Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Preventing access to secondary firewall

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    30 Posts 6 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Most people do not pass traffic in WAN to the inside network so it is not a problem.

      You will have to look at the states to see why the traffic is not being blocked on the LAN interface of the secondary. Something tells me traffic is not flowing like you think it is.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      1 Reply Last reply Reply Quote 0
      • K
        kayavila
        last edited by

        This is a toy example meant to illustrate the problem. You've said both that a rule would be needed on the WAN to the secondary firewall's LAN interface, and also that you think the rules on the LAN interface should block it. I can't tell if you're saying this is expected behavior for it to not be blocked, or not.

        I agree that most people are probably not allowing full traffic from the inside to their outside. However, the reverse is certainly common (allowing all from the inside to the outside) - some environments may have an allow all out to the outside. In that situation, even the block to This Firewall will not stop the inside clients from reaching the outside interface of the secondary firewall.

        It becomes even more difficult in situations with multiple inside interfaces... hence me wondering about whether I really need to create an alias all of both firewall's IP addresses, and block that instead. I don't think most people are going to work through that and realize their secondary firewalls' interfaces are unprotected.

        If you set it up in a lab, with NAT turned off and state syncing turned on, I think you'll see that it behaves the way I'm describing it.

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          I am not going to set it up because I am certain that I will not see it as you are.

          NAT has absolutely nothing to do with hosts on inside interfaces accessing the firewall's outside interface address.

          Then you are not misunderstanding something very basic or have something else misconfigured. A synced rule blocking access to This Firewall (self) will absolutely block traffic to the primary on the primary and the secondary on the secondary.

          Please send me the contents of /tmp/rules.debug from both nodes in chat and explain exactly what you think should be being blocked in the real world situation that is not being blocked. Please be as specific as possible. Source and destination addresses, etc.

          Thanks.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • K
            kayavila
            last edited by

            I cannot send you our production rules, but we've tested and confirmed this behavior on three different clusters. The best I could do is set up a lab, confirm the behavior, and send you that config. If time permits, we will do that.

            I mention NAT only to make it clear that NAT is not involved in our scenarios, since you've asked me about it several times.

            @kayavila said in Preventing access to secondary firewall:

            I can't tell if you're saying this is expected behavior for it to not be blocked, or not.

            Would you please confirm if you think the traffic should be allowed or not without explicitly blocking the secondary IP addresses?

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              This firewall rules sync from the primary to the secondary. It covers the interface addresses on the firewall upon which the rule is active.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • JeGrJ
                JeGr LAYER 8 Moderator
                last edited by

                @Derelict said in Preventing access to secondary firewall:

                This firewall rules sync from the primary to the secondary. It covers the interface addresses on the firewall upon which the rule is active.

                Also if I'm not mistaken, "This Firewall" also includes all CARP VIPs of the firewall as well as any firewall related IP. We have quite a few clusters here, that are configured that way to block certain things or allow certain things with This Firewall as it includes the VIP as well as the node IP on the corresponding node so if you e.g. configure an allow or block SSH with that it covers all 3 IPs in a typical CARP setup.

                Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                I 1 Reply Last reply Reply Quote 0
                • I
                  IcePick @JeGr
                  last edited by

                  @JeGr said in Preventing access to secondary firewall:

                  This Firewall as it includes the VIP as well as the node IP on the corresponding node

                  This is not correct. It does not include any of the secondary member's IPs when being evaluated on the Primary. and vice-versa when being evaluated on the secondary.

                  1 Reply Last reply Reply Quote 0
                  • K
                    kayavila
                    last edited by

                    We had a chance to set this up with two lab firewalls and a very basic config and were able to replicate the behavior. I've uploaded the configs to @Derelict but I can post them here as well if people are interested.

                    The issue with accessing a secondary firewall's interface by passing through the primary only happens if state syncing is turned on. From looking on the command line and in the web interface, I thought that states held in memory were specific to the interface, so I'm not sure why this works.

                    @JeGr I would be interested if you have the chance to test with your clusters on something similar to what I'm talking about, if you're similar enough to the setup I described where you're using a VIP. If you have something that's allowed all on your LAN interface, even if that rule is after your blocks to the firewall, can you hit the secondary firewall's WAN interface? (Or vice versa, as I was describing above, with a rule from the WAN to something on the LAN.)

                    1 Reply Last reply Reply Quote 0
                    • JeGrJ
                      JeGr LAYER 8 Moderator
                      last edited by

                      @IcePick said in Preventing access to secondary firewall:

                      This is not correct. It does not include any of the secondary member's IPs when being evaluated on the Primary. and vice-versa when being evaluated on the secondary.

                      Never said that - read again :)

                      Don't forget to upvote ๐Ÿ‘ those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      1 Reply Last reply Reply Quote 0
                      • K
                        kayavila
                        last edited by kayavila

                        We created a lab with two firewalls with very basic configs, and set up something similar to what I outlined above. I provided rules and config to @Derelict at the beginning of July and messaged him since to follow up but haven't heard back. So, I'm uploading them here.

                        Using these configs, the IP address in the test alias (from the outside/WAN interface of the firewall) can connect to the secondary firewall's LAN interface, even though the rules would seem to block it.

                        Additionally, any IP address on the LAN subnet can connect to the secondary firewall's WAN address, even though the rules would seem to deny it.

                        If you turn off state syncing, this stops being true.

                        I'm interested to see if anyone can find an issue with how the config is set up, or whether using "This firewall" in the rules just isn't enough to ever block access on the secondary.

                        fwa_rules.debug.txt
                        fwb_rules.debug.txt
                        config-fwa.localdomain-20190627095630.xml
                        config-fwb.localdomain-20190627100039.xml

                        1 Reply Last reply Reply Quote 0
                        • K kayavila referenced this topic on
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.