Mitigating risk for any port-forwarding NAT rules



  • So I have some exposure in the way that I have my firewall configured, so that anyone could get a packet through to an internal address if they knew what port to target. I'm using a very high port - something like 32953 - so as to reduce the risk from most scanning - but I really need some way to track that exposure and hopefully make it automatic to alert me - not necessarily in real time - perhaps a report that gets generated once a day. The internal device is a "closed" device, so there's no reporting that I can get from it. For now I have accepted the risk in this exposure, but my purpose now is to mitigate that risk. So I'm looking for how others would go about doing this. Just high-level bread crumbs that I can follow to get me started... I'm assuming setting up a syslog server would be step one...

    Thanks for any suggestions....

    Romany


  • Rebel Alliance Developer Netgate

    If you care about its security at all, why is it exposed? Use a VPN, forget the port forward. Then there is no risk.

    Otherwise, all you can do is set the firewall rule so it logs who makes connections, and maybe use snort to look for suspicious activity.

    Moving to a high port won't help anything. Security by obscurity isn't security at all. Scanners will find it.



  • It would also depend on what service is being run on that off-port. By port forwarding you are bypassing much of the security of the firewall and passing the traffic straight through. Services such as Snort and Suricata can check for odd behavior, and pfBlocker can restrict access by country. If people are connecting normally from your country or via a proxy, it wouldn't be caught. You would need to protect the device that is being forwarded to, depending on the service that is exposed. You can tell the firewall rule to log attempts and then use the email report add-in to send you messages with a filter for that rule. I think it can do that.
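    As an added illustration of the "log the rule, then report on it" approach above (this is example code written for this thread, not pfSense's own reporting, Netgate's email report package, or anything a poster supplied): once the pass rule for the forwarded port has logging enabled and the logs are shipped to a syslog server, a small script can turn the day's filterlog lines into a digest of who reached the forwarded port and which of those sources are outside a trusted list. The field order assumed here is the pfSense filterlog CSV layout (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then source and destination address and, for TCP/UDP, source and destination port); the sample log lines are constructed and use the 32953 port from the original post.

```python
"""Daily digest of hits on a port-forwarded service, built from pfSense
filterlog lines. Example code for this thread, not pfSense's own tooling.
Assumes the pfSense filterlog CSV field order described in the lead-in."""
from collections import Counter
import ipaddress

FORWARDED_PORT = 32953  # the high port from the original post

# Constructed sample syslog lines (documentation address ranges, made-up tracker ids):
# two sources hit the forwarded port over TCP, one over UDP, and one unrelated
# blocked SSH probe that the report must ignore.
SAMPLE_LOG = """\
Jan 10 03:12:44 pfSense filterlog[12345]: 100,,,1770001234,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.50,51234,32953,0,S,1,,65535,,mss
Jan 10 03:12:45 pfSense filterlog[12345]: 100,,,1770001234,igb0,match,pass,in,4,0x0,,52,0,0,DF,6,tcp,60,203.0.113.7,192.168.1.50,51235,32953,0,S,1,,65535,,mss
Jan 10 04:01:02 pfSense filterlog[12345]: 100,,,1770001234,igb0,match,pass,in,4,0x0,,48,0,0,DF,6,tcp,60,198.51.100.23,192.168.1.50,40000,32953,0,S,1,,65535,,mss
Jan 10 05:30:00 pfSense filterlog[12345]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.99,192.168.1.50,40001,22,0,S,1,,65535,,mss
Jan 10 06:00:00 pfSense filterlog[12345]: 100,,,1770001234,igb0,match,pass,in,4,0x0,,64,0,0,none,17,udp,76,203.0.113.7,192.168.1.50,5000,32953,56
"""


def parse_line(line):
    """Return (action, proto, src, dst, dport) for an IPv4 filterlog line, else None.

    Field indexes follow the assumed pfSense filterlog CSV layout:
    6=action, 8=IP version, 16=protocol name, 18=src, 19=dst, 21=dst port.
    """
    if "filterlog" not in line:
        return None
    csv = line.split("filterlog", 1)[1].split(":", 1)[1].strip()
    f = csv.split(",")
    if len(f) < 20 or f[8] != "4":  # IPv6 lines have a different header layout
        return None
    action, proto, src, dst = f[6], f[16], f[18], f[19]
    dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
    return action, proto, src, dst, dport


def summarize(log_text, port=FORWARDED_PORT, trusted=()):
    """Count per-source hits on `port`, split by pass/block, and flag sources
    outside the `trusted` networks (CIDR strings)."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    passed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, _proto, src, _dst, dport = parsed
        if dport != port:
            continue  # traffic to other ports is not this rule's concern
        (passed if action == "pass" else blocked)[src] += 1
    untrusted = sorted(
        ip for ip in passed
        if not any(ipaddress.ip_address(ip) in net for net in trusted_nets)
    )
    return {"passed": dict(passed), "blocked": dict(blocked),
            "untrusted_sources": untrusted}


def render_report(summary, port=FORWARDED_PORT):
    """Plain-text digest suitable for a once-a-day e-mail."""
    lines = [f"Connections to forwarded port {port}:"]
    for ip, n in sorted(summary["passed"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  passed  {ip:<16} {n} packet(s)")
    for ip, n in sorted(summary["blocked"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  blocked {ip:<16} {n} packet(s)")
    if summary["untrusted_sources"]:
        lines.append("Sources outside the trusted list (review these):")
        lines.extend(f"  {ip}" for ip in summary["untrusted_sources"])
    else:
        lines.append("No sources outside the trusted list.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Treat the 203.0.113.0/24 range as the "friends and family" list; the
    # 198.51.100.23 hit then shows up as something to look at.
    print(render_report(summarize(SAMPLE_LOG, trusted=["203.0.113.0/24"])))
```

    Run it from cron against the previous day's syslog file and mail the output; the "untrusted" section is the part worth eyeballing, since it is exactly the traffic the pfBlocker country or netblock restriction mentioned above would not have stopped.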


  • Galactic Empire

    @4romany said in Mitigating risk for any port-forwarding NAT rules:

    So I have some exposure in the way that I have my firewall configured, so that anyone could get a packet through to an internal address if they knew what port to target. I'm using a very high port - something like 32953 - so as to reduce the risk from most scanning - but I really need some way to track that exposure and hopefully make it automatic to alert me - not necessarily in real time - perhaps a report that gets generated once a day. The internal device is a "closed" device, so there's no reporting that I can get from it. For now I have accepted the risk in this exposure, but my purpose now is to mitigate that risk. So I'm looking for how others would go about doing this. Just high-level bread crumbs that I can follow to get me started... I'm assuming setting up a syslog server would be step one...
    Thanks for any suggestions...
    Romany

    Can you put the host into a DMZ?


  • Rebel Alliance Global Moderator

    Exposing any service to the wild west that is the internet is always a risk, no matter what the service is and what it runs on.

    Moving its port doesn't really do anything for the security of that service, as stated; the only thing it does is probably cut down on your log spam.

    If you need to expose something, then as mentioned it should be isolated from the rest of your network as much as possible (DMZ or firewalled segment are common terms). As already mentioned, you can limit its exposure to more trustworthy IPs, like only your country or only a specific netblock if you cannot lock it down to specific source IPs... I allow access into my Plex box - but it is locked down to only my friends' and family's IPs. Worst case here is that they change IPs and then some rando gets that IP and exploits it in some way.

    When I want access into my Plex from my phone or tablet while on the road on random IPs, I VPN into the network.

    The only service I have exposed to the public is NTP, which I do to help the NTP pool community. It's running on a Pi that has no other access to my network, not even to other boxes in the same DMZ segment. And it's running a very locked-down and maintained copy of ntpsec as well.



  • Hey, thanks for all the replies, folks. I can go either way - I already have an isolated DMZ for my Chinese cameras - but I think I'll use VPN for external access and disable that NAT rule altogether. I have been leaning in this direction - the only reason I have not done it is that it's another thing I have to teach my wife to do on her phone - make sure she has a VPN session up - when she is attempting to access an internal resource on my network. I'll do some reading on setting up the VPN server feature on pfSense...

    Romany