  1. #1
    lug

    GPL RPC portmap mountd request UDP false positive

    Hi,

    I installed the Intrusion Prevention App, but for some reason it blocks my PC trying to connect to my NAS.

    My PC has the IP 192.168.100.15
    My NAS has the IP 192.168.100.3

    And for some reason the app blocks my PC trying to connect to my NAS, and the way it detects it is quite strange:



    So Windows Explorer is loading for ~1 minute, and after some time it can mount every network share, but they are all of my NAS, with the .3 IP. I don't know why it says destination IP 192.168.100.1 (which is my Untangle box) and why this rule even activates, because if I look into the rule, it says
    Code:
    alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP";content:"|00 01 86 A0|";depth:4;offset:12;content:"|00 00 00 03|";within:4;distance:4;byte_jump:4,4,relative,align;byte_jump:4,4,relative,align;content:"|00 01 86 A5|";within:4;content:"|00 00 00 00|";depth:4;offset:4;reference:arachnids,13;classtype:rpc-portmap-decode;sid:2100579;rev:9;metadata:created_at 2010_09_23, updated_at 2010_09_23;;gid:1)
    So as far as I understand, this rule should only apply to access from the external network, like public IPs which try to connect to my Untangle on port 111, if it were exposed to the internet.

    So why in the world does this rule block my PC trying to connect to my NAS, which are both connected to an internal interface?
    The PC is connected to Internal Interface A, NAS is connected to Internal Interface B, which is bridged from A.

    much thanks in advance
    lug
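
Added example, not part of the original thread: a Python sketch of the payload checks in the quoted rule (sid 2100579), run against constructed portmapper GETPORT messages. The function names and sample packets are assumptions made for illustration; the rule header (UDP, destination port 111, $EXTERNAL_NET to $HOME_NET) is evaluated by the IPS engine and is not modelled here.

```python
import struct

PMAP_PROG, MOUNT_PROG, NFS_PROG = 100000, 100005, 100003  # 0x186A0, 0x186A5, 0x186A3
GETPORT, CALL, REPLY = 3, 0, 1

def u32(buf, off):
    """Read a big-endian 32-bit word, refusing to read past the payload."""
    if off + 4 > len(buf):
        raise ValueError("truncated payload")
    return struct.unpack_from(">I", buf, off)[0]

def align4(n):
    return (n + 3) & ~3  # XDR pads opaque data to a 4-byte boundary

def matches_rule_payload(payload):
    """True if the UDP payload satisfies every content/byte_jump option of the rule."""
    try:
        if u32(payload, 12) != PMAP_PROG:   # content |00 01 86 A0|; offset:12; depth:4
            return False
        if u32(payload, 20) != GETPORT:     # content |00 00 00 03|; distance:4; within:4
            return False
        cursor = 24                         # end of the procedure field
        for _ in range(2):                  # two byte_jump:4,4,relative,align
            cursor += 8 + align4(u32(payload, cursor + 4))  # skip flavor, length, body
        if u32(payload, cursor) != MOUNT_PROG:  # content |00 01 86 A5|; within:4
            return False
        return u32(payload, 4) == CALL      # content |00 00 00 00|; offset:4; depth:4
    except ValueError:
        return False

def build_getport(target_prog, cred_body=b"", msg_type=CALL):
    """Constructed sample: RPC v2 message to portmapper v2 asking for target_prog's port."""
    header = struct.pack(">6I", 0x1234, msg_type, 2, PMAP_PROG, 2, GETPORT)
    pad = b"\x00" * (align4(len(cred_body)) - len(cred_body))
    cred = struct.pack(">2I", 1 if cred_body else 0, len(cred_body)) + cred_body + pad
    verf = struct.pack(">2I", 0, 0)         # AUTH_NONE verifier, zero length
    args = struct.pack(">4I", target_prog, 3, 17, 0)  # prog, vers, proto UDP, port
    return header + cred + verf + args

if __name__ == "__main__":
    for name, pkt in [("mountd lookup", build_getport(MOUNT_PROG)),
                      ("mountd lookup, 5-byte credential", build_getport(MOUNT_PROG, b"host1")),
                      ("nfs lookup", build_getport(NFS_PROG))]:
        print(f"{name}: {'match' if matches_rule_payload(pkt) else 'no match'}")
```

These options look only at RPC fields in the payload: a portmapper (program 100000) GETPORT call whose first argument is the mountd program number (100005).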

  2. #2
    sky-knight

    There is no "external", Untangle processes traffic that passes through it. So if that NAS is on one port, and your desktop is on another, it's going to be filtered.

    You don't want it filtered? That's why we have bypass rules.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    lug

    Okay, but if I just bypass that, the intrusion prevention wouldn't work the way it's supposed to, or am I thinking about that wrong?
    I mean I want to allow portmap with my NAS as destination, because it has to use port 111 for smb shares..

  4. #4
    sky-knight

    Intrusion Prevention is for external threats targeting internal servers, all of Untangle's defenses are basically for this purpose. Running them to protect an internal device from internal threats is going to be annoying, and problematic. Use policy manager to direct LAN traffic into a dedicated rack with nothing but the firewall in it, use that to limit access to specific devices.

    To put it another way, Untangle is designed to be at the edge of your network, you've put it in your core... there be dragons here.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
