Firewall is driving me nuts


KpaBap
09-16-2008, 09:10 PM
I am almost completely convinced that the Untangle firewall just plain doesn't work as a firewall. I'm afraid my nerves are becoming quite tangled.

Please correct me if I'm wrong. I have narrowed it down to the following very simple setup and it just doesn't work. I'm wondering why this is so difficult...
http://norcaltouge.com/tangled1.jpg

When I run a port scan:

GRC Port Authority Report created on UTC: 2008-09-17 at 03:07:39

Results from scan of ports: 0-1055

3 Ports Open
1050 Ports Closed
3 Ports Stealth
---------------------
1056 Ports Tested

Ports found to be OPEN were: 22, 53, 90


So I've got SSH, DNS and my web server still wide open to the world.


Here are the rest of the pertinent settings:

http://norcaltouge.com/tangled2.jpg


I've tried setting the default policy to BLOCK and only allowing traffic from 192.168.0.0 to get out, with the exact same result.

dmorris
09-16-2008, 09:24 PM
What are you trying to do?
Block all incoming traffic?

Your port forwards aren't active so I can't see how they are working...

What IP are you port scanning?

KpaBap
09-16-2008, 09:32 PM
What are you trying to do?
Block all incoming traffic?

Your port forwards aren't active so I can't see how they are working...

What IP are you port scanning?

I'm trying to block and log all incoming traffic except a few ports that I want to explicitly allow.

I'm scanning my own external IP of course, from an external host as well.

sky-knight
09-17-2008, 12:50 AM
http://forums.untangle.com/showthread.php?t=2480

And if you want your firewall rules to work, you are REQUIRED to specify the client and server interfaces. At least one needs to be configured for the firewall to have a direction of traffic to control.

KpaBap
09-17-2008, 01:07 PM
http://forums.untangle.com/showthread.php?t=2480

And if you want your firewall rules to work, you are REQUIRED to specify the client and server interfaces. At least one needs to be configured for the firewall to have a direction of traffic to control.

I remove all policies, set the default rule to BLOCK, and the ports are still left wide open.

In that particular case, it cuts off internal access to the Internet, but external hosts can still access my web server.

And yes, I've checked, the EXTERNAL/INTERNAL interfaces are the correct ones.

sky-knight
09-17-2008, 03:30 PM
UT by default shows TCP 22 closed, TCP 443 open (management port, you can change this), and that is it...

53 is not open on the outside unless you open it.. and I have no idea what is on 90...

I have 3 of these things in service and only ports that are open are the expected ones. I have run multiple scans myself. There is something with your configuration that has caused this...

Start with the packet filter.

dmorris
09-17-2008, 03:39 PM
I remove all policies, set the default rule to BLOCK, and the ports are still left wide open.

In that particular case, it cuts off internal access to the Internet, but external hosts can still access my web server.

And yes, I've checked, the EXTERNAL/INTERNAL interfaces are the correct ones.

Keep in mind that firewall only filters traffic that is actually going into your network.

Traffic to the external IP with no port forward is simply dropped, and traffic to the external IP's services (port 22, 443) will go directly to those services.

As sky-knight said, I have no idea what's up with 80/90. What port is your web server running on?

KpaBap
09-17-2008, 04:21 PM
OK just to clarify.

22 is open because that's SSH - I don't really care about this port being open as I use SSH tunnelling into the network all the time.

90 is an Apache web server running on the same box as Untangle - I want to close this off, then use a port forward so that traffic hitting the external IP on port 80 will go to Apache on port 90. This also works when I enable the port forwarding rule.

Port 53 - obviously Untangle runs a DNS server, however under no circumstance do I want this to be open to the Internet.

I want all other ports to be stealthed - that is, packets sent to them should be silently dropped.

It sounds to me like the firewall only blocks connections that are destined for the internal LAN. This would make sense in bridge mode but makes no sense with my PPPoE setup.


Sure I'm doing NAT and all the internal hosts are "protected" but leaving the Untangle box itself wide open is not very useful as I'd like to use the server for more than a simple web gateway.



Here's what I've gathered and it still doesn't make any sense to me.

If I go to Packet Filter and enable "Block all local traffic" and then re-run my port scan, then all ports show up as blocked. At that point I cannot "poke a hole" regardless of any port forwards and/or firewall rules that I apply.

So at this point it's looking like an all or nothing proposition without any custom rule configuration that covers the Untangle box itself.

sky-knight
09-17-2008, 04:32 PM
Ok, the firewall module only controls packets bound for an internal interface.. meaning TCP or UDP packets that are picked up on External and delivered to Internal, DMZ, whatever...

To do what you want to do you need to use the packet filter. This GUI interface configures IPTables directly and can control every little detail of what can pass into UT.

Config -> Networking -> Advanced -> Packet Filter

KpaBap
09-17-2008, 05:53 PM
Thanks, I think that will do it. This whole time I thought the firewall rules I was manipulating WERE iptables rules. Unfortunate that I will lose logging though.

I suppose it's back to those lovely iptables config commands at the CLI :)
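An added example, not code from the thread or from Untangle: an iptables policy for traffic addressed to the Untangle box itself (the INPUT chain, which the GUI firewall module does not touch because it only filters forwarded traffic) that does what KpaBap describes: SSH open, DNS only from the LAN, external port 80 redirected to Apache on 90, everything else logged and dropped. The interface name, LAN range and ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): INPUT-chain policy for the Untangle
# host itself. Assumed values: external interface eth0 (ppp0 for PPPoE),
# LAN 192.168.0.0/24, SSH on 22, Apache on 90, DNS on 53 for the LAN only.
EXT_IF="${EXT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
# Dry run by default: print the commands. Set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

host_rules() {
  # Default deny for anything sent to the box. DROP (not REJECT) means an
  # unsolicited probe gets no answer, so the scan reports "stealth".
  $IPT -P INPUT DROP
  # Loopback, plus replies to connections the box itself opened.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # SSH deliberately reachable from anywhere (the poster tunnels in over it).
  $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
  # DNS answered only for LAN sources arriving on a non-external interface,
  # so port 53 never shows open on the Internet side.
  $IPT -A INPUT -s "$LAN_NET" ! -i "$EXT_IF" -p udp --dport 53 -j ACCEPT
  $IPT -A INPUT -s "$LAN_NET" ! -i "$EXT_IF" -p tcp --dport 53 -j ACCEPT
  # External port 80 is rewritten to Apache's port 90 before INPUT runs...
  $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
       -j REDIRECT --to-ports 90
  # ...and INPUT accepts 90 only for connections that were redirected
  # (ctstate DNAT), so a direct probe of port 90 from outside still drops.
  $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 90 \
       -m conntrack --ctstate DNAT -j ACCEPT
  # Log what gets dropped (rate-limited so a port scan cannot flood syslog),
  # then drop silently; this restores the logging the GUI firewall provided.
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
  $IPT -A INPUT -j DROP
}

host_rules
```

The FORWARD chain and Untangle's own NAT rules are left untouched; review the dry-run output before running it with IPT=iptables, and keep in mind that nothing loaded this way covers the boot-time window discussed later in the thread.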

sky-knight
09-17-2008, 07:37 PM
Yeah I assumed much the same.. I don't know what firewall is in use within the module but it most definitely isn't IPTables.

While you're in there you might as well understand another weakness to UT because if you're going to code your own chains you might just fix it for yourself...

You see, IPTables is part of the Kernel, it does all the bridging/routing and of course firewalling on that level. There is a point in time where IPTables is online and traffic is passing but the UT VM isn't loaded yet. During this time all the rules in the world in the Firewall modules simply mean jack. So for some secure environments you really have to watch those boot ups and shut downs.

It is a known issue in the works of resolution. I thought you would want to know about it.