Bad configuration, uneducated user or a compromised firewall?
-
Background
I have an SG-5100 as my gateway. The rule on WAN is the default, which is block all incoming (plus the block private and bogon).
I have a mix of devices on the LAN, mostly windows but also one Linux server (it's an internal staging server - doesn't need to accept traffic from outside) and I recently configured a Linux desktop (for some testing needs).
This new desktop is Ubuntu 22.04. After installation, I enabled ufw on it with fairly restrictive rules (block all incoming and outgoing traffic, except for specific combinations).
Issue
Within a few hours of installation, I noticed a bunch of entries in the Ubuntu firewall log that I wasn't expecting. The most problematic ones seem like incoming requests from external IPs. Examples below:

Jul 23 23:12:05 ubuntu-desktop kernel: [ 2290.328780] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=142.250.65.206 DST=192.168.1.35 LEN=66 TOS=0x00 PREC=0x80 TTL=61 ID=0 DF PROTO=UDP SPT=443 DPT=45631 LEN=46
Jul 24 00:11:19 ubuntu-desktop kernel: [ 5844.376046] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=169.197.150.7 DST=192.168.1.35 LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48987 DF PROTO=TCP SPT=443 DPT=57286 WINDOW=11 RES=0x00 ACK PSH URGP=0
Jul 24 01:22:35 ubuntu-desktop kernel: [10120.424253] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=38.91.45.7 DST=192.168.1.35 LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48558 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=11 RES=0x00 ACK PSH URGP=0
My question
How did these requests get past pfSense in the first place?
-
@drphil
Source port 443? No device uses 443 as source port.
So I assume these are servers which the machine has requested before. Hence pfSense opened the port, but the Ubuntu firewall might already have closed the connection at this time, while pfSense didn't.
-
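To make the distinction drawn in this answer checkable against a log file rather than by eye, here is an added example (not code from the thread or from pfSense/ufw): a small Python parser for [UFW BLOCK] kernel log lines that splits the key=value fields, collects the bare TCP flag tokens ("ACK PSH"), and labels each record as either a late reply to a flow this host itself started (server-side port below 1024, our side on an ephemeral port, no bare SYN) or an unsolicited new connection attempt (a SYN without ACK). The input is the three lines quoted in the original post plus one constructed SYN line so the second category shows up. The ephemeral-port lower bound of 32768 and the "well-known port below 1024" cutoff are assumptions about defaults, not facts from the thread.

```python
"""Classify [UFW BLOCK] log lines: late replies to our own flows vs. unsolicited inbound."""
import ipaddress
import re
from collections import Counter

# The three [UFW BLOCK] lines quoted in the original post (verbatim).
POSTED_LINES = [
    "Jul 23 23:12:05 ubuntu-desktop kernel: [ 2290.328780] [UFW BLOCK] IN=eno1 OUT= "
    "MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=142.250.65.206 DST=192.168.1.35 "
    "LEN=66 TOS=0x00 PREC=0x80 TTL=61 ID=0 DF PROTO=UDP SPT=443 DPT=45631 LEN=46",
    "Jul 24 00:11:19 ubuntu-desktop kernel: [ 5844.376046] [UFW BLOCK] IN=eno1 OUT= "
    "MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=169.197.150.7 DST=192.168.1.35 "
    "LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48987 DF PROTO=TCP SPT=443 DPT=57286 "
    "WINDOW=11 RES=0x00 ACK PSH URGP=0",
    "Jul 24 01:22:35 ubuntu-desktop kernel: [10120.424253] [UFW BLOCK] IN=eno1 OUT= "
    "MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=38.91.45.7 DST=192.168.1.35 "
    "LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48558 DF PROTO=TCP SPT=443 DPT=34766 "
    "WINDOW=11 RES=0x00 ACK PSH URGP=0",
]

# A constructed line (not from the post) showing what a genuinely unsolicited inbound
# SYN to port 22 would look like. 203.0.113.9 is an RFC 5737 documentation address,
# chosen so the sample points at no real host; ipaddress reports it as not global.
CONSTRUCTED_LINES = [
    "Jul 24 02:00:00 ubuntu-desktop kernel: [12000.000000] [UFW BLOCK] IN=eno1 OUT= "
    "MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=203.0.113.9 DST=192.168.1.35 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=54321 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
]

UFW_RE = re.compile(r"\[UFW ([A-Z ]+)\] (.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG", "ECE", "CWR"}
INT_FIELDS = {"LEN", "L4_LEN", "TTL", "ID", "SPT", "DPT", "WINDOW"}
EPHEMERAL_MIN = 32768  # assumption: default lower bound of Linux net.ipv4.ip_local_port_range
WELL_KNOWN_MAX = 1023  # assumption: the server side of a flow sits on a well-known port


def parse_ufw_line(line):
    """Return a dict of the fields of one UFW kernel log line, or None if it is not one."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = {"ACTION": m.group(1), "FLAGS": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # The IP header LEN and the UDP header LEN share a name; keep both.
            if key == "LEN" and "LEN" in rec:
                key = "L4_LEN"
            rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        elif tok in TCP_FLAGS:  # bare tokens such as "ACK PSH" are the TCP flags
            rec["FLAGS"].add(tok)
    src = rec.get("SRC")
    rec["SRC_IS_GLOBAL"] = bool(src) and ipaddress.ip_address(src).is_global
    return rec


def classify(rec):
    """Label a parsed record by what kind of packet the block most likely was."""
    proto, spt, dpt, flags = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"), rec["FLAGS"]
    if not isinstance(spt, int) or not isinstance(dpt, int):
        return "other"
    from_server_port = spt <= WELL_KNOWN_MAX and dpt >= EPHEMERAL_MIN
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            return "unsolicited-syn"  # a new connection attempt from outside
        if "ACK" in flags and from_server_port:
            return "stale-reply"  # mid-stream segment for a flow this host began
        return "tcp-other"
    if proto == "UDP":
        return "stale-reply" if from_server_port else "udp-other"
    return "other"


def summarize(lines):
    """Count classifications over an iterable of raw log lines (non-UFW lines are skipped)."""
    counts = Counter()
    for line in lines:
        rec = parse_ufw_line(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts


if __name__ == "__main__":
    for line in POSTED_LINES + CONSTRUCTED_LINES:
        rec = parse_ufw_line(line)
        print(f'{rec["SRC"]:>16} {rec["PROTO"]:<3} {rec["SPT"]:>5}->{rec["DPT"]:<5} '
              f'{" ".join(sorted(rec["FLAGS"])):<8} {classify(rec)}')
    print(dict(summarize(POSTED_LINES + CONSTRUCTED_LINES)))
```

The labels are heuristics, not proof: a bare ACK from a low source port looks the same whether it is the tail of a connection the desktop opened before ufw came up or an ACK scan, so the authoritative check is the state table on pfSense, which shows whether a matching outbound state for that source/port pair existed. What the script does settle is the cheap part of the question: none of the three posted lines carries a SYN, so none of them is a new inbound connection that pfSense let through.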
@viragomann Thank you that makes sense and makes me feel much better.
In my mind it completely explains at least two of these entries (TCP). Could I ask for your opinion on the UDP one also? The UFW firewall actually blocks outgoing 443 on UDP (only allows TCP).
-
Actually I think I know the answer. Once I installed Ubuntu, a few minutes passed before I enabled UFW. The desktop must have sent out the TCP and UDP requests in those few minutes.
Which is the other annoying aspect. The machine has been attempting outbound requests to 1e100.net (which I understand is Google), deepintent.com (no idea who they are and why is my machine trying to reach them) and some IPs that don't return anything with rDNS.
-
-
Thank you @viragomann, I did not know that!
For the benefit of future readers who may not have the time to read the Wikipedia article: it looks like the QUIC protocol (which runs on top of UDP) might some day replace the TCP protocol. If you're configuring a firewall, you want to allow outgoing TCP and UDP traffic to 443.