
Resolved
0 votes
Hi, I am evaluating ClearOS in a Multi-WAN config.

ClearOS iso: ClearOS-DVD-x86_64.iso
SHA256: b14201b3f62c875bef3e34062c6a3595dd9e8c57099902f9e92efbce728d609a
SHA1: 0d565c57e1343333945598921ecdc322181b22b3
MD5: eca0c2b745fe3ceef93e0278be681fb7

When at least one link is online there are firewall rules visible when I run iptables-save on the firewall.

But the ClearOS firewall rules appear to be cleared whenever both WAN links go off-line. This results in an insecure OPEN/ACCEPT state.

External attackers can ping and connect to my internal hosts if they know the internal IPs.

I have tested it in this configuration:

Internal Client->eth0-ClearOS

ClearOS-eth1->WAN1->WAN4->Internet
ClearOS-eth2->WAN2->WAN3->Internet

ip forwarding enabled on WAN1 and WAN2
ip forwarding disabled on WAN4 and WAN3 to force both links offline

From WAN4 I can ping and make connections to the Internal Client.

This is an insecure behavior for a firewall.

Example output of iptables-save when both WAN links go offline:

# Generated by iptables-save v1.4.21 on Wed Oct 4 13:26:49 2017
*nat
:PREROUTING ACCEPT [40636:5341715]
:INPUT ACCEPT [3718:407234]
:OUTPUT ACCEPT [3985:280750]
:POSTROUTING ACCEPT [4786:335856]
COMMIT
# Completed on Wed Oct 4 13:26:49 2017
# Generated by iptables-save v1.4.21 on Wed Oct 4 13:26:49 2017
*mangle
:PREROUTING ACCEPT [88050:9410893]
:INPUT ACCEPT [21621:2582293]
:FORWARD ACCEPT [30312:1949225]
:OUTPUT ACCEPT [10330:2402776]
:POSTROUTING ACCEPT [40648:4354069]
COMMIT
# Completed on Wed Oct 4 13:26:49 2017
# Generated by iptables-save v1.4.21 on Wed Oct 4 13:26:49 2017
*filter
:INPUT ACCEPT [21621:2582293]
:FORWARD ACCEPT [30312:1949225]
:OUTPUT ACCEPT [10330:2402776]
COMMIT
# Completed on Wed Oct 4 13:26:49 2017
Wednesday, October 04 2017, 05:48 AM
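An added check, not part of this thread and not ClearOS code, that a defender can run from cron or a monitoring agent to catch the state the post describes: a `*filter` table whose INPUT and FORWARD policies are ACCEPT and which contains no rules at all. The two sample rulesets are constructed (the first is modelled on the iptables-save output quoted above), the function names are my own, `eth0` as the LAN interface is taken from the post's diagram, and the fail-closed ruleset is a generic example of what to fall back to, not what ClearOS itself installs. The detection is a heuristic: it assumes a healthy ClearOS firewall always carries at least one rule in the filter table.

```shell
#!/bin/sh
# Added example, not from this thread or from ClearOS: detect the fail-open
# state (filter table with ACCEPT policies and no rules) and produce a
# minimal fail-closed ruleset for iptables-restore.

# Constructed sample modelled on the iptables-save output in the post.
SAMPLE_FAIL_OPEN='# Generated by iptables-save v1.4.21
*filter
:INPUT ACCEPT [21621:2582293]
:FORWARD ACCEPT [30312:1949225]
:OUTPUT ACCEPT [10330:2402776]
COMMIT'

# Constructed sample of a healthy ruleset: DROP policies plus rules.
SAMPLE_OK='# Generated by iptables-save v1.4.21
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# filter_state TEXT
# Prints "open" when the *filter table has ACCEPT policies on both INPUT
# and FORWARD and contains no -A rules at all; prints "ok" otherwise.
filter_state() {
    table=""; in_accept=0; fwd_accept=0; rules=0
    while IFS= read -r line; do
        case "$line" in
            \**) table=${line#\*} ;;            # "*filter" -> "filter"
            ":INPUT ACCEPT"*)   if [ "$table" = filter ]; then in_accept=1; fi ;;
            ":FORWARD ACCEPT"*) if [ "$table" = filter ]; then fwd_accept=1; fi ;;
            "-A "*)             if [ "$table" = filter ]; then rules=$((rules + 1)); fi ;;
        esac
    done <<EOF
$1
EOF
    if [ "$in_accept" = 1 ] && [ "$fwd_accept" = 1 ] && [ "$rules" = 0 ]; then
        echo open
    else
        echo ok
    fi
}

# fail_closed_rules LAN_IF
# Emits an iptables-restore ruleset that keeps the LAN usable and drops
# everything unsolicited arriving on any other interface. Generic example
# (assumed layout), not the ruleset ClearOS itself installs.
fail_closed_rules() {
    lan=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Stand-alone run against the live kernel (needs root and iptables-save).
# Only reports; applying the ruleset is left to the operator.
if [ "$(id -u)" = 0 ] && command -v iptables-save >/dev/null 2>&1; then
    if [ "$(filter_state "$(iptables-save)")" = open ]; then
        echo "WARNING: filter table is empty with ACCEPT policies (fail-open)" >&2
        echo "Suggested fail-closed ruleset (apply with iptables-restore):" >&2
        fail_closed_rules eth0 >&2
    fi
fi
```

On the two constructed samples `filter_state` returns `open` and `ok` respectively. Because ClearOS restarts its firewall on its own (as the later reply notes), a script that pushes the fallback ruleset would fight with it; treating the check as an alert, and fixing the state in ClearOS's own firewall configuration, is the safer use.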
Responses (4)
  • Accepted Answer

    Wednesday, October 04 2017, 07:37 PM - #Permalink
    Resolved
    -1 votes
    The ClearOS firewall operation is probably very different from what you may imagine, and when I last looked, it restarts quite frequently on its own. It will restart every time the WAN IP changes; if you change a firewall rule, I think it restarts (especially if you delete one); network changes force a restart; it restarted 9 times during the upgrade to 7.4 beta; it restarts if you edit /etc/clearos/firewall.d/local and so on. I would have thought it would be very difficult to change the behaviour because of the way it is integrated into so many functions. Also, for what it is worth, it does not use the iptables-save command!
  • Accepted Answer

    Wednesday, October 04 2017, 09:38 AM - #Permalink
    Resolved
    0 votes
    A WAN link/gateway can appear offline to ClearOS while the WAN devices are still online.

    As already mentioned, WAN3 and WAN4 stop ClearOS's WAN status checks from succeeding, but WAN3 and WAN4 remain up.

    I suspect there's no need to completely turn off packet forwarding to prevent the WAN status checks from succeeding; you just have to block the status check traffic while letting other traffic through.

    The main questions are:
    1) Why are my ClearOS firewall rules being cleared in such a scenario? The rules are restored whenever ClearOS thinks at least one link is up. So why even clear them?

    2) How do I prevent ClearOS from clearing the firewall rules in such scenarios while allowing ClearOS to function well enough as a Multi-WAN firewall and load balancer?
  • Accepted Answer

    Wednesday, October 04 2017, 08:25 AM - #Permalink
    Resolved
    -1 votes
    You have to be clear here about which 'Offline' is being referenced...

    Multi-WAN has both Network Status and Multi-WAN Status

    An external multi-WAN interface can be Network Status 'Online' but Multi-WAN status 'Offline' - in that situation it still responds to pings! Just tried it...
  • Accepted Answer

    Wednesday, October 04 2017, 07:03 AM - #Permalink
    Resolved
    -1 votes
    I am confused here. If all your WANs are offline, how is accepting all traffic insecure? The WANs at that point are, by definition, safe.