Firewall Problem - My job is on the line

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Sun Dec 26, 2021 6:42 pm

Fine, even if you exclude LAN, you'll find this everywhere:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport $VPN_PORT -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

I obviously don't have to tell you that the first rule coupled with incoming ICMP is basically asking to be owned. A 12yo can spoof ICMP 8 nowadays.

Allowing all packets pertaining to an established connection is the default for most users. You'll see that conntrack rule in any guide, template or otherwise and it's complete bs.

Instead of opening the entire port 1197, and exposing yourself to countless ways of spoofing or injection with that general conntrack ESTABLISHED input rule, mine only allows precisely what is needed to connect the VPN and nothing more.
Last edited by tunnel_boar on Sun Dec 26, 2021 7:10 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sun Dec 26, 2021 6:53 pm

tunnel_boar wrote:
Sun Dec 26, 2021 6:42 pm
even if you exclude LAN, you'll find this everywhere:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport $VPN_PORT -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
Well .. maybe, I'm not convinced though ...

My question is related to your new rules, what do they really add .. ?

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Sun Dec 26, 2021 7:15 pm

They are as restrictive as possible, thus minimizing the attack surface.

You can't see the blatant difference in security?
(not including misc like lo etc)

1.)
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 1197 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
Last edited by tunnel_boar on Sun Dec 26, 2021 8:27 pm, edited 1 time in total.
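The two posts above argue about what a blanket `RELATED,ESTABLISHED` accept on INPUT plus an unrestricted ICMP accept actually expose, and whether a default-DROP INPUT with only source-scoped accepts is tighter. The script below is an added example, not code from the thread or from the OpenVPN project: it parses a ruleset (either plain `iptables` commands as posted, or `iptables-save` output, since that is how rules are usually dumped) and reports the patterns under discussion, so a reader can check their own host instead of arguing from a template. The first sample is the ruleset posted above; the `iptables-save` sample is constructed. The parser only interprets `-P`, `-A`, `-p`, `-s`, `-d`, `--dport`, `--ctstate` and `-j`; any other match options are skipped, which is an assumption, not a full iptables grammar.

```python
"""Audit an iptables filter ruleset for the INPUT exposure patterns argued over above.

Added example (standard library only). Handles two input forms:
  * plain `iptables -P ...` / `iptables -A ...` command lines
  * `iptables-save` output (`:CHAIN POLICY [pkts:bytes]` and bare `-A ...` lines)
"""
import shlex

# Sample 1: the ruleset posted in the thread, as plain commands.
SAMPLE_RULES = """
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --dport 1197 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
"""

# Sample 2: constructed iptables-save dump with default-ACCEPT policies and no rules.
SAMPLE_SAVE = """
# Generated by iptables-save (constructed sample, not a real host)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): policies is {chain: policy}, rules a list of dicts."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        # Comments, table headers and COMMIT carry no rule content.
        if not line or line.startswith(("#", "*")) or line == "COMMIT":
            continue
        if line.startswith(":"):  # iptables-save policy line, e.g. ":INPUT ACCEPT [n:n]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        argv = shlex.split(line)
        if argv and argv[0] == "iptables":  # plain command form: drop the binary name
            argv = argv[1:]
        if argv[:1] == ["-P"]:
            policies[argv[1]] = argv[2]
            continue
        if argv[:1] != ["-A"]:
            continue  # -I/-D/-N etc. are not needed for this audit (assumption)
        rule = {"chain": argv[1], "proto": None, "src": None, "dst": None,
                "dport": None, "ctstate": set(), "target": None}
        i = 2
        while i < len(argv):  # every option we care about takes exactly one value
            opt, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-p":
                rule["proto"] = val
            elif opt == "-s":
                rule["src"] = val
            elif opt == "-d":
                rule["dst"] = val
            elif opt == "--dport":
                rule["dport"] = val
            elif opt == "--ctstate":
                rule["ctstate"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            # "-m conntrack" and unknown options are skipped with their value
            i += 2
        rules.append(rule)
    return policies, rules


def audit(text):
    """Return human-readable findings about what reaches the host on INPUT."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        # iptables defaults a chain's policy to ACCEPT when nothing sets it.
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain} policy is ACCEPT: anything not explicitly dropped is allowed")
    for r in rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        unscoped = r["proto"] is None and r["src"] is None
        if unscoped and "ESTABLISHED" in r["ctstate"]:
            findings.append("INPUT accepts RELATED,ESTABLISHED for any protocol and any source")
        elif unscoped and not r["ctstate"]:
            findings.append("INPUT accepts everything unconditionally")
        if r["proto"] == "icmp" and r["src"] is None:
            findings.append("INPUT accepts ICMP from any source")
        if r["dport"] and r["src"] is None:
            findings.append(f"INPUT port {r['dport']}/{r['proto']} is open to any source")
    return findings


if __name__ == "__main__":
    for name, sample in (("posted ruleset", SAMPLE_RULES), ("iptables-save sample", SAMPLE_SAVE)):
        print(f"== {name}")
        for f in audit(sample):
            print(" -", f)
```

Run it against `iptables-save` output from a real host (`sudo iptables-save | python3 audit.py` after changing the `__main__` block to read stdin) to see which of the argued-about patterns are actually present. The findings are exposure facts, not a verdict: whether an unscoped ESTABLISHED accept matters on a given host depends on what is listening behind it, which is exactly the point the two posters disagree on.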

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sun Dec 26, 2021 8:03 pm

If you need belt and braces then so be it .. more rules does not necessarily equal more security.

tunnel_boar
OpenVPN User
Posts: 25
Joined: Fri Dec 24, 2021 4:50 pm

Re: Firewall Problem - My job is on the line

Post by tunnel_boar » Sun Dec 26, 2021 8:26 pm

No man, it's fewer rules. I'm combining 4 rules into 2, while keeping sources and destinations as specific and tight as possible.

Not sure if you'd be comfortable sharing your rules, but I bet you have at least four open ports and that very same conntrack ESTABLISHED rule on INPUT. Probably, ports 22, 53, 80 & 443.

You said you had 40 years of experience, what are your areas of expertise?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Sun Dec 26, 2021 8:59 pm

tunnel_boar wrote:
Sun Dec 26, 2021 8:26 pm
No man it's less rules. I'm combining 4 rules into 2, while keeping sources and destinations as specific and tight as possible.
To me, this bit feels a bit belt and braces .. although the 2 for 4 is ok.
tunnel_boar wrote:
Sun Dec 26, 2021 6:42 pm
I obviously don't have to tell you that the first rule coupled with incoming ICMP is basically asking to be owned. A 12yo can spoof ICMP 8 nowadays.
ok, I will not speak for the rest of your system but I will say this: Openvpn is perfectly capable of defending itself.

If you keep that in mind, perhaps you can combine 4 into 1 (or something) ;-)

Code:

# Generated by iptables-save v1.8.4 on Sun Dec 26 20:49:34 2021
*filter
:INPUT ACCEPT [58221206:24010622547]
:FORWARD ACCEPT [43728:4215293]
:OUTPUT ACCEPT [53100627:7322650883]
COMMIT
# Completed on Sun Dec 26 20:49:34 2021

Code:

# Generated by ip6tables-save v1.8.4 on Sun Dec 26 21:02:11 2021
*filter
:INPUT ACCEPT [92408:16029182]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [879782:52902104]
COMMIT
# Completed on Sun Dec 26 21:02:11 2021

Code:

# ip r
default via 10.1.101.1 dev enp5s0 
10.1.101.0/24 dev enp5s0 proto kernel scope link src 10.1.101.101 
10.7.39.137 via 10.55.111.225 dev tunc55111 
10.55.111.224/27 dev tunc55111 proto kernel scope link src 10.55.111.254 
10.56.101.0/24 via 10.56.101.102 dev tunc56007 
10.56.101.102 dev tunc56007 proto kernel scope link src 10.56.101.101 
10.63.110.0/24 via 10.63.110.102 dev tuns63110 
10.63.110.102 dev tuns63110 proto kernel scope link src 10.63.110.101 
10.66.97.86 via 10.56.101.102 dev tunc56007 
10.126.66.0/24 via 10.126.66.102 dev tuns12666 
10.126.66.102 dev tuns12666 proto kernel scope link src 10.126.66.101 
10.171.22.2 dev tun17122 proto kernel scope link src 10.171.22.1 
10.177.240.0/20 via 10.171.22.2 dev tun17122 
10.177.240.1 dev tun_A17808 proto kernel scope link src 10.177.240.2 
10.177.240.5 dev tun_A17760 proto kernel scope link src 10.177.240.6 
10.177.240.9 dev tun_A17823 proto kernel scope link src 10.177.240.10 
10.177.240.13 dev tun_A17784 proto kernel scope link src 10.177.240.14 
10.177.240.17 dev tun_A17785 proto kernel scope link src 10.177.240.18 
10.177.240.21 dev tun_A17764 proto kernel scope link src 10.177.240.22 
10.177.240.25 dev tun_A17701 proto kernel scope link src 10.177.240.26 
10.177.240.29 dev tun_A17815 proto kernel scope link src 10.177.240.30 
10.177.240.33 dev tun_A17813 proto kernel scope link src 10.177.240.34 
10.177.240.37 dev tun_A17706 proto kernel scope link src 10.177.240.38 
10.177.240.41 dev tun_A17810 proto kernel scope link src 10.177.240.42 
10.177.240.45 dev tun_A17805 proto kernel scope link src 10.177.240.46 
10.177.240.49 dev tun_A17770 proto kernel scope link src 10.177.240.50 
10.177.240.53 dev tun_A17787 proto kernel scope link src 10.177.240.54 
10.177.240.57 dev tun_A17799 proto kernel scope link src 10.177.240.58 
10.177.240.61 dev tun_A17774 proto kernel scope link src 10.177.240.62 
10.177.240.65 dev tun_A17708 proto kernel scope link src 10.177.240.66 
10.177.240.69 dev tun_A17772 proto kernel scope link src 10.177.240.70 
10.177.240.73 dev tun_A17821 proto kernel scope link src 10.177.240.74 
10.177.240.77 dev tun_A17773 proto kernel scope link src 10.177.240.78 
10.177.240.81 dev tun_A17825 proto kernel scope link src 10.177.240.82 
10.177.240.85 dev tun_A17751 proto kernel scope link src 10.177.240.86 
10.177.240.89 dev tun_A17804 proto kernel scope link src 10.177.240.90 
10.177.240.93 dev tun_A17742 proto kernel scope link src 10.177.240.94 
10.177.240.97 dev tun_A17779 proto kernel scope link src 10.177.240.98 
10.177.240.101 dev tun_A17809 proto kernel scope link src 10.177.240.102 
10.177.240.105 dev tun_A17731 proto kernel scope link src 10.177.240.106 
10.177.240.109 dev tun_A17819 proto kernel scope link src 10.177.240.110 
10.177.240.113 dev tun_A17811 proto kernel scope link src 10.177.240.114 
10.177.240.117 dev tun_A17827 proto kernel scope link src 10.177.240.118 
10.177.240.121 dev tun_A17723 proto kernel scope link src 10.177.240.122 
10.177.240.125 dev tun_A17802 proto kernel scope link src 10.177.240.126 
10.177.240.129 dev tun_A17820 proto kernel scope link src 10.177.240.130 
10.177.240.133 dev tun_A17824 proto kernel scope link src 10.177.240.134 
10.177.240.137 dev tun_A17788 proto kernel scope link src 10.177.240.138 
10.177.240.141 dev tun_A17806 proto kernel scope link src 10.177.240.142 
10.177.240.145 dev tun_A17744 proto kernel scope link src 10.177.240.146 
10.177.240.149 dev tun_A17786 proto kernel scope link src 10.177.240.150 
10.177.240.153 dev tun_A17816 proto kernel scope link src 10.177.240.154 
10.177.240.157 dev tun_A17791 proto kernel scope link src 10.177.240.158 
10.177.240.161 dev tun_A17745 proto kernel scope link src 10.177.240.162 
10.177.240.165 dev tun_A17758 proto kernel scope link src 10.177.240.166 
10.177.240.169 dev tun_A17754 proto kernel scope link src 10.177.240.170 
10.177.240.173 dev tun_A17722 proto kernel scope link src 10.177.240.174 
10.177.240.177 dev tun_A17776 proto kernel scope link src 10.177.240.178 
10.177.240.181 dev tun_A17753 proto kernel scope link src 10.177.240.182 
10.177.240.185 dev tun_A17752 proto kernel scope link src 10.177.240.186 
10.177.240.189 dev tun_A17761 proto kernel scope link src 10.177.240.190 
10.177.240.193 dev tun_A17730 proto kernel scope link src 10.177.240.194 
10.177.240.197 dev tun_A17762 proto kernel scope link src 10.177.240.198 
10.177.240.201 dev tun_A17756 proto kernel scope link src 10.177.240.202 
10.177.240.205 dev tun_A17795 proto kernel scope link src 10.177.240.206 
10.177.240.209 dev tun_A17733 proto kernel scope link src 10.177.240.210 
10.177.240.213 dev tun_A17803 proto kernel scope link src 10.177.240.214 
10.177.240.217 dev tun_A17771 proto kernel scope link src 10.177.240.218 
10.177.240.221 dev tun_A17767 proto kernel scope link src 10.177.240.222 
10.177.240.225 dev tun_A17739 proto kernel scope link src 10.177.240.226 
10.177.240.229 dev tun_A17715 proto kernel scope link src 10.177.240.230 
10.177.240.233 dev tun_A17711 proto kernel scope link src 10.177.240.234 
10.177.240.237 dev tun_A17766 proto kernel scope link src 10.177.240.238 
10.177.240.241 dev tun_A17746 proto kernel scope link src 10.177.240.242 
10.177.240.245 dev tun_A17717 proto kernel scope link src 10.177.240.246 
10.177.240.249 dev tun_A17718 proto kernel scope link src 10.177.240.250 
10.177.240.253 dev tun_A17789 proto kernel scope link src 10.177.240.254 
10.177.241.1 dev tun_A17732 proto kernel scope link src 10.177.241.2 
10.177.241.5 dev tun_A17775 proto kernel scope link src 10.177.241.6 
10.177.241.9 dev tun_A17713 proto kernel scope link src 10.177.241.10 
10.177.241.13 dev tun_A17727 proto kernel scope link src 10.177.241.14 
10.177.241.17 dev tun_A17782 proto kernel scope link src 10.177.241.18 
10.177.241.21 dev tun_A17716 proto kernel scope link src 10.177.241.22 
10.177.241.25 dev tun_A17763 proto kernel scope link src 10.177.241.26 
10.177.241.29 dev tun_A17801 proto kernel scope link src 10.177.241.30 
10.177.241.33 dev tun_A17724 proto kernel scope link src 10.177.241.34 
10.177.241.37 dev tun_A17814 proto kernel scope link src 10.177.241.38 
10.177.241.41 dev tun_A17748 proto kernel scope link src 10.177.241.42 
10.177.241.45 dev tun_A17725 proto kernel scope link src 10.177.241.46 
10.177.241.49 dev tun_A17768 proto kernel scope link src 10.177.241.50 
10.177.241.53 dev tun_A17826 proto kernel scope link src 10.177.241.54 
10.177.241.57 dev tun_A17712 proto kernel scope link src 10.177.241.58 
10.177.241.61 dev tun_A17759 proto kernel scope link src 10.177.241.62 
10.177.241.65 dev tun_A17796 proto kernel scope link src 10.177.241.66 
10.177.241.69 dev tun_A17734 proto kernel scope link src 10.177.241.70 
10.177.241.73 dev tun_A17737 proto kernel scope link src 10.177.241.74 
10.177.241.77 dev tun_A17735 proto kernel scope link src 10.177.241.78 
10.177.241.81 dev tun_A17793 proto kernel scope link src 10.177.241.82 
10.177.241.85 dev tun_A17783 proto kernel scope link src 10.177.241.86 
10.177.241.89 dev tun_A17704 proto kernel scope link src 10.177.241.90 
10.177.241.93 dev tun_A17780 proto kernel scope link src 10.177.241.94 
10.177.241.97 dev tun_A17726 proto kernel scope link src 10.177.241.98 
10.177.241.101 dev tun_A17728 proto kernel scope link src 10.177.241.102 
10.177.241.105 dev tun_A17757 proto kernel scope link src 10.177.241.106 
10.177.241.109 dev tun_A17755 proto kernel scope link src 10.177.241.110 
10.177.241.113 dev tun_A17777 proto kernel scope link src 10.177.241.114 
10.177.241.117 dev tun_A17710 proto kernel scope link src 10.177.241.118 
10.177.241.121 dev tun_A17740 proto kernel scope link src 10.177.241.122 
10.177.241.125 dev tun_A17790 proto kernel scope link src 10.177.241.126 
10.177.241.129 dev tun_A17800 proto kernel scope link src 10.177.241.130 
10.177.241.133 dev tun_A17797 proto kernel scope link src 10.177.241.134 
10.177.241.137 dev tun_A17818 proto kernel scope link src 10.177.241.138 
10.177.241.141 dev tun_A17747 proto kernel scope link src 10.177.241.142 
10.177.241.145 dev tun_A17812 proto kernel scope link src 10.177.241.146 
10.177.241.149 dev tun_A17822 proto kernel scope link src 10.177.241.150 
10.177.241.153 dev tun_A17765 proto kernel scope link src 10.177.241.154 
10.177.241.157 dev tun_A17738 proto kernel scope link src 10.177.241.158 
10.177.241.161 dev tun_A17714 proto kernel scope link src 10.177.241.162 
10.177.241.165 dev tun_A17721 proto kernel scope link src 10.177.241.166 
10.177.241.169 dev tun_A17769 proto kernel scope link src 10.177.241.170 
10.177.241.173 dev tun_A17794 proto kernel scope link src 10.177.241.174 
10.177.241.177 dev tun_A17736 proto kernel scope link src 10.177.241.178 
10.177.241.181 dev tun_A17743 proto kernel scope link src 10.177.241.182 
10.177.241.185 dev tun_A17741 proto kernel scope link src 10.177.241.186 
10.177.241.189 dev tun_A17719 proto kernel scope link src 10.177.241.190 
10.177.241.193 dev tun_A17720 proto kernel scope link src 10.177.241.194 
10.177.241.201 dev tun_A17709 proto kernel scope link src 10.177.241.202 
10.177.241.205 dev tun_A17729 proto kernel scope link src 10.177.241.206 
10.177.241.209 dev tun_A17807 proto kernel scope link src 10.177.241.210 
10.177.241.213 dev tun_A17781 proto kernel scope link src 10.177.241.214 
10.177.241.217 dev tun_A17702 proto kernel scope link src 10.177.241.218 
10.177.241.221 dev tun_A17778 proto kernel scope link src 10.177.241.222 
10.177.241.225 dev tun_A17705 proto kernel scope link src 10.177.241.226 
10.177.241.233 dev tun_A17817 proto kernel scope link src 10.177.241.234 
10.177.241.241 dev tun_A17798 proto kernel scope link src 10.177.241.242 
10.177.241.245 dev tun_A17707 proto kernel scope link src 10.177.241.246 
10.177.241.249 dev tun_A17703 proto kernel scope link src 10.177.241.250 
10.177.241.253 dev tun_A17749 proto kernel scope link src 10.177.241.254 
192.168.101.3 via 10.126.66.102 dev tuns12666 
192.168.101.234 via 10.126.66.102 dev tuns12666 
There are clever people who still have not figured out why the Internet is still v4.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Firewall Problem - My job is on the line

Post by TinCanTech » Mon Dec 27, 2021 12:23 am

tunnel_boar wrote:
Fri Dec 24, 2021 10:01 pm
TinCanTech wrote:
Fri Dec 24, 2021 9:47 pm
  • OpenVPN is FOSS and all the documentation is written by volunteers.
Right, by people who believe information should be free.

You're like Darth Sidious, hoarding knowledge. :roll:

I have helped countless people on various forums and mailing lists, because that's what we do in this community.

Nobody is expecting a spoon feed, but a reasonable hint is common courtesy.
What you are doing is pretty much the antithesis to the FOSS spirit.
see my lair, where I keep my hoard:
I really like this one. :mrgreen:

If you would like to see my Lair, where I keep my Hoard then I extend my invitation: https://github.com/TinCanTech/easy-tls

There is a reason why some things are public and other things are not. You can change that.. or not.
