I am setting up ASL 4 on a new system to replace my old ASL 3.0, and seem to be running into a few firewall-related issues. In the ASL config, I have enabled a set of TCP/UDP ports, and I was expecting that any other port would then be denied. However, access to denied (non-listed) ports is still possible. I also cannot find the list of ports in the iptables output:
--iptables -nL output-->
Chain INPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-WHITELIST all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ASL-GEO-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
ASL-BLACKLIST all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-BLACKLIST (2 references)
target prot opt source destination
Chain ASL-BLACKLIST-DROP-LOG (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-GEO-BLACKLIST (2 references)
target prot opt source destination
Chain ASL-GEO-BLACKLIST-LOG (0 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain ASL-WHITELIST (1 references)
target prot opt source destination
ASL-WHITELIST-LOG all -- xxx.xxx.xxx.xxx 0.0.0.0/0
ASL-WHITELIST-LOG all -- 127.0.0.1 0.0.0.0/0
ASL-WHITELIST-LOG all -- xxx.xxx.xxx.xxx 0.0.0.0/0
ASL-WHITELIST-LOG all -- 8.8.8.8 0.0.0.0/0
ASL-WHITELIST-LOG all -- 8.8.4.4 0.0.0.0/0
Chain ASL-WHITELIST-LOG (5 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
<--
When I try to manually reload the firewall using "asl --reload-firewall" I get:
-->
/var/asl/lib/firewall/icmp_echo_ignore: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_all: Operation not permitted
/var/asl/lib/firewall/icmp_echo_ignore_broadcasts: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/var/asl/lib/firewall/icmp_ignore_bogus_error_responses: line 11: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/var/asl/lib/firewall/tcp_ecn: line 11: /proc/sys/net/ipv4/tcp_ecn: Operation not permitted
/var/asl/lib/firewall/tcp-timestamps: line 14: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/var/asl/lib/firewall/tcp_window_scaling: line 15: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
iptables-restore: line 10 failed
iptables-restore: line 10 failed
iptables-restore: line 8 failed
iptables-restore: line 5 failed
iptables-restore: line 8 failed
iptables-restore: line 24 failed
iptables-restore: line 6 failed
iptables-restore: line 28 failed
iptables-restore: line 594 failed
iptables-restore: line 29 failed
iptables-restore: line 370 failed
iptables-restore: line 1417 failed
iptables-restore: line 5997 failed
iptables-restore: line 658 failed
<--
The first few lines are probably kernel issues due to the fact that this is an OpenVZ container.
Exporting the firewall rules leaves me with these contents of the firewall:
-->
*mangle
:PREROUTING ACCEPT [5835:1405383]
:INPUT ACCEPT [5835:1405383]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6185:2271640]
:POSTROUTING ACCEPT [6185:2271640]
COMMIT
# Completed on Sun May 4 20:25:39 2014
# Generated by iptables-save v1.4.7 on Sun May 4 20:25:39 2014
*filter
:INPUT ACCEPT [5358:1335376]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6185:2271640]
:ASL-BLACKLIST - [0:0]
:ASL-BLACKLIST-DROP-LOG - [0:0]
:ASL-GEO-BLACKLIST - [0:0]
:ASL-GEO-BLACKLIST-LOG - [0:0]
:ASL-WHITELIST - [0:0]
:ASL-WHITELIST-LOG - [0:0]
-A INPUT -j ASL-GEO-BLACKLIST
-A INPUT -j ASL-BLACKLIST
-A INPUT -j ASL-WHITELIST
-A OUTPUT -j ASL-GEO-BLACKLIST
-A OUTPUT -j ASL-BLACKLIST
-A ASL-BLACKLIST-DROP-LOG -j DROP
-A ASL-GEO-BLACKLIST-LOG -j DROP
-A ASL-WHITELIST -s xx.xx.xx.xx/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 127.0.0.1/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s xx.xx.xx.xx/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 8.8.8.8/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST -s 8.8.4.4/32 ! -i lo -j ASL-WHITELIST-LOG
-A ASL-WHITELIST-LOG -j ACCEPT
COMMIT
# Completed on Sun May 4 20:25:39 2014
# Generated by iptables-save v1.4.7 on Sun May 4 20:25:39 2014
*nat
:PREROUTING ACCEPT [38:1964]
:POSTROUTING ACCEPT [80:4866]
:OUTPUT ACCEPT [80:4866]
COMMIT
<--
Another issue is that the "quick rule add" using the advanced firewall system returns the error:
"iptables: No chain/target/match by that name."
In /var/log/secure I see this at the same time:
"May 4 20:07:59 tyr sudo: tortix : TTY=unknown ; PWD=/var/asl/www ; USER=root ; COMMAND=/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 10000 -j DROP -m comment --comment webmin"
Manually trying to add that rule on the command line throws the same error.
System details:
OS: CentOS 6.5x64
ASL: 4.0-10
CP: Webmin & Virtualmin
ASL 4 firewall issues
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL 4 firewall issues
So that looks like whatever kernel you are using doesn't support a lot of those firewall features, or the kernel modules just aren't loaded. Is this in a virtual machine or bare iron?
If virtual, what virt tech is being used and if its a VPS what kernel is on the host box?
If bare iron (or non-VPS), what kernel is being used? And what kernel modules are loaded (lsmod).
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL 4 firewall issues
He mentioned OpenVZ container, so this will apply to Virtuozzo as well, which makes this a topic of interest to me 
This is indeed normal for OpenVZ/VZ.
I'm not running ASL4 so I don't know if there's an issue with anything else. ASL3 firewall works fine.
There is a Container parameter "numiptent" which limits the number of iptables entries you can have. It might be worth checking that's not an issue here.
/var/asl/lib/firewall/icmp_echo_ignore: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_all: Operation not permitted
/var/asl/lib/firewall/icmp_echo_ignore_broadcasts: line 11: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts: Operation not permitted
/var/asl/lib/firewall/icmp_ignore_bogus_error_responses: line 11: /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses: Operation not permitted
/var/asl/lib/firewall/tcp_ecn: line 11: /proc/sys/net/ipv4/tcp_ecn: Operation not permitted
/var/asl/lib/firewall/tcp-timestamps: line 14: /proc/sys/net/ipv4/tcp_timestamps: Operation not permitted
/var/asl/lib/firewall/tcp_window_scaling: line 15: /proc/sys/net/ipv4/tcp_window_scaling: Operation not permitted
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- Forum Regular
- Posts: 153
- Joined: Tue Jun 24, 2008 12:05 pm
Re: ASL 4 firewall issues
I opened a ticket for this as well, and it indeed turned out to be kernel modules that were not loaded. The ASL FAQ page holds a large list of kernel modules. I couldn't enable nearly all of them, but it seems to work now, though I may not be able to use all the features due to the modules that I couldn't load into the kernel.
My numiptent threshold is very high, so i probably won't be hitting that any time soon.
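A small helper for the diagnosis worked out in this thread, added here as an example (it is not code from the thread or from Atomicorp): it lists the kernel modules an iptables-save dump depends on (the extension-to-module names are a common mapping assumed for this example), resolves "iptables-restore: line N failed" messages to the offending rule, and reads the numiptent row of /proc/user_beancounters to spot the container limit mentioned above. The sample ruleset, error line and beancounters row are constructed.

```python
import re

# Match/target extension -> kernel module. Common names, assumed for this example.
MODULES = {
    ("match", "comment"): "xt_comment", ("match", "tcp"): "xt_tcpudp",
    ("match", "udp"): "xt_tcpudp", ("match", "state"): "xt_state",
    ("match", "conntrack"): "xt_conntrack", ("match", "multiport"): "xt_multiport",
    ("match", "limit"): "xt_limit", ("target", "LOG"): "xt_LOG",
    ("target", "REJECT"): "xt_REJECT",
}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}

def required_modules(ruleset):
    """Modules the -m matches and -j targets in an iptables-save dump rely on.
    Jumps to chains declared with ':NAME' are user chains and need no module."""
    chains = set(re.findall(r"^:(\S+)", ruleset, re.M))
    needed = set()
    for line in ruleset.splitlines():
        if not line.startswith(("-A ", "-I ")):
            continue
        for m in re.findall(r"(?:^|\s)-m\s+(\S+)", line):
            needed.add(MODULES.get(("match", m), "xt_" + m))
        for t in re.findall(r"(?:^|\s)-j\s+(\S+)", line):
            if t not in chains and t not in BUILTIN_TARGETS:
                needed.add(MODULES.get(("target", t), "xt_" + t))
    return sorted(needed)

def failed_rules(ruleset, restore_errors):
    """Resolve 'iptables-restore: line N failed' to the rule text on line N (1-based)."""
    lines = ruleset.splitlines()
    hits = []
    for n in re.findall(r"iptables-restore: line (\d+) failed", restore_errors):
        i = int(n) - 1
        hits.append((int(n), lines[i] if 0 <= i < len(lines) else None))
    return hits

def numiptent_status(beancounters):
    """Parse the numiptent row of /proc/user_beancounters (columns after the name
    assumed to be held maxheld barrier limit failcnt) and flag exhaustion."""
    for line in beancounters.splitlines():
        f = line.split()
        if "numiptent" in f:
            held, _, _, limit, failcnt = map(int, f[f.index("numiptent") + 1:][:5])
            return {"held": held, "limit": limit, "failcnt": failcnt,
                    "exhausted": failcnt > 0 or held >= limit}
    return None

# Constructed sample: the webmin quick rule from the thread plus a whitelist jump.
SAMPLE_RULES = """*filter
:INPUT ACCEPT [0:0]
:ASL-WHITELIST-LOG - [0:0]
-A INPUT -j ASL-WHITELIST-LOG
-A INPUT -p tcp -m tcp --dport 10000 -m comment --comment webmin -j DROP
COMMIT"""
SAMPLE_ERRORS = "iptables-restore: line 5 failed\n"
SAMPLE_UBC = "     numiptent     28     40     200     200     0\n"
```

On a live container the same functions can be fed the output of `iptables-save`, the reload errors and the contents of /proc/user_beancounters; every module name reported but absent from `lsmod` is a candidate for the "No chain/target/match by that name" error.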