Terrible bug with firewall

bretwashere
Posts: 8
Joined: 01 May 2023, 22:50

Terrible bug with firewall

Post by bretwashere »

Hello,

I just purchased and set up my F2-223 NAS, and I discovered a nasty bug upon adding a rule to open port 1701 for L2TP VPN. Upon saving, the NAS lost all service connectivity (Web GUI, SMB shares, even the ability to respond to ICMP requests). I rebooted the NAS, and that did not remedy the situation.

I was able to SSH into the NAS. I tested hitting the web ports via cURL, and the only thing I could hit was port 80, which did a 302 redirect to 8181. Port 8181 was NOT accessible via localhost using cURL. Restarting nginx did not resolve the issue.

I then inspected the iptables rules. These are the results:

[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DOS_PROTECT  all  --  anywhere             anywhere            
INPUT_FIREWALL  all  --  anywhere             anywhere            
INPUT_PROTECT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
FORWARD_FIREWALL  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOS_PROTECT (1 references)
target     prot opt source               destination         

Chain FORWARD_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  nas                  anywhere            
ACCEPT     tcp  --  nas                  anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_PROTECT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:telnet
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:telnet
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet

I added a rule to the INPUT chain to allow all traffic from anywhere to anywhere, and I was able to access the NAS again, and ICMP requests responded as well. I went into the firewall settings via the GUI and removed the rule for port 1701, then listed the tables in iptables:

[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DOS_PROTECT  all  --  anywhere             anywhere            
INPUT_FIREWALL  all  --  anywhere             anywhere            
INPUT_PROTECT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
FORWARD_FIREWALL  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOS_PROTECT (1 references)
target     prot opt source               destination         

Chain FORWARD_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  nas                  anywhere            
ACCEPT     tcp  --  nas                  anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_PROTECT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:telnet
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:ssh

I then deleted my custom iptables rule, and all continued to work well. If I didn't have significant experience with Linux, I would not have been able to fix this issue. I wouldn't even have had access to reinitialize the NAS, resulting in an RMA. Can you please investigate the TerraMaster firewall for bugs in order to prevent such an issue from happening again? Thank you
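The listings above show why SSH still worked while the web GUI did not: with INPUT's policy at DROP, a packet only survives if some rule in DOS_PROTECT, INPUT_FIREWALL or INPUT_PROTECT accepts it, and nothing accepts TCP 8181 or SMB from a LAN host. The following is an added example, not code from the post or from TerraMaster: a small simulator that parses `iptables -L` output (a listing constructed from the one above, with the empty DOS_PROTECT, FORWARD and OUTPUT chains left out) and walks the chains for a given admin host and service, so a lockout can be spotted before a rule set is applied. The admin host, port-to-service map and chain names are assumptions taken from the post.

```python
import ipaddress, re
def parse_iptables_l(text):
    """Parse `iptables -L` output into {chain: (policy or None, [(target, proto, src, dport)])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            cur = m[1]
            chains[cur] = (m[2], [])  # user-defined chains print references, not a policy
        elif cur and line.strip() and not line.startswith("target"):
            target, proto, _, src = line.split()[:4]
            pm = re.search(r"dpt:(\S+)", line)  # -L without -n prints service names for ports
            dport = ({"ssh": 22, "telnet": 23}.get(pm[1]) or int(pm[1])) if pm else None
            chains[cur][1].append((target, proto, src, dport))
    return chains

def verdict(chains, chain, src, proto, dport):
    """Walk one chain as netfilter would for one inbound packet: ACCEPT/DROP/REJECT, or RETURN."""
    for target, rproto, rsrc, rdport in chains[chain][1]:
        if rproto not in ("all", proto) or (rdport is not None and rdport != dport):
            continue
        if rsrc != "anywhere" and not (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
                                       if "/" in rsrc else rsrc == src):
            continue  # CIDR sources by membership; hostnames such as 'nas' compared literally
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:  # jump; a user chain that decides nothing returns here
            sub = verdict(chains, target, src, proto, dport)
            if sub != "RETURN":
                return sub
    return chains[chain][0] or "RETURN"  # built-in chain falls back to its policy

def admin_reachability(listing, admin_ip, services):
    """{service: verdict} for one admin host; DROP on the GUI port is the lockout from the post."""
    chains = parse_iptables_l(listing)
    return {n: verdict(chains, "INPUT", admin_ip, p, d) for n, (p, d) in services.items()}
# Constructed from the first listing in the post; empty DOS_PROTECT, FORWARD and OUTPUT omitted.
LOCKED_OUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
INPUT_FIREWALL  all  --  anywhere             anywhere
INPUT_PROTECT  all  --  anywhere             anywhere
Chain INPUT_FIREWALL (1 references)
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701
Chain INPUT_PROTECT (1 references)
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
"""
ADMIN_SERVICES = {"ssh": ("tcp", 22), "web_gui": ("tcp", 8181), "smb": ("tcp", 445), "l2tp": ("udp", 1701)}
```

Running `admin_reachability(LOCKED_OUT, "10.4.1.2", ADMIN_SERVICES)` reports ACCEPT for ssh and l2tp but DROP for web_gui and smb, which is exactly the state the post describes; adding the "ACCEPT all" rule at the top of INPUT, as the poster did, turns every verdict into ACCEPT.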
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: Terrible bug with firewall

Post by TMroy »

I think you have set incorrect firewall rules, so that you blocked your own computer.
When you set DROP for all IP sources and ACCEPT for specific IPs, you need to include your computer's IP in the ACCEPT list.
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
bretwashere
Posts: 8
Joined: 01 May 2023, 22:50

Re: Terrible bug with firewall

Post by bretwashere »

Hello,

The thing is…I didn’t set up any DROP rules via the firewall GUI. I simply had two rules, one to allow all inbound traffic, and a second rule to allow the L2TP port. As shown in my post, a firewall rule was created to drop all traffic, which I was able to remove via iptables.
TMzethar
TerraMaster Team
Posts: 1128
Joined: 27 Oct 2020, 16:43

Re: Terrible bug with firewall

Post by TMzethar »

bretwashere wrote: 08 Jun 2023, 05:49
Hello,

The thing is…I didn’t set up any DROP rules via the firewall GUI. I simply had two rules, one to allow all inbound traffic, and a second rule to allow the L2TP port. As shown in my post, a firewall rule was created to drop all traffic, which I was able to remove via iptables.
TNAS defaults to allow all; when you set an "allow" rule, it will disable everything that is not allowed.
Gremlin
Posts: 433
Joined: 02 Dec 2022, 22:31
Great Britain

Re: Terrible bug with firewall

Post by Gremlin »

@TMzethar

I think you need to include clear examples in the help section(s) and/or a clear tutorial, because your firewall rules do not necessarily follow users' expectations (e.g. compared to a router, which would usually default to "deny all inbound"). Add to that the potential to enable "SECURITY Isolation mode", which could further confuse the issue. And maybe add something for the REMOTE Access scenario and how that may impact firewall rules.
F5-221 5.1.123, 8GB System Partition on 3 x 4TB Traid; 3TB EXT4
F2-221 TOS6 (Beta), 8GB System Partition on 2 x 6TB in Traid.
TMzethar
TerraMaster Team
Posts: 1128
Joined: 27 Oct 2020, 16:43

Re: Terrible bug with firewall

Post by TMzethar »

@Gremlin

We will consider your suggestion.
Gremlin
Posts: 433
Joined: 02 Dec 2022, 22:31
Great Britain

Re: Terrible bug with firewall

Post by Gremlin »

@TMzethar

Thank you