
mudtoe

join:2005-10-09
Cincinnati, OH


Zywall 110 Firewall Rules

Hi folks:

Has anyone had an issue with the Zywall 110 firewall rules? I just set one up and found that a rule to block SMTP traffic from IPSec_VPN to WAN was being tripped for traffic coming from LAN1. I had three rules set up regarding SMTP: one to allow SMTP for certain IP addresses coming from LAN1 and two rules to block the rest, one from LAN1 to WAN and the other from IPSEC_VPN to WAN. I had the IPSEC_VPN to WAN block rule before the one to allow certain IP addresses from LAN1 to use SMTP, but I don't understand why that rule was tripped for a LAN1 IP address. Of course I fixed it by moving the LAN1 allow rule ahead of the IPSEC_VPN block rule, but I consider that a circumvention rather than a fix.

Has anyone experienced issues with the Zywall getting confused about which zone an IP address is in?

P.S. Does anyone know how I can map the ports from SNMP to the ports listed on the Zywall? In the SNMP messages the Zywall is using the unix names (e.g. eth0, eth3, eth_base, etc.) and I can't find a way to convert them to either WAN, LAN1, DMZ, or to the port names on the unit (P1-P7). Some of the usage data is very similar between the various eth ports in the SNMP data, so I'm not 100% certain which one represents WAN1 (or P1), which is the one I want to use. Logically it should be eth0, but eth3 and eth3_base also have very similar data.


gb5102

join:2003-10-07
Saint Paul, MN
kudos:2

Never run into any issues with the firewall that weren't caused by myself!

An IPSEC_VPN-to-WAN rule definitely should not affect any packets traveling from LAN1-to-WAN; that would be a pretty serious bug. I can't think of any reason for this...

What f/w version are you running?
Would it be possible to post a screenshot of your firewall? (or the output of 'show firewall')

As far as SNMP, I would think they would match up (eth0=p1, eth1=p2, ...) but that is definitely just a theory... may want to ask ZyXEL or maybe an expert here will chime in with an answer. Does the below info pulled from my 110 help you?

Router# show interface-name
No. System Name User Defined Name
===========================
1 ge1 wan1
2 ge2 wan2
3 ge3 opt
4 ge4 lan1
5 ge5 lan2
6 ge6 ext-wlan
7 ge7 dmz



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to mudtoe

Probably a good idea to post the fw rules and associated policy routes, maybe something we can see? And the Zones page.


mudtoe

join:2005-10-09
Cincinnati, OH
reply to gb5102

Here are the relevant sections of the config file:

interface lan1
ip address 172.26.254.254 255.255.0.0
ip dhcp-pool LAN1_POOL
type internal
upstream 1048576
downstream 1048576
mtu 1500
description Local LAN
 
object-group address SMTPAllow
description Allowed to Email
address-object SBS2008
address-object VMCOMM
address-object Zywall
address-object Dell2970DRAC
 
zone IPSec_VPN
crypto Default_L2TP_VPN_Connection
crypto MWD_Backup_Site
crypto SRWNET_Naples_MainSubnet
crypto SRWNET_Naples_WirelessSubnet
crypto SRWNET_Subnet2_Naples_Wireless
crypto MWDCincinnati
crypto ParentsHouse
 
 
firewall 3
from IPSec_VPN
to WAN
action deny
description Block SMTP
service SMTP
log
 
firewall 6
from LAN1
action allow
description AllowSMTP
to WAN
sourceip SMTPAllow
service SMTP
 
firewall 7
from LAN1
action reject
description Block SMTP
to WAN
service SMTP
log
 
 
address-object LAN1_SUBNET interface-subnet lan1
address-object LAN2_SUBNET interface-subnet lan2
address-object EXT_WLAN_SUBNET interface-subnet ext-wlan
address-object DMZ_SUBNET interface-subnet dmz
address-object IP6to4-Relay 192.88.99.1
address-object LH_Subnet 172.26.0.0/16
address-object Parents_Subnet 172.24.111.0/24
address-object Naples_Subnet 172.24.222.0/24
address-object NoInternetAccessRange 172.26.159.0-172.26.159.255
address-object Slingbox1 172.26.179.57
address-object VMCOMM 172.26.188.254
address-object SBS2008 172.26.253.253
address-object Zywall 172.26.254.254
address-object ReplayTV 172.26.179.247
address-object Crestron 172.26.179.197
address-object ESXi 172.26.253.154
address-object VCenterServer 172.26.199.212
address-object MWD_BackupSite 172.25.145.128/25
address-object Naples_Subnet_2 172.24.220.0/22
address-object Naples_Subnet_3 172.24.99.0/24
address-object LH_Subnet_2 172.24.26.0/24
address-object MWDOffice 172.25.144.0/24
address-object Dell2970DRAC 172.26.253.54
address-object SSLVPNRange1 172.26.22.1-172.26.22.32
address-object SSLVPNRange2 172.26.22.33-172.26.22.64
!
 


I had to move firewall rule 3 below firewall rule 6 to make it work.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Perhaps if a PC is on LAN1, regardless of communication path (unsecure LAN to WAN, or secure VPN to WAN), since it's the LAN1 zone the FW rules apply??????


mudtoe

join:2005-10-09
Cincinnati, OH

The only problem with that reasoning is that the LAN1 subnet isn't listed in IPSEC_VPN zone definition, unless somehow by default Default_L2TP_VPN_Connection is the LAN1 subnet. I can't find an exact definition of that variable in the config file, so I'm assuming it's derived or implied somehow.

I sent an email to Zyxel support a couple of days ago, describing the problem and including this same portion of the config file, but I haven't heard back yet.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

Can you post all your rules? (a screenshot from GUI would suffice).
What is your default (last) rule set to? Allow or deny?


mudtoe

join:2005-10-09
Cincinnati, OH

I've fixed the problem and made some other changes since this issue surfaced, but I downloaded the config file as of the time of the problem, so I'll have to post the rules from the config file. As I noted earlier I didn't expect rules from one zone to interact in any way with another, so while the order is correct within a zone, the choice of which zone's rules came first was merely a result of how I entered them. Here are all the firewall rules:

firewall 1
 from WAN
 action allow
 description SBS2008 Apps
 to LAN1
 service SBS2008_Apps
!
firewall 2
 from IPSec_VPN
 action deny
 description Block NetBios
 to WAN
 service NetBIOS
!
firewall 3
 from IPSec_VPN
 to WAN
 action deny
 description Block SMTP
 service SMTP
 log
!
firewall 4
 from IPSec_VPN
 to WAN
 action allow
 description Allow All
!
firewall 5
 from LAN1
 action deny
 description Block NETBIOS
 to WAN
 service NetBIOS
!
firewall 6
 from LAN1
 action allow
 description AllowSMTP
 to WAN
 sourceip SMTPAllow
 service SMTP
!
firewall 7
 from LAN1
 action reject
 description Block SMTP
 to WAN
 service SMTP
 log
!
firewall 8
 from LAN1
 to WAN
 action deny
 description Block Range
 sourceip NoInternetAccessRange
 log
!
firewall 9
 from WAN
 to LAN1
 action allow
 description ReplayTV
 destinationip ReplayTV
 service ReplayTV
 log
!
firewall 10
 from WAN
 to LAN1
 action deny
 service Default_Allow_DMZ_To_ZyWALL
 description Block 172_126_159/24
 destinationip NoInternetAccessRange
 log
!
firewall 11
 from WAN
 to LAN1
 service Slingbox
 action allow
 description External Slingbox
 destinationip Slingbox1
!
firewall 12
 from WAN
 to LAN1
 service VMCOMM
 action allow
 destinationip VMCOMM
 log
!
firewall 13
 from WAN
 to LAN1
 action allow
 description Zywall Mgt
 destinationip Zywall
 service ZywallMgt
!
firewall 14
 from WAN
 to LAN1
 action allow
 destinationip Crestron
 service Crestron
 log
!
firewall 15
 from LAN1
 to ZyWALL
 action allow
!
firewall 16
 from LAN2
 action allow
!
firewall 17
 from DMZ
 to WAN
 action allow
!
firewall 18
 from WLAN
 to WAN
 action allow
!
firewall 19
 from IPSec_VPN
 action allow
!
firewall 20
 from SSL_VPN
 action allow
!
firewall 21
 from TUNNEL
 action allow
!
firewall 22
 from LAN1
 to ZyWALL
 action allow
!
firewall 23
 from LAN2
 to ZyWALL
 action allow
!
firewall 24
 from DMZ
 to ZyWALL
 action allow
 service Default_Allow_DMZ_To_ZyWALL
!
firewall 25
 from WLAN
 to ZyWALL
 service Default_Allow_WLAN_To_ZyWALL
 action allow
!
firewall 26
 from WAN
 to ZyWALL
 service WanToZywall
 action allow
!
firewall 27
 from IPSec_VPN
 to ZyWALL
 action allow
!
firewall 28
 from SSL_VPN
 to ZyWALL
 action allow
!
firewall 29
 from TUNNEL
 to ZyWALL
 action allow
!
firewall asymmetrical-route activate
!
firewall default-rule action deny log
!
firewall6 1
 to ZyWALL
 service Default_Allow_v6_any_to_ZyWALL
 action allow
!
firewall6 2
 from LAN1
 action allow
!
firewall6 3
 from LAN2
 action allow
!
firewall6 4
 from DMZ
 to WAN
 action allow
!
firewall6 5
 from WLAN
 to WAN
 action allow
!
firewall6 6
 from IPSec_VPN
 action allow
!
firewall6 7
 from SSL_VPN
 action allow
!
firewall6 8
 from TUNNEL
 action allow
!
firewall6 9
 from LAN1
 to ZyWALL
 action allow
!
firewall6 10
 from LAN2
 to ZyWALL
 action allow
!
firewall6 11
 from DMZ
 to ZyWALL
 service Default_Allow_v6_DMZ_To_ZyWALL
 action allow
!
firewall6 12
 from WLAN
 to ZyWALL
 service Default_Allow_v6_WLAN_To_ZyWALL
 action allow
!
firewall6 13
 from WAN
 to ZyWALL
 service Default_Allow_v6_WAN_To_ZyWALL
 action allow
!
firewall6 14
 from IPSec_VPN
 to ZyWALL
 action allow
!
firewall6 15
 from SSL_VPN
 to ZyWALL
 action allow
!
firewall6 16
 from TUNNEL
 to ZyWALL
 action allow
!
firewall6 default-rule action deny log
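A small first-match model of the SMTP rules posted above, added here as an example (not ZyWALL code), to trace the poster's LAN1 SMTP packet: under strict zone matching rule 3 cannot fire for a LAN1 source, and moving rule 6 ahead of rule 3 changes nothing for a packet that the box has classified as IPSec_VPN, which is why the move is a workaround rather than an explanation. The address values come from the posted config; the test packets are constructed.

```python
"""Toy first-match model of the ZyWALL rules posted above (added example, not
ZyWALL firmware): top-down evaluation, first match wins, zones taken from the
packet's interfaces. Rule text and address objects are a constructed subset."""
RULES_TEXT = """\
firewall 3
 from IPSec_VPN
 to WAN
 action deny
 service SMTP
firewall 6
 from LAN1
 to WAN
 action allow
 sourceip SMTPAllow
 service SMTP
firewall 7
 from LAN1
 to WAN
 action reject
 service SMTP
"""
# object-group address SMTPAllow, resolved via the poster's address-object lines
ADDRESS_OBJECTS = {"SMTPAllow": {"172.26.253.253", "172.26.188.254",
                                 "172.26.254.254", "172.26.253.54"}}

def parse_rules(text):
    """Parse 'firewall N' blocks into dicts keyed by their CLI keywords."""
    rules = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "firewall":
            rules.append({"id": int(value)})
        elif key and rules:
            rules[-1][key] = value
    return rules

def first_match(rules, pkt):
    """(rule id, action) of the first matching rule; no match -> default deny."""
    for r in rules:
        if any(r.get(k, pkt[k]) != pkt[k] for k in ("from", "to", "service")):
            continue  # a rule that omits a keyword matches any value of it
        if "sourceip" in r and pkt["src"] not in ADDRESS_OBJECTS[r["sourceip"]]:
            continue
        return r["id"], r["action"]
    return None, "deny"  # firewall default-rule action deny log
def reorder(rules, rule_id, before_id):
    """Move rule_id directly ahead of before_id (the poster's workaround)."""
    rest = [r for r in rules if r["id"] != rule_id]
    i = next(k for k, r in enumerate(rest) if r["id"] == before_id)
    return rest[:i] + [r for r in rules if r["id"] == rule_id] + rest[i:]
```

A packet dict has keys `from`, `to`, `service` and `src`; pass the rule list from `parse_rules` (or from `reorder`) to `first_match` to see which rule a given source would hit.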
 


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

said by mudtoe:

I've fixed the problem ...

Good to hear

mudtoe

join:2005-10-09
Cincinnati, OH

I guess as I noted above, I should say circumvented. I moved rule 6 before rule 3 and it works, but rule 3 shouldn't be going off IMHO for traffic that originates in LAN1.


gb5102

join:2003-10-07
Saint Paul, MN
kudos:2

yeah that makes absolutely no sense... kinda scary IMO... at least it's erring on the safe side I guess

In your above config, your lan1 interface is not listed under 'zone IPSec_VPN', so SMTP traffic from lan1 interface definitely should not be affected by any firewall rule covering IPSec_VPN zone to WAN zone...

I've been testing every which way on a 110 with fw 3.10(AAA.2) but I can't seem to reproduce this behavior. If I set any kind of block rule for traffic from IPSec_VPN zone to WAN zone for example, it's not affecting traffic coming from interfaces which are assigned to any other zone. (Also verified traffic is blocked that should be blocked...)

Out of curiosity, what FW version are you running? And hopefully not too stupid of a question, but have you checked if a reboot will 'un-confuse' your 110?


mudtoe

join:2005-10-09
Cincinnati, OH

I'm wondering if it's because I have asymmetrical routes enabled. I have multiple subnets in one of my VPNs and a VM in the VPN subnet isn't good about returning packets to the same interface they came in on, so I've had to enable that until I can fix it. Off hand I'm not sure why that would be the case, as it should only affect packets in the same zone (i.e. in previous Zywalls it warned you that enabling asymmetrical routes would disable all firewall checks for packets that stayed in the same zone), but that could be the difference. I haven't had a chance to set up a test where I turn that off temporarily and then put the rules back the way they were to see if anything is different.


mudtoe

join:2005-10-09
Cincinnati, OH

I've found something else out that's interesting and potentially bad if you aren't careful about the firewall rules. You need to be careful what browser you are using when moving firewall rules from one priority to another. I was using Chrome and had the Z 110 page opened under its IE add-on, expecting to use the IE browser engine. When I tried moving a rule from one priority to another it was picking an adjacent rule to the one I had selected to move. At first I couldn't figure out what was happening, but after some more tries I saw the pattern. When I opened the page under the real IE, this problem didn't happen.

The moral of the story is that if you are moving rules under a browser other than native IE, even if you are using an IE plugin under Firefox (don't do it with the Chrome IE plugin because I know that doesn't work), you had best look very carefully to make sure that it did what you thought it was going to do. It would have been much better if they had simply allowed you to type in the start and end location like you do in the console command, because that way the web page script wouldn't have to figure out what rule number was selected and turn it into an integer. I've also found that if you try this from a filtered rule list (i.e. anything other than showing all rules), it often doesn't work, I'm assuming because the web page script only sees the filtered rules and therefore can't properly calculate the actual rule number you selected.