* Firewall sometimes leaking
@ 2020-05-06 11:24 Nick
  2020-05-06 14:22 ` Jozsef Kadlecsik
From: Nick @ 2020-05-06 11:24 UTC (permalink / raw)
  To: netfilter

My firewall leaks, sometimes.  I saw this behaviour with FireHOL and
tried Shorewall instead but it continues.  Advice in #shorewall on
freenode was that my shorewall configuration is valid.

The firewall has a rule to drop HTTP traffic if the source address is
in an ipset.  The ipset is maintained by fail2ban and created by
/etc/shorewall/init:

   ipset create f2b-http4 hash:ip family inet  comment timeout 2147483 -exist

This is on debian stable, uname -v prints "#1 SMP Debian
4.19.98-1+deb10u1 (2020-04-27)".  In debian's "alternatives" system,
iptables is symlinked to /usr/sbin/iptables-nft.

The rule is on line 66 in the attached 'iptables-save -c' output.  The
rule usually works but sometimes it doesn't.  An example occurrence
follows (times are in BST).

2020-05-02 16:23 last reboot.
2020-05-04 21:03 shorewall last restarted.
2020-05-04 21:13 fail2ban last restarted.
2020-05-05 10:02 I saved the contents of the ipset f2b-http4 to a file.
2020-05-06 04:22 the webserver logged a request from 193.118.53.194.
2020-05-06 04:22 fail2ban warned "193.118.53.194 already banned".

The address was in my saved file, before the request:

  # grep '193\.118\.53\.194' ~/f2b-http4-2020-05-05T10:02+01:00.txt 
  193.118.53.194 timeout 2101355 comment "wronghost"

The address was still in the ipset after the request:

  # date +%s && grep '193\.118\.53\.194' <(ipset list f2b-http4)
  1588750964
  193.118.53.194 timeout 2019727 comment "wronghost"

The decrement in the timeout (from 2101355 to 2019727) matches the
time elapsed from saving the file to checking the ipset:

  # date +%s --date="2020-05-05T10:02+01:00"
  1588669320
  # echo $((1588669320 + (2101355 - 2019727)))
  1588750948
  # echo $((1588750964 - 1588750948))
  16

i.e. they match to within 16s (my file timestamp has minute resolution).

I think the ip address was in the ipset f2b-http4 continuously before,
during and after the time of the http request.  Yet the address was
able to reach port 80 at 04:22 today.  How?

Thanks,
-- 
Nick

[-- Attachment #2: iptables-save.txt --]
[-- Type: text/plain, Size: 8363 bytes --]

     1	# Generated by xtables-save v1.8.2 on Wed May  6 10:44:54 2020
     2	*raw
     3	:PREROUTING ACCEPT [268704:22528984]
     4	:OUTPUT ACCEPT [16017:1501591]
     5	COMMIT
     6	# Completed on Wed May  6 10:44:54 2020
     7	# Generated by xtables-save v1.8.2 on Wed May  6 10:44:54 2020
     8	*nat
     9	:PREROUTING ACCEPT [254501:19507810]
    10	:INPUT ACCEPT [2822:293211]
    11	:POSTROUTING ACCEPT [9372:738643]
    12	:OUTPUT ACCEPT [9371:738603]
    13	COMMIT
    14	# Completed on Wed May  6 10:44:54 2020
    15	# Generated by xtables-save v1.8.2 on Wed May  6 10:44:54 2020
    16	*mangle
    17	:PREROUTING ACCEPT [268704:22528984]
    18	:INPUT ACCEPT [68313:9251380]
    19	:FORWARD ACCEPT [0:0]
    20	:OUTPUT ACCEPT [16017:1501591]
    21	:POSTROUTING ACCEPT [16017:1501591]
    22	[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
    23	COMMIT
    24	# Completed on Wed May  6 10:44:54 2020
    25	# Generated by xtables-save v1.8.2 on Wed May  6 10:44:54 2020
    26	*filter
    27	:INPUT DROP [0:0]
    28	:FORWARD DROP [0:0]
    29	:OUTPUT ACCEPT [16017:1501591]
    30	:dbl_log - [0:0]
    31	:logflags - [0:0]
    32	:net-fw - [0:0]
    33	:reject - [0:0]
    34	:smurflog - [0:0]
    35	:smurfs - [0:0]
    36	:tcpflags - [0:0]
    37	:~log0 - [0:0]
    38	:~log1 - [0:0]
    39	:~log2 - [0:0]
    40	:~log3 - [0:0]
    41	:~log4 - [0:0]
    42	:sha-lh-7d55c90e26beacf414af - [0:0]
    43	:sha-rh-f7dacd76c267f54cf185 - [0:0]
    44	:shorewall - [0:0]
    45	[68313:9251380] -A INPUT -i ens3 -j net-fw
    46	[0:0] -A INPUT -i lo -j ACCEPT
    47	[0:0] -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    48	[0:0] -A INPUT -m addrtype --dst-type ANYCAST -j DROP
    49	[0:0] -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    50	[0:0] -A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "INPUT DROP "
    51	[0:0] -A INPUT -j DROP
    52	[0:0] -A FORWARD -m addrtype --dst-type BROADCAST -j DROP
    53	[0:0] -A FORWARD -m addrtype --dst-type ANYCAST -j DROP
    54	[0:0] -A FORWARD -m addrtype --dst-type MULTICAST -j DROP
    55	[0:0] -A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "FORWARD DROP "
    56	[0:0] -A FORWARD -j DROP
    57	[349:20132] -A dbl_log -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "dbl_log DROP black4 "
    58	[349:20132] -A dbl_log -j SET --add-set black4 src --exist --timeout 2147483
    59	[349:20132] -A dbl_log -j DROP
    60	[0:0] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "logflags DROP "
    61	[0:0] -A logflags -j DROP
    62	[349:20132] -A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -m set --match-set black4 src -j dbl_log
    63	[56058:6853054] -A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j smurfs
    64	[2309:757149] -A net-fw -p udp -m udp --dport 67:68 -j ACCEPT
    65	[39568:1840560] -A net-fw -p tcp -j tcpflags
    66	[372:20257] -A net-fw -p tcp -m tcp --dport 80 -m set --match-set f2b-http4 src -m comment --comment HTTP -g ~log0
    67	[687:35060] -A net-fw -p tcp -m tcp --dport 25 -m set --match-set f2b-smtp4 src -m comment --comment SMTP -g ~log1
    68	[11616:2362493] -A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    69	[375:16304] -A net-fw -p tcp -m conntrack --ctstate INVALID -j DROP
    70	[1425:117990] -A net-fw -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
    71	[385:16548] -A net-fw -p tcp -m tcp --dport 25 -m hashlimit --hashlimit-upto 10/min --hashlimit-burst 15 --hashlimit-name c_smtp -m connlimit --connlimit-upto 3 --connlimit-mask 32 --connlimit-saddr -m comment --comment SMTP -j ACCEPT
    72	[1:40] -A net-fw -p tcp -m tcp --dport 25 -m comment --comment SMTP -g ~log2
    73	[0:0] -A net-fw -p tcp -m tcp --dport 22 -m set --match-set ssh4 src -m comment --comment SSH -j ACCEPT
    74	[505:22272] -A net-fw -p tcp -m tcp --dport 80 -m hashlimit --hashlimit-upto 20/min --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name c_http -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 100 --hashlimit-mode dstip --hashlimit-name s_http -m connlimit --connlimit-upto 5 --connlimit-mask 32 --connlimit-saddr -m comment --comment HTTP -j ACCEPT
    75	[0:0] -A net-fw -p tcp -m tcp --dport 80 -m comment --comment HTTP -g ~log3
    76	[105:5216] -A net-fw -p tcp -m tcp --dport 443 -m hashlimit --hashlimit-upto 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name c_https -m hashlimit --hashlimit-upto 20/min --hashlimit-burst 40 --hashlimit-mode dstip --hashlimit-name s_https -m connlimit --connlimit-upto 2 --connlimit-mask 32 --connlimit-saddr -m comment --comment HTTPS -j ACCEPT
    77	[0:0] -A net-fw -p tcp -m tcp --dport 443 -m comment --comment HTTPS -g ~log4
    78	[14506:4267588] -A net-fw -m addrtype --dst-type BROADCAST -j DROP
    79	[0:0] -A net-fw -m addrtype --dst-type ANYCAST -j DROP
    80	[3:96] -A net-fw -m addrtype --dst-type MULTICAST -j DROP
    81	[30646:1367317] -A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "net-fw DROP "
    82	[35675:1610235] -A net-fw -j DROP
    83	[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
    84	[0:0] -A reject -s 224.0.0.0/4 -j DROP
    85	[0:0] -A reject -p igmp -j DROP
    86	[1:40] -A reject -p tcp -j REJECT --reject-with tcp-reset
    87	[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
    88	[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
    89	[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
    90	[0:0] -A smurflog -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j NFLOG --nflog-prefix  "smurfs DROP "
    91	[0:0] -A smurflog -j DROP
    92	[2290:751459] -A smurfs -s 0.0.0.0/32 -j RETURN
    93	[0:0] -A smurfs -m addrtype --src-type BROADCAST -g smurflog
    94	[0:0] -A smurfs -s 224.0.0.0/4 -g smurflog
    95	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
    96	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
    97	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
    98	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
    99	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
   100	[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
   101	[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
   102	[370:20137] -A ~log0 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTP -j NFLOG --nflog-prefix  "net-fw DROP f2b-http4 "
   103	[372:20257] -A ~log0 -m comment --comment HTTP -j DROP
   104	[687:35060] -A ~log1 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment SMTP -j NFLOG --nflog-prefix  "net-fw DROP f2b-smtp4 "
   105	[687:35060] -A ~log1 -m comment --comment SMTP -j DROP
   106	[1:40] -A ~log2 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment SMTP -j NFLOG --nflog-prefix  "net-fw REJECT r8lim-smtp "
   107	[1:40] -A ~log2 -m comment --comment SMTP -j reject
   108	[0:0] -A ~log3 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTP -j NFLOG --nflog-prefix  "net-fw REJECT r8lim-http "
   109	[0:0] -A ~log3 -m comment --comment HTTP -j reject
   110	[0:0] -A ~log4 -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -m comment --comment HTTPS -j NFLOG --nflog-prefix  "net-fw REJECT r8lim-https "
   111	[0:0] -A ~log4 -m comment --comment HTTPS -j reject
   112	[0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource 
   113	COMMIT
   114	# Completed on Wed May  6 10:44:54 2020

* Re: Firewall sometimes leaking
  2020-05-06 11:24 Firewall sometimes leaking Nick
@ 2020-05-06 14:22 ` Jozsef Kadlecsik
  2020-05-06 14:57   ` Nick
From: Jozsef Kadlecsik @ 2020-05-06 14:22 UTC (permalink / raw)
  To: Nick; +Cc: netfilter

Hi,

On Wed, 6 May 2020, Nick wrote:

> My firewall leaks, sometimes.  I saw this behaviour with FireHOL and
> tried Shorewall instead but it continues.  Advice in #shorewall on
> freenode was that my shorewall configuration is valid.
> 
> The firewall has a rule to drop HTTP traffic if the source address is
> in an ipset.  The ipset is maintained by fail2ban and created by
> /etc/shorewall/init:
> 
>    ipset create f2b-http4 hash:ip family inet  comment timeout 2147483 -exist
> 
> This is on debian stable, uname -v prints "#1 SMP Debian
> 4.19.98-1+deb10u1 (2020-04-27)".  In debian's "alternatives" system,
> iptables is symlinked to /usr/sbin/iptables-nft.
> 
> The rule is on line 66 in the attached 'iptables-save -c' output.  The
> rule usually works but sometimes it doesn't.  An example occurrence
> follows (times are in BST).

Maybe the fail2ban rule is applied both for http and https, while 
the rule with the ipset matching is http only?

Best regards,
Jozsef 

> 2020-05-02 16:23 last reboot.
> 2020-05-04 21:03 shorewall last restarted.
> 2020-05-04 21:13 fail2ban last restarted.
> 2020-05-05 10:02 I saved the contents of the ipset f2b-http4 to a file.
> 2020-05-06 04:22 the webserver logged a request from 193.118.53.194.
> 2020-05-06 04:22 fail2ban warned "193.118.53.194 already banned".
> 
> The address was in my saved file, before the request:
> 
>   # grep '193\.118\.53\.194' ~/f2b-http4-2020-05-05T10:02+01:00.txt 
>   193.118.53.194 timeout 2101355 comment "wronghost"
> 
> The address was still in the ipset after the request:
> 
>   # date +%s && grep '193\.118\.53\.194' <(ipset list f2b-http4)
>   1588750964
>   193.118.53.194 timeout 2019727 comment "wronghost"
> 
> The decrement in the timeout (from 2101355 to 2019727) matches the
> time elapsed from saving the file to checking the ipset:
> 
>   # date +%s --date="2020-05-05T10:02+01:00"
>   1588669320
>   # echo $((1588669320 + (2101355 - 2019727)))
>   1588750948
>   # echo $((1588750964 - 1588750948))
>   16
> 
> i.e. they match to within 16s (my file timestamp has minute resolution).
> 
> I think the ip address was in the ipset f2b-http4 continuously before,
> during and after the time of the http request.  Yet the address was
> able to reach port 80 at 04:22 today.  How?
> 
> Thanks,
> -- 
> Nick
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

* Re: Firewall sometimes leaking
  2020-05-06 14:22 ` Jozsef Kadlecsik
@ 2020-05-06 14:57   ` Nick
  2020-05-10  7:56     ` Firewall sometimes leaking [solved] Nick
From: Nick @ 2020-05-06 14:57 UTC (permalink / raw)
  To: netfilter

On 2020-05-06 15:31 BST, Jozsef Kadlecsik wrote:
> Maybe the fail2ban rule is applied both for http and https, while the
> rule with the ipset matching is http only?

The log file that fail2ban monitors is the log for http requests only.
No other service writes to that log.  The ipset is for http only.

I'm unclear about the import of your question though: by the time of the
http request at 04:22 fail2ban had done its thing and was no longer
involved.  fail2ban had put the address into the ipset but netfilter,
for reasons I don't understand, apparently ignored it.
-- 
Nick

* Re: Firewall sometimes leaking [solved]
  2020-05-06 14:57   ` Nick
@ 2020-05-10  7:56     ` Nick
From: Nick @ 2020-05-10  7:56 UTC (permalink / raw)
  To: netfilter

On 2020-05-06 15:57 BST, Nick wrote:
> On 2020-05-06 15:31 BST, Jozsef Kadlecsik wrote:
> > Maybe the fail2ban rule is applied both for http and https, while the
> > rule with the ipset matching is http only?
> 
> The log file that fail2ban monitors is the log for http requests only.
> No other service writes to that log.

I was mistaken.  Some https requests were in fact getting logged to the
same file as for http, and that was my trouble.  So this was not an
issue with netfilter but my misconfiguration of my web server.
-- 
Nick
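An added audit check, written for this page and not part of the thread or of Shorewall/fail2ban: it parses the rule lines of an 'iptables-save' dump and reports, for each ipset used as a source match, which destination ports actually consult it, so a set that guards only port 80 while the feeding log also records port-443 requests stands out. The sample rule lines are constructed in the shape of the attached dump; the function names are my own.

```python
import re

# Constructed sample in the shape of the attached 'iptables-save -c' dump:
# f2b-http4 is consulted only on --dport 80, black4 on every port.
SAMPLE_RULES = """\
[349:20132] -A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -m set --match-set black4 src -j dbl_log
[372:20257] -A net-fw -p tcp -m tcp --dport 80 -m set --match-set f2b-http4 src -m comment --comment HTTP -g ~log0
[687:35060] -A net-fw -p tcp -m tcp --dport 25 -m set --match-set f2b-smtp4 src -m comment --comment SMTP -g ~log1
[105:5216] -A net-fw -p tcp -m tcp --dport 443 -m hashlimit --hashlimit-upto 10/min --hashlimit-name c_https -j ACCEPT
"""

ANY_PORT = "any"  # marker: the set is matched without a port restriction
SET_RE = re.compile(r"--match-set\s+(\S+)\s+(src|dst)")
DPORT_RE = re.compile(r"--dports?\s+(\S+)")  # -m tcp --dport / -m multiport --dports


def _expand_ports(spec):
    """Expand '80', '67:68' or '80,443' (multiport syntax) into ints."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        yield from range(int(lo), int(hi or lo) + 1)


def ports_guarded_by_sets(save_text):
    """Map each ipset used as a *source* match to the destination ports on
    which the dump actually consults it (ANY_PORT when no port is matched)."""
    guarded = {}
    for line in save_text.splitlines():
        if " -A " not in line:
            continue  # chain declarations, COMMIT and comments carry no match
        m = SET_RE.search(line)
        if not m or m.group(2) != "src":
            continue
        ports = guarded.setdefault(m.group(1), set())
        d = DPORT_RE.search(line)
        if d is None:
            ports.add(ANY_PORT)
        else:
            ports.update(_expand_ports(d.group(1)))
    return guarded


def uncovered_ports(save_text, set_name, service_ports):
    """Service ports a banned source can still reach because the set is not
    consulted there: the thread's case is f2b-http4 on 80 while the log fed
    to fail2ban also contains https requests, leaving 443 open."""
    guarded = ports_guarded_by_sets(save_text).get(set_name, set())
    if ANY_PORT in guarded:
        return set()
    return {p for p in service_ports if p not in guarded}
```

Running `uncovered_ports(SAMPLE_RULES, "f2b-http4", {80, 443})` over the sample returns `{443}`, the gap Nick eventually traced to his web server logging https requests into the http log.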
