Block traffic when related NAT rule Alias doesn't exist
-
After doing a penetration test against our firewall - Version 2.3.3-RELEASE (amd64)
we realized that all communication to one of our inside hosts is wide open. After reviewing our firewall configuration we noticed that pfSense, for any PAT rule (like PAT > TCP Virtual.IP Alias-A Real.IP Alias-A) where the named alias (Alias-A) doesn't exist, permits access from any public IP to the real inside TCP port on the Real.IP host.
So to summarize:
- Internal host is published to separate virtual IP using Alias
- Alias doesn't exist
- Instead of blocking traffic for the non-matched alias, the firewall enabled all traffic to the inside host
This all came as a result of a migration from one firewall to another, when some aliases were missed.
Can this be resolved in the next 2.3.3_2 release?
Thank you
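The migration problem described in this post (rules that still name an alias which was never carried over) can be caught before the config is loaded, by auditing the config.xml export. The script below is an added example, not pfSense code and not something from this thread: it walks the aliases, NAT rules and filter rules and reports every alias name that is referenced but never defined. The element names (aliases/alias/name, nat/rule, filter/rule, source|destination/address|port, target, local-port) follow the config.xml layout as I remember it and should be checked against a real export; the sample config embedded in it is constructed for the example, and the "anything with a dot is an IP or FQDN, not an alias" rule is a heuristic assumption.

```python
"""Audit a pfSense config.xml export for rules referencing aliases that no longer exist.

Added example, not pfSense code. Element names are assumed from the config.xml
layout (verify against a real export); the sample config below is constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the port alias "Alias-A" and the host alias "MGMT_HOSTS"
# were lost in a migration, but NAT and filter rules still reference them.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>WEB_PORTS</name><type>port</type><address>80 443</address></alias>
    <alias><name>DMZ_WEB</name><type>host</type><address>192.0.2.10</address></alias>
  </aliases>
  <nat>
    <rule>
      <descr>Publish DMZ web</descr>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><address>203.0.113.5</address><port>Alias-A</port></destination>
      <target>DMZ_WEB</target>
      <local-port>Alias-A</local-port>
    </rule>
  </nat>
  <filter>
    <rule>
      <descr>NAT Publish DMZ web</descr>
      <source><any/></source>
      <destination><address>DMZ_WEB</address><port>Alias-A</port></destination>
    </rule>
    <rule>
      <descr>Allow mgmt</descr>
      <source><address>MGMT_HOSTS</address></source>
      <destination><address>DMZ_WEB</address><port>WEB_PORTS</port></destination>
    </rule>
  </filter>
</pfsense>"""

# Port, "from-to" or "from:to" port range.
PORT_RE = re.compile(r"^\d{1,5}([-:]\d{1,5})?$")

# Rule fields (assumed names) that may hold either a literal or an alias name.
RULE_FIELDS = ("source/address", "destination/address",
               "source/port", "destination/port", "target", "local-port")


def is_literal(token):
    """True for values that are not alias names: ports, ranges, IPs, CIDRs, FQDNs."""
    if PORT_RE.match(token):
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        pass
    return "." in token  # assumption: a dotted token is an FQDN, never an alias name


def defined_aliases(root):
    return {a.findtext("name", "").strip() for a in root.findall("./aliases/alias")}


def alias_references(root):
    """Yield (section, rule description, field, name) for every alias-like value."""
    for section in ("nat", "filter"):
        for idx, rule in enumerate(root.findall(f"./{section}/rule"), 1):
            descr = (rule.findtext("descr") or "").strip() or f"{section} rule #{idx}"
            for field in RULE_FIELDS:
                value = (rule.findtext(field) or "").strip()
                if value and not is_literal(value):
                    yield section, descr, field, value
    # Alias address lists may nest other aliases, so check those too.
    for alias in root.findall("./aliases/alias"):
        name = alias.findtext("name", "").strip()
        for token in (alias.findtext("address") or "").split():
            if not is_literal(token):
                yield "aliases", name, "address", token


def find_dangling(xml_text):
    """Return every alias reference whose name is not defined in <aliases>."""
    root = ET.fromstring(xml_text)
    defined = defined_aliases(root)
    return [ref for ref in alias_references(root) if ref[3] not in defined]


if __name__ == "__main__":
    for section, descr, field, name in find_dangling(SAMPLE_CONFIG):
        print(f"[{section}] {descr}: {field} references missing alias {name!r}")
```

Run it against a config.xml backup before restoring it on the new box; any line it prints is a rule that the versions discussed in this thread would either drop from the ruleset or, as the original post describes, load without the port restriction. The check is deliberately a whitelist of literal shapes, so an unexpected value errs on the side of being reported rather than ignored.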
-
Have you tried disabling auto negate rules?
-
I guess this only happened because you restored sections of configs, or pasted stuff in/out of configs manually?
You should not be able to delete an alias that is in use somewhere (post details if you know of a place in the GUI that will let you delete an alias that is in use).
-
I've seen issues with lists created & maintained by pfBlocker cause problems in firewalls using rules containing those aliases. I didn't pen test, so I can't confirm the security implications; I just assumed it was flagging an error in the GUI, but thought it worthwhile mentioning here in relation to the OP's observation.
-
See Redmine issue https://redmine.pfsense.org/issues/7421 - "Unresolvable port alias is omitted from rule rather than generating an error"
and commits:
master (for 2.4 coming) https://github.com/pfsense/pfsense/commit/224e1648174e4a27b7f091fe348a81c74bacf23e
RELENG_2_3 (for 2.3.* series releases) https://github.com/pfsense/pfsense/commit/72040e44f5ffd0b559b1592eabde8d0b41d6a8ec
RELENG_2_3_3 (for 2.3.3-p* releases) https://github.com/pfsense/pfsense/commit/bf4440b495e0555981c606ec8808b3b544847b8e
The behavior when a port alias is missing will then be the same as when an IP alias is missing - the rule will be omitted from the rule set and a notice will be posted on the dashboard. That will make it much easier for the firewall admin to notice the problem, rather than the existing "silent" behavior.
-
I like it when a man is good with words - this is exactly what I had in mind.
It must not go silent for admins. Thank you
-
Thanks for raising Rajko and thanks for the fix devs.