port 55751
Rull rdp2 - Allows me to enter only from my IP address in the office at port 3389
What’s wrong with these settings? Where is something wrong?
I must understand

Tzur · May 16, 2022, 7:42pm

Once made to Default Rul disable all addresses and ports are blocked. And note it is located at the bottom, which means that all the rulls above it are supposed to filter

WillJones · May 16, 2022, 7:52pm

So perhaps a picture will help., as it seems you have not read and understood what I have explained in detail above or made changes how I suggested - maybe I am not clear enough so this is hopefully easier for you to understand.

RED BOXES:
SOURCE PORTS - these are highly likely to not be symmetric, i.e. it is VERY UNLIKELY that port 8200 is used both on the source and destination of the connection etc. please do as I explained set SOURCE PORT to ANY.

If you don’t want to believe me make a packet capture, packets don’t lie but I am quite sure that in most instances your incoming connections will be using randomised source ports.

BLUE BOX:
DEFAULT - this should be changed to DENY, as it is configured at the moment I am prety sure that NONE of your rules are working, they are all set to match on explicit source + ports, if a packet arrives with a different SOURCE port it will bypass those rules until it gets to the bottom and then will be processed by the DEFAULT rule, in this case set to ACCEPt it will simply let traffic through.

WillJones · May 16, 2022, 8:00pm

Change the default rule like this so it actually drops traffic that is not let in explicitly:

Example of how your RDP rule should look:

Tzur · May 16, 2022, 8:19pm

Friend … it seems you do not want to understand what I’m presenting here.
I did exactly what you ask of me, and I explain again, what you marked in the blue box, as soon as I move to DENY everything is blocked. And no matter what you set in RULL.

Tzur · May 16, 2022, 8:21pm

Anyway, after such a loophole, I move all my sites to checkpoint and Fortigate, and not true to what I found out and too bad I admired Peplink.

WillJones · May 16, 2022, 8:38pm

I give up. Anyone else want to try?

Your screenshots show the source ports the same as the destination.

I explained to you in very basic terms why that does not normally need to be the case and why it likely means that when you set the default rule to DENY “everything is blocked” because ITS NOT BEING MATCHED BY THE RULES ABOVE IT CORRECTLY.

Post a packet capture then if you’re so sure that is wrong, or do like I said and enable logging on the rules to see if they are even being hit… or how about you open a support ticket as I’m sure Peplink would love to hear about this “loophole”.

Spoiler alert though, it is not a “loophole” just an end user who cannot properly configure a firewall - good luck Fortigate (and Checkpoint), I can promise you that if you configure like for like rules on those boxes it will also not work as both Forti and CP at least both drop inbound by default and your rules are fundamentally flawed.

MartinLangmaid · May 16, 2022, 8:58pm

There is no loophole.

When the default rule is set to deny you say everything is blocked - this is expected. When set to deny we have to build each and every desired allow access rule individually. We layer on top of the deny all / all.

It is very rare to need to deny all / all. The Peplink firewall is stateful and the only ports that get opened inbound (automatically) on a WAN with NAT enabled are those configured in port forwarding and those needed for enabled services (eg SpeedFusion VPN). All other inbound traffic is blocked by the stateful firewall by design.

If you have WANs that use IP forwarding rather than NAT (ie WANs connected to other parts of your internal network for internal routing) then all inbound traffic is allowed unless you specifically block it.

But the bigger question is what are you trying to do with the firewall?

It looks like you are creating rules for inbound access to internal services, but each of the rules is set to allow and each rule is configured to identify the source traffic by a source port that is very unlikely to be used by a source device anyways.

You are in effect allowing all inbound traffic on the ports you have already opened (default allow allow combined with port forwarding configuration), then adding additional rules to again allow inbound traffic from all remote IPs so long as they are using specific source ports for their traffic (source ports that are very very unlikely to ever be used by the remote devices).

Tell us what you are trying to achieve and we can help you build a ruleset to accomplish it.
In your original post it looks like you are trying to log inbound connections? In which case set the source ports to any and then you’ll see the traffic logged. eg: the following will log RDP inbound to 172.16.10.251

zegor_mjol · May 17, 2022, 1:37am

I’ll have a go (though the answer has been provided in multiple ways already)

It does not. It allows access to NVR from any address on port 8200 as long as the originating port is also 8200.