Netgate Discussion Forum
    Bad configuration, uneducated user or a compromised firewall?

    DrPhil

      Background

      I have an SG-5100 as my gateway. The rule on WAN is the default, which is block all incoming (plus block private networks and bogons).

      I have a mix of devices on the LAN, mostly Windows but also one Linux server (it's an internal staging server - doesn't need to accept traffic from outside) and I recently configured a Linux desktop (for some testing needs).

      This new desktop is Ubuntu 22.04. After installation, I enabled ufw on it with fairly restrictive rules (block all incoming and outgoing traffic, except for specific combinations).

      Issue
      Within a few hours of installation, I noticed a bunch of entries in the Ubuntu firewall log that I wasn't expecting. The most problematic ones seem like incoming requests from external IPs. Examples below:

      Jul 23 23:12:05 ubuntu-desktop kernel: [ 2290.328780] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=142.250.65.206 DST=192.168.1.35 LEN=66 TOS=0x00 PREC=0x80 TTL=61 ID=0 DF PROTO=UDP SPT=443 DPT=45631 LEN=46
      Jul 24 00:11:19 ubuntu-desktop kernel: [ 5844.376046] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=169.197.150.7 DST=192.168.1.35 LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48987 DF PROTO=TCP SPT=443 DPT=57286 WINDOW=11 RES=0x00 ACK PSH URGP=0
      Jul 24 01:22:35 ubuntu-desktop kernel: [10120.424253] [UFW BLOCK] IN=eno1 OUT= MAC=74:46:a0:a8:88:8b:00:90:0b:8c:d9:4b:08:00 SRC=38.91.45.7 DST=192.168.1.35 LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48558 DF PROTO=TCP SPT=443 DPT=34766 WINDOW=11 RES=0x00 ACK PSH URGP=0
      

      My question
      How did these requests get past pfSense in the first place?

      viragomann @DrPhil

        @drphil
        Source port 443? No device uses 443 as source port.
        So I assume these are servers which the machine has requested before. Hence pfSense opened the port, but the Ubuntu firewall might already have closed the connection at this time, while pfSense didn't.

        DrPhil @viragomann

          @viragomann Thank you, that makes sense and makes me feel much better.

          In my mind it completely explains at least two of these entries (TCP). Could I ask for your opinion on the UDP one also? The UFW firewall actually blocks outgoing 443 on UDP (only allows TCP).

          DrPhil @DrPhil

            Actually I think I know the answer. Once I installed Ubuntu, a few minutes passed before I enabled UFW. The desktop must have sent out the TCP and UDP requests in those few minutes.

            Which is the other annoying aspect. The machine has been attempting outbound requests to 1e100.net (which I understand is Google), deepintent.com (no idea who they are and why my machine is trying to reach them) and some IPs that don't return anything with rDNS.

            viragomann @DrPhil

              @drphil
              https://en.wikipedia.org/wiki/QUIC

              DrPhil @viragomann

                Thank you @viragomann, I did not know that!

                For the benefit of future readers who may not have the time to read the Wikipedia article: it looks like the QUIC protocol (which runs on top of UDP) might some day replace the TCP protocol. If you're configuring a firewall, you want to allow outgoing TCP and UDP traffic to 443.

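As an added example (not code from this thread or from Netgate), here is a small Python classifier that applies viragomann's reasoning to UFW BLOCK lines: it separates late replies to connections the host itself opened (TCP from a server port carrying ACK but no SYN; UDP from source port 443, i.e. QUIC) from genuinely unsolicited inbound SYNs, which are the only entries that would actually mean new traffic got through pfSense. The sample log lines are constructed in the style of the ones quoted above, and the EPHEMERAL_MIN threshold is an assumption based on the Linux default local port range.

```python
EPHEMERAL_MIN = 32768  # assumption: Linux default ip_local_port_range starts here

# Constructed sample lines in the style of the thread's log (not the poster's data).
SAMPLE_LOG = """\
Jul 23 23:12:05 host kernel: [ 2290.3] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.1.35 LEN=66 TOS=0x00 PREC=0x80 TTL=61 ID=0 DF PROTO=UDP SPT=443 DPT=45631 LEN=46
Jul 24 00:11:19 host kernel: [ 5844.3] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.35 LEN=91 TOS=0x00 PREC=0x00 TTL=58 ID=48987 DF PROTO=TCP SPT=443 DPT=57286 WINDOW=11 RES=0x00 ACK PSH URGP=0
Jul 24 02:00:00 host kernel: [12000.0] [UFW BLOCK] IN=eno1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.5 DST=192.168.1.35 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_ufw_block(line):
    """Split a '[UFW BLOCK]' line into (fields, flags).
    fields: KEY=VALUE tokens (a repeated key such as LEN keeps the last value)
    flags : bare tokens such as SYN, ACK, PSH, DF"""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split(marker, 1)[1].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags

def classify(line):
    """Label one blocked packet by whether it can be a reply to traffic this host sent."""
    parsed = parse_ufw_block(line)
    if parsed is None:
        return "not_ufw_block"
    fields, flags = parsed
    proto = fields.get("PROTO")
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if proto == "TCP":
        if "SYN" in flags and "ACK" not in flags:
            # New inbound connection attempt: only expected if a port forward exists.
            return "unsolicited_syn"
        if spt < EPHEMERAL_MIN <= dpt:
            # Server port -> our ephemeral port, no SYN: late segment of a connection
            # this host already closed while pfSense still held state for it.
            return "stale_reply"
    if proto == "UDP" and spt == 443 and dpt >= EPHEMERAL_MIN:
        # QUIC (HTTP/3) answer to a request this host sent, e.g. before UFW was enabled.
        return "quic_reply"
    return "other"

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify(line))  # quic_reply, stale_reply, unsolicited_syn
```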
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.