Page 1 of 3
  1. #1
    Untangler adoucette
    Join Date
    Nov 2018
    Posts
    35

    Unable to block ICMP from WAN

    Hi,
    I'm seeing a good amount of ICMP traffic from outside networks to internal machines (intrusion detection app).
    However, I have not been able to block it.
    1) I have set up a filter rule to block ICMP from any network that is not our internal network.
    2) I have disabled the Allow PING option in Access Rules.
    3) Send ICMP Redirects is still enabled.
    I've attached screenshots of the above in case they are helpful. What am I missing?
    TIA,
    Ari

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,541


    I would love to know what you did to enable that... because thanks to NAT alone public addresses cannot ping private ones.

    My first guess is you've got a very poorly configured port forward rule.

    That's why your block rule isn't working by the way, the actual target is one of your public addresses.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Sam Graf
    Join Date
    Feb 2016
    Posts
    1,134


    On the Intrusion Prevention app Status tab, what setting do you have for "When to scan"?

    As for blocking, my habit is to use the Intrusion Prevention app itself to block anything objectionable I find in the Intrusion Prevention app reports. There isn't necessarily one approach to doing that, but currently it's always done using the Intrusion Prevention app's Signature tab and that tab's "Create Rule" feature.

    Let's step through one possible approach to creating a rule within the Intrusion Prevention app itself. Let's note the Sid in the report—the Signature Identifier: 2100402. Then let's go back to the app and the Signatures tab. Let's create a filter: Signature Identifier = 2100402. That allows us to take a closer look at the signature that's generating the item in the report.

    The first thing that I'll need to know to craft a rule is the Recommended Action. In this particular case, the recommended action for a rule based on signature 2100402 is disable. Since I want to block the traffic, in this case I can't use the "Enable Block if Recommended is Enabled"—since recommended is disable. So I create my rule using the "Enable Block."

    Hopefully that's useful for future reference because I'm going to go down a different road in this specific case. I suspect your Filter Rule isn't working because on your system "When to scan" is set to "Before other Network Processing." If that's the case, then the traffic is probably already being dropped by NGFW. So, I would still create an Intrusion Prevention rule but the action I would select for my rule would be "Disable," the recommended action, so I wouldn't see it in the reports anymore.

    That all seems really complicated. Feel free to ask questions.
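The Signatures-tab workflow in the post above (filter by Signature Identifier, then choose Block, Log or Disable) can be expressed over Snort/Suricata-style rule text. The following is an added example, not code from the thread or from Untangle: the signature lines are constructed for illustration and use local-range sids, they are not the real text of sid 2100402 or of any published ruleset, and the mapping of the three GUI choices onto rule actions (`block` -> `drop`, `log` -> `alert`, `disable` -> comment out) is an assumption. Untangle's "Recommended Action" metadata is not part of rule text and is not modeled here.

```python
"""Added example (not from the thread, not Untangle's code): filter a
Snort/Suricata-style ruleset by sid and apply a Block/Log/Disable choice.
The ruleset below is constructed for illustration only."""
import re
from typing import Dict, List, Optional

# Constructed sample ruleset: three local-range sids, one already disabled.
RULESET = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ICMP probe"; itype:8; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute"; flow:to_server; sid:1000002; rev:2;)
drop udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SAMPLE SSDP"; sid:1000003; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|log)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(?P<sid>\d+)\s*;")

# Assumed mapping of the Signatures-tab choices onto rule text.
ACTIONS = {"block": "drop", "log": "alert", "disable": None}


def parse_signature(line: str) -> Optional[Dict]:
    """Return action/sid/enabled for one rule line, or None for non-rule lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    s = SID_RE.search(m.group("rest"))
    if not s:
        return None
    return {"enabled": m.group("disabled") is None,
            "action": m.group("action"),
            "sid": int(s.group("sid")),
            "rest": m.group("rest")}


def find_by_sid(ruleset: str, sid: int) -> Optional[Dict]:
    """The 'Signature Identifier = <sid>' filter from the post."""
    for line in ruleset.splitlines():
        sig = parse_signature(line)
        if sig and sig["sid"] == sid:
            return sig
    return None


def action_of(ruleset: str, sid: int) -> Optional[str]:
    """Current action keyword for a sid, 'disabled' if commented out, None if absent."""
    sig = find_by_sid(ruleset, sid)
    if sig is None:
        return None
    return sig["action"] if sig["enabled"] else "disabled"


def apply_action(ruleset: str, sid: int, choice: str) -> str:
    """Rewrite one rule: 'block' -> drop, 'log' -> alert, 'disable' -> comment out."""
    if choice not in ACTIONS:
        raise ValueError(f"unknown action {choice!r}")
    out: List[str] = []
    for line in ruleset.splitlines():
        sig = parse_signature(line)
        if sig and sig["sid"] == sid:
            new_action = ACTIONS[choice]
            if new_action is None:
                line = "# " + sig["action"] + " " + sig["rest"]   # disable
            else:
                line = new_action + " " + sig["rest"]             # block / log
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(action_of(RULESET, 1000001))                             # alert
    print(action_of(apply_action(RULESET, 1000001, "block"), 1000001))    # drop
    print(action_of(apply_action(RULESET, 1000001, "disable"), 1000001))  # disabled
```

Filtering a sid that is not in the loaded ruleset returns `None` rather than silently creating a rule, which is the check to make before assuming a Block choice has taken effect.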

  4. #4
    Untangler adoucette
    Join Date
    Nov 2018
    Posts
    35


    Quote Originally Posted by sky-knight View Post
    I would love to know what you did to enable that... because thanks to NAT alone public addresses cannot ping private ones...My first guess is you've got a very poorly configured port forward rule...That's why your block rule isn't working by the way, the actual target is one of your public addresses.
    Interesting. The ICMP pings are going to:
    Home Theater PC (on wired lan)
    Our two wifi hotspots (unifi brand)
    A number of android phones (on the wifi)

    I've only set two port forward rules: one to allow WOL to our home theater PC and one to allow media streaming from our home theater PC. Both of those are (supposed to be) restricted to only the CIDR ranges for our cellphone carrier (so we can stream media from home to our cellphones).
    UPnP is enabled to allow the kids to play Xbox.
    I'll attach screenshots below.

    I would also be curious to know why this isn't being blocked already...and to correct it.
    Last edited by adoucette; 11-16-2020 at 07:39 AM.

  5. #5
    Untangler adoucette
    Join Date
    Nov 2018
    Posts
    35


    Quote Originally Posted by Sam Graf View Post
    On the Intrusion Prevention app Status tab, what setting do you have for "When to scan"?
    It was set to "After other network processing"

    Quote Originally Posted by Sam Graf View Post
    Let's create a filter: Signature Identifier = 2100402...I create my rule using the "Enable Block."
    ...
    That all seems really complicated. Feel free to ask questions.
    Your steps made it straightforward, thanks. I have created an IPS filter rule to block traffic matching that Signature Identifier. We'll see how it goes.

    Thanks.

  6. #6
    Untangle Ninja Sam Graf
    Join Date
    Feb 2016
    Posts
    1,134


    Quote Originally Posted by adoucette View Post
    It was set to "After other network processing"
    Well, that's not traffic I normally see so I guessed—wrong.

  7. #7
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    What do you use UPnP for?

    FullDisclosure: I do not trust China. I don't care if that bias is unacceptable. These are my opinions, and I don't represent any other entity.

    If this were my domain, I would not do what you are doing. I would treat that HTC server as a Trojan Horse right out of the box.
    That external IP address is in China. The ICMP traffic is probably the tip of the iceberg. Take a look at the sessions with that external IP address as a filter.

    Back to your NGFW configuration: your port forward rules don't need the 192.168.10.0/24 part. Nothing inside of your network is going to send packets w/ those ports to NGFW. That part also won't block anything.
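Two points in this thread come down to rule-matching order: the first reply's observation that a packet arriving on the WAN has a public address as its target, so a block rule written against a private destination has nothing to match until something rewrites the destination, and the point just above that a 192.168.10.0/24 source clause on a port forward can never match WAN-originated traffic. The following is an added example, not code from the thread or from Untangle, modelling first-match evaluation with Python's `ipaddress` module. Only 192.168.10.0/24 is from the thread; the WAN address 198.51.100.9, the probe source 203.0.113.7, the carrier range 100.64.0.0/10, the forward target 192.168.10.20 and port 8096 are assumed, and the rule fields are a simplified model rather than Untangle's rule schema.

```python
"""Added example (not from the thread, not Untangle's code): a small
first-match rule model used to show (1) why a block rule against a LAN
destination misses WAN-originated ICMP before DNAT and (2) why a LAN
source clause on a port forward never matches WAN traffic.
Assumed values are marked below; only 192.168.10.0/24 is from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "192.168.10.0/24"      # named in the thread
WAN_IP = "198.51.100.9"      # assumed public address of the NGFW
CARRIER = "100.64.0.0/10"    # assumed cellphone-carrier range
HTPC = "192.168.10.20"       # assumed forward target on the wired LAN
STREAM_PORT = 8096           # assumed media-streaming port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "block" or "pass"
    proto: Optional[str] = None
    src_in: tuple = ()         # source must be inside any of these CIDRs
    src_not_in: tuple = ()     # source must be outside all of these CIDRs
    dst_in: tuple = ()         # destination must be inside any of these CIDRs
    dport: Optional[int] = None


def in_any(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every populated field must agree; empty fields are wildcards."""
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_in and not in_any(pkt.src, rule.src_in):
        return False
    if rule.src_not_in and in_any(pkt.src, rule.src_not_in):
        return False
    if rule.dst_in and not in_any(pkt.dst, rule.dst_in):
        return False
    return True


def first_match(rules, pkt: Packet) -> Optional[str]:
    """Name of the first rule that matches, or None (first-match semantics)."""
    for r in rules:
        if matches(r, pkt):
            return r.name
    return None


# The block rule as the first reply reads it: non-LAN source to a LAN target.
BLOCK_WAN_ICMP = Rule("block-wan-icmp", "block", proto="icmp",
                      src_not_in=(LAN,), dst_in=(LAN,))
# A forward carrying the LAN source clause post #7 says is useless ...
FWD_WITH_LAN_SRC = Rule("fwd-lan-src", "pass", proto="tcp", dport=STREAM_PORT,
                        src_in=(LAN,), dst_in=(WAN_IP + "/32",))
# ... and the same forward restricted to the carrier range instead.
FWD_CARRIER_ONLY = Rule("fwd-carrier", "pass", proto="tcp", dport=STREAM_PORT,
                        src_in=(CARRIER,), dst_in=(WAN_IP + "/32",))


def wan_icmp_before_dnat() -> Optional[str]:
    """On the WAN the public address is the target, so dst_in=LAN cannot match."""
    return first_match([BLOCK_WAN_ICMP], Packet("203.0.113.7", WAN_IP, "icmp"))


def wan_icmp_after_dnat() -> Optional[str]:
    """Only after something rewrites the destination to a LAN host does it fire."""
    return first_match([BLOCK_WAN_ICMP], Packet("203.0.113.7", HTPC, "icmp"))


def forward_decisions(src: str) -> dict:
    """Evaluate both forward variants for a WAN-originated stream request."""
    pkt = Packet(src, WAN_IP, "tcp", STREAM_PORT)
    return {"lan-src-clause": first_match([FWD_WITH_LAN_SRC], pkt),
            "carrier-only": first_match([FWD_CARRIER_ONLY], pkt)}


if __name__ == "__main__":
    print("ICMP before DNAT:", wan_icmp_before_dnat())   # None
    print("ICMP after DNAT: ", wan_icmp_after_dnat())    # block-wan-icmp
    print("from carrier:    ", forward_decisions("100.64.5.5"))
    print("from elsewhere:  ", forward_decisions("203.0.113.7"))
```

The practical check this suggests: when a block rule for WAN traffic is not firing, match on what the rule actually sees at its stage (the public WAN address, not the forwarded-to LAN host), and verify that any source restriction on a forward is one that Internet-originated traffic can satisfy at all.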

  8. #8
    Untangle Ninja Sam Graf
    Join Date
    Feb 2016
    Posts
    1,134


    Quote Originally Posted by Jim.Alles View Post
    The ICMP traffic is probably the tip of the iceberg.
    Probably, but this is a subject unto itself. My situation is entirely different, yet observe:

    Network-Top_Server_Countries-16.11.2020-1338-2.png

    You can see what I excluded from the chart to focus on the issue. I think I know where the traffic to China is coming from (apps, not hardware, associated with a well known and widely used American !=google company), and it's entirely possible that many of us have this traffic.

    Just saying that the iceberg is ginormous.

  9. #9
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    Quote Originally Posted by Sam Graf View Post
    Just saying that the iceberg is ginormous.
    There is no doubt all of us have legitimate traffic to Ireland, and many other countries.
    A thread starter:
    https://forums.untangle.com/off-topic/43908-foreign-countries-traffic.html#post247601
    Last edited by Jim.Alles; 11-16-2020 at 12:48 PM.

  10. #10
    Untangle Ninja Sam Graf
    Join Date
    Feb 2016
    Posts
    1,134


    No doubt.
