Firewall RP- basic question

Greetings,
Really basic question here :oops:
I have a RP-B running raspbian-stretch-lite; on it I was running a news BOT for almost 2 years just fine, but we had to change our ISP modem (-> Cisco EPC3928S) and now the firewall prevents my BOT from working properly. During my troubleshooting, I turned off the firewall completely and all the news came rushing in, BUT I couldn't ping a single web site, which is confusing for me. So I rearmed the firewall and restarted my BOT with the task of finding the blocked ports needed.

So my question now is: why do I get the following output if I type "ifconfig" on my RP

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:5b:6e:70  txqueuelen 1000  (Ethernet)
        RX packets 451  bytes 35133 (34.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 386  bytes 57932 (56.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

And not something like this example below?

eth0      Link encap:Ethernet  HWaddr 09:00:12:90:e3:e5
          inet addr:192.168.1.29  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe70:e3f5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54071 errors:1 dropped:0 overruns:0 frame:0
          TX packets:48515 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
          txqueuelen:1000
          RX bytes:22009423 (20.9 MiB)  TX bytes:25690847 (24.5 MiB)
          Interrupt:10 Base address:0xd020

"sudo netstat -lptu" returns

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      489/sshd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      489/sshd
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           474/dhcpcd
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           307/avahi-daemon: r
udp        0      0 0.0.0.0:51497           0.0.0.0:*                           307/avahi-daemon: r
udp6       0      0 [::]:mdns               [::]:*                              307/avahi-daemon: r
udp6       0      0 [::]:56058              [::]:*                              307/avahi-daemon: r

But I honestly don’t know if this output is correct or not.
Pinging myself (RP) works, but pinging anything else results in 100% packet loss and the BOT is still out.

traceroute to www.google.com (172.217.19.100), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.548 ms  0.439 ms  0.574 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *

Traceroute makes 1 hop then dies, indicating that I am still blocked by the firewall, but what port is blocked?

Firewalls don’t typically block outgoing traffic, especially by default. If ping/traceroute isn’t going through, then ICMP is being blocked, but blocking all outgoing pings would be insane, so I suspect something else is happening.

Is there any sort of IPS configured on the firewall? Are other computers able to ping through the firewall?

Sorry for the delay
Just tried pinging from my personal computer and my father's, which is connected to a different router, but both are running Win 10 and in both cases pinging google.com has given me a request timeout.
Attaching a printscreen of my firewall settings

The funny thing is that webpages load normally and nobody in the house has complained yet that they can't do something, except me (torrenting and my BOT).

No great lightbulb moment, but :-

  1. Firewalls can and do block outgoing traffic; it may be rare in the soho space but it is standard best practice in the enterprise space.

  2. Ping and web use two entirely different protocols; when you’re using ping you’re testing ping not web. In fact ping any web server I firewall and you won’t get an answer. You may want to try something like: sudo nping --tcp -p 80 some.web.site; however that carries the risk of bumping into a different sort of firewall protection - blocking those who send too many SYNs without following through with the rest of the traffic.

  3. Can’t see anything obvious with the ifconfig outputs although for some reason the first lacks the link-local IPv6 address.

  4. Firewall GUI: The list of allowed services doesn't include ICMP (which might explain why the pings don't work and web does); it also implies this is a default deny firewall. I'd also try turning off each checkbox in turn and testing afterwards (and turn it back on again afterwards if it isn't "the problem"). I'd also look at changing that SPI drop-down and testing too.
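The reply above makes the point that ping tests ICMP, not the TCP services the bot actually needs, and the thread later turns on which SMTP submission port (587 or 465) the bot requires. The script below is an added example written for this thread, not code posted by any participant: it resolves each target, completes a real TCP (and optionally TLS) handshake to it, pings once through the system ping, and then separates the four cases a practitioner cares about: DNS broken, nothing gets out, ICMP filtered but TCP fine (the situation described in the thread), or TCP filtered while ping works. The target list is an assumption chosen to match the thread (Google on 80/443, Gmail SMTP on 587 and 465); adjust it to whatever your bot talks to. A "timeout" on a port that is reachable from another network means the SYN or the SYN/ACK was silently dropped somewhere in between, which is what a default-deny or stateful firewall looks like from the inside; a "refused" means the packets got through and the far end answered with RST.

```python
"""Egress check: tells "ICMP is blocked" apart from "TCP is blocked".

Added example for the thread above, not code from the original post.
Assumed targets: the sites the bot needs, here Google (80/443) and Gmail
SMTP on the two submission ports, 587 (STARTTLS) and 465 (implicit TLS).
"""
import socket
import ssl
import subprocess

# Constructed target list: (host, port, use_tls). use_tls=True does a full
# TLS handshake after connecting; 587 is left plain because it needs an
# SMTP STARTTLS exchange before TLS, which this probe does not speak.
DEFAULT_TARGETS = [
    ("www.google.com", 80, False),
    ("www.google.com", 443, True),
    ("smtp.gmail.com", 587, False),
    ("smtp.gmail.com", 465, True),
]


def resolve(host):
    """First IPv4 address for host, or None when resolution fails."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def tcp_probe(host, port, timeout=3.0, use_tls=False):
    """Complete a TCP handshake (and TLS if asked) and classify the outcome.

    Returns one of 'open', 'refused', 'timeout', 'tls-error', 'error'.
    'timeout' is the signature of a filtering device dropping packets;
    'refused' means we reached the host and it sent RST.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "error"


def icmp_probe(host, timeout=3):
    """One ICMP echo via the system ping (Linux iputils flags: -c, -W)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), host]
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout + 2)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def diagnose(dns_ok, icmp_ok, tcp_results):
    """Map probe outcomes onto a verdict.

    tcp_results: {(host, port): status}. Returns (verdict, blocked) where
    blocked lists the (host, port) pairs that timed out, i.e. were dropped.
    """
    blocked = sorted(k for k, v in tcp_results.items() if v == "timeout")
    # 'refused' still proves IP-level egress works: the RST came back.
    reached = [k for k, v in tcp_results.items() if v in ("open", "refused")]
    if not dns_ok:
        return "dns-failure", blocked
    if reached and icmp_ok:
        return "egress-ok", blocked
    if reached:
        return "icmp-filtered", blocked   # ping dies, web works: the thread's case
    if icmp_ok:
        return "tcp-filtered", blocked
    return "no-egress", blocked


def main(targets=DEFAULT_TARGETS):
    hosts = sorted({h for h, _, _ in targets})
    addrs = {h: resolve(h) for h in hosts}
    dns_ok = all(addrs.values())
    icmp_ok = dns_ok and any(icmp_probe(h) for h in hosts)
    results = {}
    for host, port, tls in targets:
        if addrs[host]:
            results[(host, port)] = tcp_probe(host, port, use_tls=tls)
            print(f"{host}:{port:<4} {results[(host, port)]}")
    verdict, blocked = diagnose(dns_ok, icmp_ok, results)
    print("verdict:", verdict, "blocked:", blocked)
    return verdict, blocked


if __name__ == "__main__":
    main()
```

Run it with the firewall on and again with SPI switched off; a verdict that moves from "icmp-filtered" with Gmail ports in the blocked list to "egress-ok" points at the modem rather than at the bot, and the blocked list names the exact port to allow.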

1 and 2 – good to know, but I have to google what nping does before running it; give me a minute or two, please.
3) IPv6 was disabled by me when I set up the RP in the beginning, by adding the following to »/etc/sysctl.conf«

# disable IPv6 on every interface (comment translated from Slovenian)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

then running -> sysctl -p

4) I will test again now

Ok I have tested all of the proposed scenarios and am attaching the following files:

  1. Excel file with the results gathered by running traceroute/ping/nping with my RP and Win 10 machine
  2. Layout of my setup – if it helps
  3. Additional information about my modem (everything else should be stock)
    • I tried opening ports that are used for Outgoing Mail (SMTP) Server, but wasn't sure which setting to set, so I did both.

To me it looks like the RP can't connect to the internet when the firewall is on and so can't send the news; what I don't understand is how, if both port 80 and 443 are open. Additionally I have tried searching for the BOT process and opening its port if needed.

Sorry for rambling, that's it from me: either I haven't opened the necessary port for email to be sent (Gmail SMTP) or my bot is broken xD

Good night and thank you all for the help.

https://imgur.com/a/E5ypLYq <- all images combined

below, so you can see the names - not the best way of doing a post, I apologize.

Anyone?

So if I understand things correctly, it more or less works when you turn down the firewall protection (SPI). Apparently "SPI" is a newfangled name for 'stateful inspection', or what I would call a 'last generation firewall' (but I'm more used to the enterprise space).

I wouldn't worry too much about the traceroutes not working - its real use is for diagnosing routing issues. Just to add to the confusion, Windows traceroute works differently from Linux traceroute (by default).

The only thing I can think of is that perhaps your firewall's SPI is buggy and something about your RP is triggering that. Check if there are any updates and go over the documentation.

Of course I might be missing something - my brain isn’t working properly today (it’s distracted by Fresher’s flu).

Yes that’s right, if I turn off the firewall protection “everything” works.
I checked but didn't find any update out there :frowning: oh well

Thank you all for your help; last question, if I may: did I set up port forwarding correctly?

P.S get well soon

It looks okay.

Do you really need SMTPS on tcp/465? I would have thought by now the only mail clients still needing that should have a stake driven through their hearts - it’s been deprecated since before I started playing with firewalls (which is close to 20 years ago).

Ah ok, thank you.
Good to know; probably I have read something wrong. I have disabled it for now.

Really appreciate the help and thank you again.
Can I mark a topic as “completed/solved”?