Page 1 of 1

Terrible bug with firewall

Posted: 01 May 2023, 23:02
by bretwashere
Hello,

I just purchased and set up my F2-223 NAS, and I discovered a nasty bug upon adding a rule to open port 1701 for L2TP VPN. Upon saving, the NAS lost all service connectivity (Web GUI, SMB shares, even the ability to respond to ICMP requests). I rebooted the NAS, and that did not remedy the situation.

I was able to SSH into the NAS. I tested hitting the web ports via cURL, and the only thing I could hit was port 80, which did a 302 redirect to 8181. Port 8181 was NOT accessible via localhost using cURL. Restarting nginx did not resolve the issue.

I then inspected the iptables rules. This is the results:

Code: Select all

[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DOS_PROTECT  all  --  anywhere             anywhere            
INPUT_FIREWALL  all  --  anywhere             anywhere            
INPUT_PROTECT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
FORWARD_FIREWALL  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOS_PROTECT (1 references)
target     prot opt source               destination         

Chain FORWARD_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  nas                  anywhere            
ACCEPT     tcp  --  nas                  anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_PROTECT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:telnet
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:telnet
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet

I added a rule to the INPUT chain to allow all traffic from anywhere to anywhere, and I was able to access the NAS again, and ICMP requests responded as well. I went into the firewall settings via the GUI and removed the rule for port 1701, then listed the tables in iptables:

Code: Select all

[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DOS_PROTECT  all  --  anywhere             anywhere            
INPUT_FIREWALL  all  --  anywhere             anywhere            
INPUT_PROTECT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
FORWARD_FIREWALL  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOS_PROTECT (1 references)
target     prot opt source               destination         

Chain FORWARD_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  nas                  anywhere            
ACCEPT     tcp  --  nas                  anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:1701
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1701

Chain INPUT_PROTECT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:ssh
ACCEPT     tcp  --  10.0.0.0/8           anywhere             tcp dpt:telnet
ACCEPT     tcp  --  10.4.1.2             anywhere             tcp dpt:ssh
I then deleted my custom iptable rule, and all continued to work well. If I didn't have significant experience with Linux, I would have not been able to fix this issue. I wouldn't have even has access to reinitialize the NAS, resulting in a RMA. Can you please investigate the Terramaster firewall for bugs in order to prevent such an issue to happening again? Thank you

Re: Terrible bug with firewall

Posted: 02 May 2023, 12:19
by TMroy
I think you have set incorrect firewall rules so that you blocked your computer.
When you set DROP all IP sources and ACCEPT specific IPs, you need to include your computer's IP in the ACCEPT list.

Re: Terrible bug with firewall

Posted: 08 Jun 2023, 05:49
by bretwashere
Hello,

The thing is…I didn’t set up any DROP rules via the firewall GUI. I simply had two rules, one to allow all inbound traffic, and a second rule to allow the L2TP port. As shown in my post, a firewall rule was created to drop all traffic, which I was able to remove via iptables.

Re: Terrible bug with firewall

Posted: 08 Jun 2023, 18:06
by TMzethar
bretwashere wrote: 08 Jun 2023, 05:49 Hello,

The thing is…I didn’t set up any DROP rules via the firewall GUI. I simply had two rules, one to allow all inbound traffic, and a second rule to allow the L2TP port. As shown in my post, a firewall rule was created to drop all traffic, which I was able to remove via iptables.
TNAS defaults to allow all, when you set "allow" again, it will disable other not allowed.

Re: Terrible bug with firewall

Posted: 08 Jun 2023, 18:57
by Gremlin
{L_BUTTON_AT}TMzethar

I think you need to include clear examples in the help section(s) and/or a clear tutorial because your
firewall rules do not necessarily follow users expectations. (eg compared to a router which would usually default to "deny all inbound"). Add to that the potential to enable "SECURITY Isolation mode" which could further confuse the issue. And maybe add something for REMOTE Access scenario and how that may impact firewall rules.

Re: Terrible bug with firewall

Posted: 09 Jun 2023, 10:10
by TMzethar
{L_BUTTON_AT}Gremlin

We will consider your suggestion.

Re: Terrible bug with firewall

Posted: 09 Jun 2023, 17:03
by Gremlin
{L_BUTTON_AT}TMzethar

Thank you