LAN ip blocked but seems to be passing traffic



  • Hey Y'all,
    I have set an alias for a few IoT devices and have a rule blocking egress, but I noticed traffic to a specific ip in the alias list (LAN_blocklist) and ran a tcpdump from ntopng and can see 2 way traffic. I'd sure appreciate some advice.
    alias:
    dig +short DirecTV.lucky.org
    192.168.42.89

    LAN_blocklist 192.168.42.90, 192.168.42.97, 192.168.42.22, 192.168.42.92, 192.168.42.91, 192.168.42.89, 192.168.42.20 Stuff on the LAN that shouldn't talk out

    fw rule, on LAN interface:
    pfctl -sr|grep LAN_blocklist
    block drop in quick on igb1 inet from <LAN_blocklist> to any label "USER_RULE: Block the LAN_blocklist from connecting out"

    from a dump:
    11:43:46.534771 IP DirecTV.lucky.org.44339 > underdog.lucky.org.domain: 39142+ A? bbvds.dtvbb.tv. (32)
    11:43:46.718625 IP underdog.lucky.org.domain > DirecTV.lucky.org.44339: 39142 1/0/0 A 99.193.64.55 (48)
    11:43:46.726389 IP DirecTV.lucky.org.40442 > bbvds.dtvbb.tv.http: Flags [S], seq 2996250978, win 14600, options [mss 1460,sackOK,TS val 1063317252 ecr 0,nop,wscale 7], length 0
    11:43:46.726462 IP bbvds.dtvbb.tv.http > DirecTV.lucky.org.40442: Flags [S.], seq 2555860322, ack 2996250979, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 2165576204 ecr 1063317252], length 0
    11:43:46.733989 IP DirecTV.lucky.org.40442 > bbvds.dtvbb.tv.http: Flags [.], ack 1, win 115, options [nop,nop,TS val 1063317260 ecr 2165576204], length 0
    11:43:46.823872 IP DirecTV.lucky.org.40442 > bbvds.dtvbb.tv.http: Flags [P.], seq 1:100, ack 1, win 115, options [nop,nop,TS val 1063317353 ecr 2165576204], length 99: HTTP: GET /download/connectivity.ats HTTP/1.0
    11:43:46.823964 IP bbvds.dtvbb.tv.http > DirecTV.lucky.org.40442: Flags [.], ack 100, win 512, options [nop,nop,TS val 2165576302 ecr 1063317353], length 0
    11:43:46.833901 IP bbvds.dtvbb.tv.http > DirecTV.lucky.org.40442: Flags [P.], seq 1:372, ack 100, win 513, options [nop,nop,TS val 2165576312 ecr 1063317353], length 371: HTTP: HTTP/1.1 302 Found
    11:43:46.833974 IP bbvds.dtvbb.tv.http > DirecTV.lucky.org.40442: Flags [F.], seq 372, ack 100, win 513, options [nop,nop,TS val 2165576312 ecr 1063317353], length 0
    11:43:46.837172 IP DirecTV.lucky.org.40442 > bbvds.dtvbb.tv.http: Flags [.], ack 372, win 123, options [nop,nop,TS val 1063317366 ecr 2165576312], length 0
    11:43:46.839430 IP DirecTV.lucky.org.40442 > bbvds.dtvbb.tv.http: Flags [F.], seq 100, ack 373, win 123, options [nop,nop,TS val 1063317368 ecr 2165576312], length 0
    11:43:46.839474 IP bbvds.dtvbb.tv.http > DirecTV.lucky.org.40442: Flags [.], ack 101, win 513, options [nop,nop,TS val 2165576317 ecr 1063317368], length 0

    I have tried adding a test vm to the blocklist and verified that I cannot talk out from cli.. (ping, curl, etc) but it sure seems like the rule is failing for that directv box.

    Thanks!


  • LAYER 8 Netgate

    Much, much easier to see what's happening if you do not resolve names. tcpdump flag -n

    We'll need to see the entire rule set on that interface too.



  • @Derelict Every time I try to post, the forum errors now:
    Error

    Post content was flagged as spam by Akismet.com

    how do I get around this?


  • LAYER 8 Netgate

    Post things that don't look like spam. Sorry that's the best I can do. Maybe some others will click your thumbs up to get your reputation higher which should relax the rules.



  • @Derelict hahah wow. so how does code look like spam? kinda stupid.
    Thanks anyway, @Derelict I appreciate the attempt!

    Sadly, I'm losing this dumb pasting game. It's not worth fighting this if it won't even tell me what characters it doesn't like. Not to mention, restricting chars is stupid in a place where people paste code, but I know you didn't design it. Then it tells me I can only post every 120 seconds... geeeeeeesh.
    Have yerself a great day!


  • LAYER 8 Moderator

    @h1pp13p373 said in LAN ip blocked but seems to be passing traffic:

    @Derelict hahah wow. so how does code look like spam? kinda stupid.
    Thanks anyway, @Derelict I appreciate the attempt!

    Why code looks like spam? Just have a look at your log:

    11:43:46.534771 IP DirecTV.lucky.org.44339 > underdog.lucky.org.domain: 39142+ A? bbvds.dtvbb.tv. (32)
    11:43:46.718625 IP underdog.lucky.org.domain > DirecTV.lucky.org.44339: 39142 1/0/0 A 99.193.64.55 (48)

    There are already SO many links in there (as you didn't do a PCAP with -n / numeric only) that every spam-plugin and detection tool will run wild in having that posted ;) Bots LOVE to post a bunch of links, so it's no wonder, the plugin the forum uses is running hot while processing that.

    How about (to test it) post a tcpdump with -n? When analyzing TCPdumps, domain names tend to get in your way anyways. :)



  • OK, so when the forum failed, I had used the -n flag. You don't see it because the forum won't let me paste it. See http://hippiepete.org/netgate.forum.fail.txt

    Why is that spam? And if that triggers the filter, what wouldn't?


  • LAYER 8 Moderator

    OK, so when the forum failed, I had used the -n flag. You don't see it because the forum won't let me paste it.

    My bad, sorry. Just wanted to point it out, that the Spam detection doesn't like large amounts of links (or things that look like it).

    @h1pp13p373 said in LAN ip blocked but seems to be passing traffic:

    Why is that spam? And if that triggers the filter, what wouldn't?

    Unfortunately I've no insight into the workings of the Akismet Plugin and it doesn't have some sort of whitelist :(
    Besides that, just having a quick look at your text file, it still shows links from your rule descriptions (like voip.ms) that could perhaps (just guessing here) trigger the bot threshold.

    But besides that after a few posts and thumbs up I thought the plugin should take it a little lighter. But something seems to still trigger it hard. I also had a problem with a user and his post in the German subforums that could post it initially but couldn't edit it afterwards. Very strange :/



  • @JeGr I worked with an admin in another thread and it lets him post the exact same text, but not me. Time for gist/etherpad/something else. It'll be much easier in the long run.



  • Just found hastebin... pretty slick. Even a cli client so you can pipe stuff to it.
    https://hastebin.com/about.md

    So, back to my original issue, here's my dump and rules:
    https://hastebin.com/elamojuvaw.coffeescript

    I'd found an old pfsense thread that suggested I place a specific allow for that alias before the block but that didn't work either. I still could see traffic being passed.


  • LAYER 8 Netgate

    Please paste /tmp/rules.debug

    Establish a connection that should be blocked. While connected or immediately thereafter get the output of this:

    pfctl -vvss | grep -A 3 192.168.42.89




  • LAYER 8 Netgate

    Great. Now:

    pfctl -vvsr | grep -A3 '^@24('




  • LAYER 8 Netgate

    Great. Do you have a captive portal on that interface?

    What are the various IP address and MAC address pass throughs there?



  • @Derelict Good thinking! I do have a captive portal active, but I only have a few ip's allowed and 192.168.42.89 is not on the allowed list. I don't have any allowed MAC addresses set.
    https://hastebin.com/ifabayekin.coffeescript


  • LAYER 8 Netgate

    Well that's probably why you're seeing what you're seeing. I am not sure why yet but those sloppy rules are likely the culprit. Note that there is no state shown that passes traffic into LAN from 192.168.42.89:39163 -> 99.193.64.55:80. Only the reply traffic passed by sloppy rule 24.

    Turn off the captive portal. Is the traffic blocked?

    Move the specific block rule to the top of the rule set. Is the traffic blocked?

    Most people would not stack a bunch of stuff on an interface with a portal on it. They'd create two different security zones (interfaces) and put the captive portal on one and the hosts that should be able to pass through on the other.

    What is the output of ipfw show



  • @Derelict said in LAN ip blocked but seems to be passing traffic:

    ipfw show

    https://hastebin.com/isadazabew.coffeescript

    Looks like that was the culprit! After turning the portal off, I didn't see any return traffic from the remote ip. I guess the portal returning the login page looked like a return from the remote ip in the dump...? Strange though. I sure appreciate your help, @Derelict !!

    I'm also going to look into security zones like you suggested. Is the purpose of using the zones to have an abstract layer of trusted and untrusted hosts sort of like aliases for fw rules, or is it a performance thing?
    I was a linux guy for years and know just enough networking to be dangerous. :)


  • LAYER 8 Netgate

    The purpose is to segment secure portions of your network from each other, each with the capabilities necessary for that segment (like captive portal).

    Yes, the captive portal page being returned would look like that if you were capturing on LAN. I (and everyone else probably) assumed you were looking at a web browser when you were testing and seeing the portal page instead of the outside site would have seemed like an obvious clue to me.
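
An added example, not part of the original thread: in the capture from the first post the SYN-ACK "from" the remote address arrives 73 microseconds after the SYN, while the DNS lookup just before it took about 184 ms, which is a sign that the reply was generated on the firewall (here, the captive portal) rather than by the remote host. The Python below measures SYN to SYN-ACK delay per flow in `tcpdump -n` output and flags flows answered faster than a threshold. The 1000 µs threshold, the function names, and the second flow in the sample (192.168.42.50 to 203.0.113.10) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches TCP lines of `tcpdump -n` output; lines without "Flags [" (DNS etc.) are skipped.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample: the first flow is a numeric (-n) rendering of the thread's
# capture with TCP options trimmed; the second flow is invented for contrast.
SAMPLE = """\
11:43:46.726389 IP 192.168.42.89.40442 > 99.193.64.55.80: Flags [S], seq 2996250978, win 14600, length 0
11:43:46.726462 IP 99.193.64.55.80 > 192.168.42.89.40442: Flags [S.], seq 2555860322, ack 2996250979, win 65228, length 0
11:43:46.733989 IP 192.168.42.89.40442 > 99.193.64.55.80: Flags [.], ack 1, win 115, length 0
11:44:02.100000 IP 192.168.42.50.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
11:44:02.131500 IP 203.0.113.10.443 > 192.168.42.50.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
""".splitlines()


def handshake_rtts(lines):
    """Map (client, cport, server, sport) -> SYN to SYN-ACK delay in microseconds."""
    syn_seen, rtts = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        fwd = (m["src"], m["sport"], m["dst"], m["dport"])
        rev = (m["dst"], m["dport"], m["src"], m["sport"])
        if m["flags"] == "S":
            syn_seen.setdefault(fwd, ts)  # keep the first SYN, ignore retransmits
        elif m["flags"] == "S." and rev in syn_seen and rev not in rtts:
            rtts[rev] = (ts - syn_seen[rev]) // timedelta(microseconds=1)
    return rtts


def locally_answered(lines, threshold_us=1000):
    """Flows whose SYN-ACK came back faster than a routed WAN round trip plausibly could."""
    return sorted(k for k, us in handshake_rtts(lines).items() if us < threshold_us)


if __name__ == "__main__":
    for flow, us in handshake_rtts(SAMPLE).items():
        print(flow, f"{us} us")
    print("answered locally:", locally_answered(SAMPLE))
```

The threshold only makes sense for a capture taken on the firewall's LAN side, and it should be tuned to the actual WAN latency of the link.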



  • Thanks again, and that makes sense about segmenting.

    This all started when I saw traffic to that LAN ip on ntopng (installed on the pfsense box) and did a pcap download. That's where I saw the traffic from the remote ip to the LAN address and I got concerned. The 302 should also have given me a clue about the portal.
    The portal was only set up to rick roll guests and I guess I deserve it for that. lol
    Have a great day!



  • @Derelict I'm having trouble finding documentation on using interfaces to segment. Is it like creating virtual interfaces and assigning ip lists to one or both? Would you mind linking me an article?


  • LAYER 8 Netgate

    This discusses network segmentation:

    Youtube Video



  • @Derelict Thanks!

