Kitz ADSL Broadband Information
Topic: Firebrick ‘self’ object question

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Firebrick ‘self’ object question
« on: June 03, 2019, 12:20:40 PM »

I have made some mistakes in my firewalling setup with my Firebrick FB2700.

Originally I set all ‘permissions’-type rules around the DSL-WAN interface object, rules to stop bad stuff coming out of there. I later changed the entire thing to have rules protecting the IF-LAN object, aimed at preventing bad/unwanted stuff from entering into it. The reason was that I was suspicious of what happens during failover; stuff could start appearing from a new source-interface=<who knows what> and so wouldn’t be covered by the existing rules which block listed, named sources.

Perhaps I should have a catch-all rule that is the lowest priority, by being after all other rules, which blocks everything as an ‘otherwise’ drop rule. Can I do that?

Anyway, with this second system, put the protection around the royal bed rather than at the castle gates, I discovered a weird problem. The LAN-facing admin IPv4 address of the Firebrick appears to be pingable from outside on the internet. Its address is e.g. 81.187.xxx.1 and that responds to pings generated by remote test pingers. However, other addresses in the LAN range 82.187.xxx.yyy/24, say e.g. 81.187.xxx.2 (sanity check: which is a valid host that responds to pings from inside the LAN) are not pingable, by design.

So even though xxx.1, the Firebrick, is numerically within the xxx.yyy/24 range defined as the IF-LAN object, it is as if that one address is excluded. A ‘block’ rule, which blocks pings to all of the range defined by dest=IF-LAN, seems not to apply to .1 (only), because a ping to .1 isn’t blocked, it seems. This would be explained if .1 is the Firebrick’s ‘self’ object - which it seems to be, established by experiment - but then is not a member of the IF-LAN object/24 range. Weird, if this is correct, it’s like a kind of override. Perhaps it’s some special behaviour designed to prevent you from locking yourself out.

I think I have to mention ‘self’ explicitly in the rules then where I mention IF-LAN, both as protected objects? I also need to have holes in the firewall for ‘self’ then, so that I can access the Firebrick remotely (if on 4G, or if away from home) exactly the same as is currently set to guard IF-LAN?

The ‘overall block-unmentioned’ catchall rule idea mentioned before might take care of some of this anyway?

Is this guesswork about ‘self’ correct? And is the overall catch-all-unmentioned thing the right way to go?
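The situation the post describes, as an added illustration that is not part of the original post and not FireBrick's own rule engine or configuration syntax: a small first-match rule evaluator with named address objects. It models the poster's hypothesis that the brick's own address is a separate ‘self’ object that is not a member of IF-LAN, and shows why a single "block pings to IF-LAN" rule then leaves .1 reachable while either an explicit ‘self’ rule or a trailing catch-all drop closes the gap. The object names IF-LAN and self come from the post; the addresses (192.0.2.0/24 standing in for the redacted 81.187.xxx.0/24), the rule names, and the assumed "accept when nothing matches" default are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of first-match firewall evaluation. This is an
# illustration of the reasoning in the post, not the FireBrick's real
# semantics or config format.

OBJECTS = {
    # Constructed addresses standing in for the redacted 81.187.xxx.0/24
    "IF-LAN": ipaddress.ip_network("192.0.2.0/24"),
    # The brick's own LAN address, modelled as its own object
    "self": ipaddress.ip_network("192.0.2.1/32"),
}


@dataclass
class Rule:
    name: str
    dest: Optional[str]          # object name, or None for "any destination"
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # e.g. "icmp", or None for any protocol


def matches(rule, dst, proto, objects, self_outside_lan):
    """True if the packet (dst, proto) hits this rule."""
    if rule.proto and rule.proto != proto:
        return False
    if rule.dest is None:          # catch-all rule
        return True
    addr = ipaddress.ip_address(dst)
    if addr not in objects[rule.dest]:
        return False
    # Hypothesis from the post: the 'self' address is not treated as a
    # member of IF-LAN, so IF-LAN rules do not apply to it.
    if self_outside_lan and rule.dest == "IF-LAN" and addr in objects["self"]:
        return False
    return True


def evaluate(rules, dst, proto, objects=OBJECTS,
             self_outside_lan=True, default="accept"):
    """First matching rule wins; 'default' is the assumed implicit action
    when no rule matches (an assumption of this model)."""
    for rule in rules:
        if matches(rule, dst, proto, objects, self_outside_lan):
            return rule.name, rule.action
    return "implicit", default


# Three candidate rule sets from the discussion
LAN_ONLY = [Rule("block-ping-to-lan", "IF-LAN", "drop", "icmp")]
WITH_SELF = LAN_ONLY + [Rule("block-ping-to-self", "self", "drop", "icmp")]
WITH_CATCHALL = LAN_ONLY + [Rule("otherwise-drop", None, "drop")]


def demo():
    """Return (rule set, destination) -> decision for inbound ICMP."""
    results = {}
    for label, rules in (("lan-only", LAN_ONLY),
                         ("with-self", WITH_SELF),
                         ("with-catchall", WITH_CATCHALL)):
        for dst in ("192.0.2.1", "192.0.2.2"):
            results[(label, dst)] = evaluate(rules, dst, "icmp")
    return results


if __name__ == "__main__":
    for (label, dst), (rule, action) in demo().items():
        print(f"{label:14} ping -> {dst}: {action:6} (by {rule})")
```

Under the model, only `lan-only` lets the ping to .1 through; the host at .2 is dropped in every case. The catch-all variant also covers any address that arrives via an unexpected source interface after a failover, which is the other concern raised in the post, because it does not depend on naming the source at all.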