Dnsmasq with pppoe on wan appears to bypass firewall



  • I've got a setup as follows:
    ADSL (bridge ) –- (pppoe) WAN pfsense LAN

    I've had several high traffic attacks with what looks like some sort of DDOS via DNS
    Initially I tried a specific block and log rule on the WAN for any incoming tcp/udp traffic to the WAN (pppoe) IP address at port 53. It didn't make any difference as far as I could see nor where there any firewall log entries. Packet capture on the WAN showed incoming and outgoing DNS requests.

    I couldn't see why the firewall rule didn't appear to make any difference or block any traffic.
    After trying various options I then tried to exclude the hardware LAN port from the dnsmasq config with no success. The option appears to have taken but didn't make any difference to the actual DNS traffic.
    I then tried the option of excluding the pppoe interface ( except-interface=pppoe0 ) and this stopped the DNS outgoing traffic.
    I've tested from the LAN side and all appears to still be working as expected.

    It appears that dnsmasq was binding to the pppoe interface but the firewall rules were being applied to the actual hardware WAN interface.
    ie:
    ADSL (bridge ) --- hardware interface -- (pppoe with dnsmasq binding here) -- WAN ( firewall applied here ) -- pfsense LAN

    I'm confused as I wouldn't expect to see any service binding outside the firewall. Is this an issue and/or have I misconfigured something?
    Rod


  • Rebel Alliance Developer Netgate

    Your original WAN rules must have been too permissive, and allowed the traffic. Then, once you added the block rule, if the attacking IPs didn't change, the state table would have been letting them through. The block rule wouldn't log unless you manually set it to log, and it would also need to be above any other pass rule that might be allowing the traffic.

    After adjusting the rules you'll need to clear the state table (Diag > States, Reset States) and then things should be blocked.



  • Must be something else I'm doing wrong then. I've enabled logging, moved the block rule as far up the WAN rules as I can and cleared the state table. Also tried numerous reboots whilst I have been playing.

    Why does dnsmasq only stop emitting if I exclude pppoe and not the hardware interface.
    I'm more than happy to post up logs/configs to see what is happening.


  • Rebel Alliance Developer Netgate

    Maybe you have a pass rule on the floating tab? The traffic wouldn't be getting through unless you had a rule somewhere letting it through.

    Showing /tmp/rules.debug may help.



  • Bingo  ::) it was being passed by a floating rule.

    Now I need to rework my traffic shaper rules to only pickup what is intended.
    thanks


  • Rebel Alliance Developer Netgate

    traffic shaping rules can use the queue/match action – that does not pass or block, it only queues traffic.



  • Brilliant. That's the ( so far ) bit I missed with floating queue rules.


Locked