Kali Purple Greenbone Setup
-
@Technolust said in Kali Purple Greenbone Setup:
However, I still don't know why I needed the NAT rule.
Because I initially thought you wanted either the external host OR your internal host to be able to start an rsync session. The only way the external host could ever start a session is with the NAT Port Forward. The external host can "respond" to a session initiated by your internal host all day long due to stateful replies being allowed. But the external host can't just start a session on his own anytime he wishes UNLESS there is a NAT Port Forward rule in place on the WAN.
But if you only wanted just the internal host to start all sessions, then the NAT Port Forward was not required.
Stateful inspection replies will always automatically be allowed by the firewall. But these "states" have a timeout, and after that timeout expires any traffic coming from the external host is again dropped. States are also automatically cleaned up and closed when the established session is closed. The timeout only comes into play when the connection is just interrupted without the two sides properly saying "goodbye" to each other.
-
@bmeeks said in Kali Purple Greenbone Setup:
The only way the external host could ever start a session is with the NAT Port Forward. The external host can "respond" to a session initiated by your internal host all day long due to stateful replies being allowed.
@bmeeks said in Kali Purple Greenbone Setup:
Stateful inspection replies will always automatically be allowed by the firewall. But these "states" have a timeout, and after that timeout expires any traffic coming from the external host is again dropped.
There's the ahhh haaa moment!! I have saved this entire comment in my notes!!
-
@Technolust:
There are settings in the SYSTEM > ADVANCED > Firewall and NAT menu that let you customize the stateful reply timeout value. Normally this should be left at the default. But there may be some older app or software on some IoT device that needs a longer state timeout. Luckily these days that is very rare.
You can always see the active states on the firewall under DIAGNOSTICS. There are a few menu choices there for viewing and/or clearing the state table.
Most states are closed automatically as part of the TCP session teardown. The only time this might not happen is if one side of the conversation just disappears and never sends any further traffic. That will result in the state eventually timing out and being closed. As long as the two sides of the session continue to send packets to each other, the state will remain "open".
One more thing, just to be clear. States apply specifically to just the two IP addresses that caused them to open. Just because there is a stateful reply session in place for rsync connections, that does not mean any other IP can hop onto or hijack the session. It is locked to just the two specific hosts (your internal LAN host and the specific external host IP your internal host started the conversation with).
-
@Technolust are you running squid proxy?
Greenbone is the application with the dinosaur 🦖; we used that in cyber security class.
-
@JonathanLee no, I haven’t set up squid proxy yet. Something I’m looking to do but I don’t know enough about it. Gotta figure out Kali Purple…
Yeah, Greenbone (dinosaur) is the application I’m trying to configure. It’s one of the first tools to set up in Kali Purple.
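
The state-table behaviour discussed earlier in this thread (replies pass on an existing state, states time out or close on teardown, a state is tied to one pair of hosts, and only a NAT port forward lets the external host start a session), as an added example that is not part of any post and is not pfSense code. The `Firewall` class, the addresses and the 60-second timeout are assumptions made for illustration, and states are keyed on peer IP and port only, a simplification of a real state table.

```python
# Toy model of a stateful firewall's state table (constructed; not pfSense/pf code).
STATE_TIMEOUT = 60   # seconds; illustrative value, not a pfSense default
RSYNC = 873

class Firewall:
    def __init__(self, port_forwards=None):
        self.port_forwards = port_forwards or {}   # WAN port -> LAN host
        self.states = {}                           # (ext_ip, port) -> [lan_ip, last_seen]

    def _expire(self, now):
        # Idle states are removed once the timeout has passed.
        self.states = {k: v for k, v in self.states.items()
                       if now - v[1] <= STATE_TIMEOUT}

    def outbound(self, lan_ip, ext_ip, port, now):
        # A session started by the internal host creates (or refreshes) a state.
        self._expire(now)
        self.states[(ext_ip, port)] = [lan_ip, now]

    def inbound(self, ext_ip, port, now):
        # Packet arriving on WAN from ext_ip for the given service port.
        self._expire(now)
        state = self.states.get((ext_ip, port))
        if state:
            state[1] = now                         # traffic keeps the state open
            return "pass: reply on existing state"
        if port in self.port_forwards:             # forward plus its pass rule
            self.states[(ext_ip, port)] = [self.port_forwards[port], now]
            return "pass: NAT port forward"
        return "drop"

    def close(self, ext_ip, port):
        # A clean TCP teardown removes the state immediately.
        self.states.pop((ext_ip, port), None)

def demo():
    lan, peer, other = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw, out = Firewall(), []
    out.append(fw.inbound(peer, RSYNC, 0))      # peer tries to start a session
    fw.outbound(lan, peer, RSYNC, 10)           # internal host starts rsync
    out.append(fw.inbound(peer, RSYNC, 11))     # peer's reply
    out.append(fw.inbound(other, RSYNC, 12))    # a different IP, same port
    out.append(fw.inbound(peer, RSYNC, 200))    # peer again after idle timeout
    fw.outbound(lan, peer, RSYNC, 210)
    fw.close(peer, RSYNC)                       # both sides said "goodbye"
    out.append(fw.inbound(peer, RSYNC, 211))    # peer after teardown
    fwd = Firewall(port_forwards={RSYNC: lan})
    out.append(fwd.inbound(peer, RSYNC, 0))     # peer starts, forward in place
    return out

if __name__ == "__main__":
    print(*demo(), sep="\n")
```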