  1. #1
    Newbie
    Join Date: Jun 2019
    Posts: 2

    Blocking Access To Admin Interface - A solution

    This is more of a solution, but may help someone. I'm always happy to help the community.

    I have found a previous thread asking this exact question, and found the answer was correct and works, but a bit cryptic. The previous thread is closed, so I thought I would post how I solved the problem and try to explain it better for people who may be n00bs like I am. Hopefully it will help someone else in the future.

    My use case:
    I have a fairly standard setup at home: 2 main subnets with Untangle sitting between my "crap zone" and my "internal network".
    (internet) --> (VDSL modem) --> "192.168.2.x crap zone network" --> (untangle) --> "192.168.22.x internal network".
    I have a "guest wireless network" in the crap zone, and my normal wireless access point is behind Untangle.
    Since I work in security and malware research is a hobby (yeah.. I'm a real nerd), I wanted a 3rd subnet where I could plug in machines that may have some very questionable software on them and be more assured that Untangle's attack surface is reduced.
    So... as mentioned in the previous thread, "dmorris" indicated the use of the "Access Rules". I have fleshed out a bit how to do it below.

    How I did it:
    1 - Using a USB/ethernet adapter, created a 3rd subnet "172.16.60.x"
    2 - Under "Config --> Advanced --> Access Rules" added 2 new rules to block the following:
    - A: Destination Port=443,80,53,179,5000 Source Address=172.16.60.0/24 Protocol=TCP
    - B: Destination Port=161,500,1900,5351 Source Address=172.16.60.0/24 Protocol=UDP

    3 - Rule A stops things I found with nmap on TCP. Rule B stops things I found with nmap on UDP
    4 - Push these rules to the TOP of the list. Be careful like dmorris says.
    5 - Under "Apps --> Firewall --> Rules" added 2 new rules to block the following:
    - A: Source Address=172.16.60.0/24 Destination Address=192.168.0.0/16
    - B: Destination Address=172.16.60.0/24

    6 - Rule A stops nasty things on the 172.16.60.x network getting to my normal devices on 192.168.z.x. Rule B stops anything on my normal network accidentally connecting to the 172 stuff (even though NATs should stop that anyway).

    How I tested:
    1 - Cranked up a copy of Kali on the 172.16.60.x network
    2 - nmap 172.16.60.1 -Pn -p- -sU --top-ports 1500 --reason
    3 - nmap 172.16.60.1 --top-ports 1500 -sV --reason
    4 - No ports showing open... Winner.
    5 - DHCP still works. DNS lookups still work.

    Things to note:
    1. DNS is port 53... but it does not need a TCP connection to Untangle to function, so your DNS lookups will still work.
    2. This will block access to the captive portals... so if you need that functionality you're out of luck.
    3. I only blocked what a quick nmap scan showed, and as such greatly reduced the attack surface.
    Disclaimer: I will admit I have been using Untangle for exactly 14 days... My trial ran out and I was impressed so I have just paid for it. So... feel free to chime in if you think I have anything wrong here, or missed something and I will correct it. I hope someone else will find this useful.
    For the admins: If you're trying to find out who I am... I had to use a different email address on the forums than my main signup email because my ISP was marking confirmation emails as spam.
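The following is an added example, not code from the post above or from Untangle: a small first-match model of the two rule lists the post describes (Access Rules for traffic addressed to Untangle itself, Firewall app rules for traffic passing through it), run over constructed sample packets to check what gets blocked. It assumes that 172.16.60.1 is the only gateway address (the post scans that address; the other interface addresses are not given), that unmatched traffic is passed (so the added rules are what does the blocking, matching the post's observation that DHCP and DNS still work), and that the sample host addresses are made up. Rule and packet matching is deliberately simplified; it is not Untangle's engine.

```python
"""First-match model of the Access Rules and Firewall rules from the post.

Illustrative only: not Untangle's rule engine. Gateway address, default
action and sample hosts are assumptions labelled below.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "block" or "pass"
    proto: Optional[str] = None           # None matches any protocol
    src: Optional[str] = None             # CIDR; None matches any source
    dst: Optional[str] = None             # CIDR; None matches any destination
    dports: FrozenSet[int] = frozenset()  # empty set matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


QUARANTINE = "172.16.60.0/24"   # the 3rd subnet from the post
HOME = "192.168.0.0/16"         # covers both 192.168.2.x and 192.168.22.x

# Access Rules (post, steps 2-4): traffic addressed to Untangle itself.
ACCESS_RULES: List[Rule] = [
    Rule("A: block TCP services", "block", "tcp", QUARANTINE, None,
         frozenset({443, 80, 53, 179, 5000})),
    Rule("B: block UDP services", "block", "udp", QUARANTINE, None,
         frozenset({161, 500, 1900, 5351})),
]

# Firewall app rules (post, steps 5-6): traffic passing through Untangle.
FIREWALL_RULES: List[Rule] = [
    Rule("A: quarantine -> home", "block", None, QUARANTINE, HOME),
    Rule("B: anything -> quarantine", "block", None, None, QUARANTINE),
]

# Assumption: the only gateway address is the one the post scanned.
GATEWAY_ADDRS = {"172.16.60.1"}


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, str]:
    """Ordered list, first matching rule wins; unmatched traffic gets `default`
    (assumed "pass" here)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def decide(pkt: Packet) -> Tuple[str, str]:
    """Pick the rule list the way the two Untangle features split traffic:
    packets to the box itself hit Access Rules, everything else the Firewall app."""
    rules = ACCESS_RULES if pkt.dst in GATEWAY_ADDRS else FIREWALL_RULES
    return evaluate(rules, pkt)


def ordering_matters() -> Tuple[str, str]:
    """Why the post says to push the block rules to the TOP: a permissive rule
    above them (a constructed stand-in for an existing allow rule) wins first."""
    probe = Packet("tcp", "172.16.60.50", "172.16.60.1", 443)
    allow_https = Rule("constructed: allow HTTPS from anywhere", "pass", "tcp",
                       None, None, frozenset({443}))
    below = evaluate([allow_https] + ACCESS_RULES, probe)[0]  # block rule below the allow
    above = evaluate(ACCESS_RULES + [allow_https], probe)[0]  # block rule on top
    return below, above


# Constructed sample traffic: 172.16.60.50 is a quarantined host,
# 192.168.22.10 a home host, 203.0.113.10 an internet host (TEST-NET-3).
SAMPLES = [
    ("quarantine -> admin HTTPS on gateway", Packet("tcp", "172.16.60.50", "172.16.60.1", 443)),
    ("quarantine -> DNS over UDP on gateway", Packet("udp", "172.16.60.50", "172.16.60.1", 53)),
    ("quarantine -> DNS over TCP on gateway", Packet("tcp", "172.16.60.50", "172.16.60.1", 53)),
    ("quarantine -> DHCP renew on gateway", Packet("udp", "172.16.60.50", "172.16.60.1", 67)),
    ("quarantine -> SMB on a home host", Packet("tcp", "172.16.60.50", "192.168.22.10", 445)),
    ("home host -> SSH on a quarantined host", Packet("tcp", "192.168.22.10", "172.16.60.50", 22)),
    ("quarantine -> HTTPS on the internet", Packet("tcp", "172.16.60.50", "203.0.113.10", 443)),
]


def report() -> List[Tuple[str, str, str]]:
    """Decision for every sample: (description, action, rule that decided)."""
    return [(desc, *decide(pkt)) for desc, pkt in SAMPLES]


if __name__ == "__main__":
    for desc, action, rule in report():
        print(f"{action:5}  {desc:42}  [{rule}]")
    print("block rule below an allow / on top:", ordering_matters())
```

The model reproduces the post's two observations: UDP 53 and UDP 67 to the gateway pass while TCP 53 to it is blocked (the "DNS over TCP" caveat in the notes), and quarantine-to-home traffic is blocked in both directions while quarantine-to-internet is still passed. `ordering_matters()` shows the point behind step 4: with an allow rule listed above the block rule the probe passes, with the block rule on top it is blocked.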

  2. #2
    Untangler jcoffin
    Join Date: Aug 2008
    Location: Sunnyvale, CA
    Posts: 7,941


    This will also disable block pages from showing.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
