Terrible bug with firewall
Posted: 01 May 2023, 23:02
Hello,
I just purchased and set up my F2-223 NAS, and I discovered a nasty bug upon adding a rule to open port 1701 for L2TP VPN. Upon saving, the NAS lost all service connectivity (Web GUI, SMB shares, even the ability to respond to ICMP requests). I rebooted the NAS, and that did not remedy the situation.
I was able to SSH into the NAS. I tested hitting the web ports via cURL, and the only thing I could hit was port 80, which did a 302 redirect to 8181. Port 8181 was NOT accessible via localhost using cURL. Restarting nginx did not resolve the issue.
I then inspected the iptables rules. This is the results:
I added a rule to the INPUT chain to allow all traffic from anywhere to anywhere, and I was able to access the NAS again, and ICMP requests responded as well. I went into the firewall settings via the GUI and removed the rule for port 1701, then listed the tables in iptables:
I then deleted my custom iptable rule, and all continued to work well. If I didn't have significant experience with Linux, I would have not been able to fix this issue. I wouldn't have even has access to reinitialize the NAS, resulting in a RMA. Can you please investigate the Terramaster firewall for bugs in order to prevent such an issue to happening again? Thank you
I just purchased and set up my F2-223 NAS, and I discovered a nasty bug upon adding a rule to open port 1701 for L2TP VPN. Upon saving, the NAS lost all service connectivity (Web GUI, SMB shares, even the ability to respond to ICMP requests). I rebooted the NAS, and that did not remedy the situation.
I was able to SSH into the NAS. I tested hitting the web ports via cURL, and the only thing I could hit was port 80, which did a 302 redirect to 8181. Port 8181 was NOT accessible via localhost using cURL. Restarting nginx did not resolve the issue.
I then inspected the iptables rules. This is the results:
Code: Select all
[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DOS_PROTECT all -- anywhere anywhere
INPUT_FIREWALL all -- anywhere anywhere
INPUT_PROTECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_FIREWALL all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOS_PROTECT (1 references)
target prot opt source destination
Chain FORWARD_FIREWALL (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_FIREWALL (1 references)
target prot opt source destination
ACCEPT udp -- nas anywhere
ACCEPT tcp -- nas anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_PROTECT (1 references)
target prot opt source destination
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:telnet
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:telnetI added a rule to the INPUT chain to allow all traffic from anywhere to anywhere, and I was able to access the NAS again, and ICMP requests responded as well. I went into the firewall settings via the GUI and removed the rule for port 1701, then listed the tables in iptables:
Code: Select all
[<username>@nas ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DOS_PROTECT all -- anywhere anywhere
INPUT_FIREWALL all -- anywhere anywhere
INPUT_PROTECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
FORWARD_FIREWALL all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOS_PROTECT (1 references)
target prot opt source destination
Chain FORWARD_FIREWALL (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_FIREWALL (1 references)
target prot opt source destination
ACCEPT udp -- nas anywhere
ACCEPT tcp -- nas anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1701
ACCEPT udp -- anywhere anywhere udp dpt:1701
Chain INPUT_PROTECT (1 references)
target prot opt source destination
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:ssh
ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:telnet
ACCEPT tcp -- 10.4.1.2 anywhere tcp dpt:ssh