Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
I was playing with crowdsec, and noticed that things that were alerted as being "bounced" were still hitting internal services, causing them to still alert, even when there was a firewall rule in place. I have verified the traffic is still getting to the internal service by looking at the logs on the internal service, and by logging "rdr" rules in the firewall.
I've taken the troubleshooting as far as I can, but I think the issue can best be described as in the title: an incoming IPv4 NAT packet bypass the BLOCK rules that should apply first
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Steps to reproduce the behavior:
- port forward IPv4 ports from WAN to some internal host
- create an alias of either IPs or subnets. (does not need to be crowdsec)
- create an IN rule to block traffic from that alias on the WAN nic
- traffic still flows to internal services
Expected behavior
traffic should be BLOCKed instead of NATed
Describe alternatives you considered
Initially I thought it was crowdsec bug. I made a new inbound rule (with logging) on WAN interface duplicating the function of the built-in crowdsec rule. This did not change the outcome.
I tried a Floating "in" rule with all interfaces, pointing to the crowdsec_blacklists alias. No change.
I duplicated the crowdsec alias table and converted it into /24 subnets, no change.
I tried an "out" rule on the internal interface with source being the crowdsec alias, this does work.
Some traffic does get caught by the rules on the "in" side of interfaces, but that is all traffic that would have hit the default deny rule anyway (no port open, no NAT in place)
I have verified the IP addresses I want blocked are indeed in the alias tables with "pfctl -t tableName -T show"
In addition to the crowdsec rules, I also have a GeoIP rule called "ActiveWarZones" which contains countries that are currently active warzones. While preparing the information for this bug report, I noticed it only seemed to be triggering for IPv6 addresses, and not for IPv4 addresses.
I made matching "out" rules on my internal interfaces, and can confirm that traffic that has been touched by a NAT rule does not seem to apply BLOCK rules.
Screenshots
notes:
"Internode" is my WAN interface
"LAB" is a VLAN on an internal interface.
"LAN" is that same internal interface, with no VLAN.
Firewall log showing the NAT rule forwarding traffic, and the "out" rule actually stopping the traffic:
Firewall log showing inconsistent behavior of inbound drop, as well as an RDR taking place and being dropped on the "out" side of the internal interface:
More notes about this screenshot:
"CrowdSec (IPv4)" is the default crowdsec rule, with the crowdsec alias. (on WAN in)
"DROP: Crowdsec Blacklist IPv4" is a rule made from the duplicated crowdsec alias with /24 subnets (on WAN in)
"BLOCK: Crowdsec to LAB" is the rule on the out side of the internal interface, this is using the default crowdsec alias. (on LAB out)
Firewall log screenshot showing "ActiveWarZones" traffic being blocked on the outbound side of the internal interfaces for NAT'd traffic. this particular traffic is being NAT'd via upnp to a bittorrent client to generate some traffic, so how the NAT rule comes to exists does not seem to make any difference either.
Firewall log
These logs do not match any of the screenshots, but demonstrate a RDR being done, and then a BLOCK OUT on an internal NIC.
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,30697,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,3699,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,2282,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,63881,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,33945,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,49256,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
If applicable, information from log files supporting your claim.
Additional context
Add any other context about the problem here.
I have updated all software as of last 17/05/2023
I have rebooted.
Software version used and hardware type if relevant, e.g.:
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
Hardware: PCEngines apu4d4
AMD GX-412TC SOC (4 cores, 4 threads)
4x Intel i211AT
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
I was playing with crowdsec, and noticed that things that were alerted as being "bounced" were still hitting internal services, causing them to still alert, even when there was a firewall rule in place. I have verified the traffic is still getting to the internal service by looking at the logs on the internal service, and by logging "rdr" rules in the firewall.
I've taken the troubleshooting as far as I can, but I think the issue can best be described as in the title: an incoming IPv4 NAT packet bypass the BLOCK rules that should apply first
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
traffic should be BLOCKed instead of NATed
Describe alternatives you considered
Initially I thought it was crowdsec bug. I made a new inbound rule (with logging) on WAN interface duplicating the function of the built-in crowdsec rule. This did not change the outcome.
I tried a Floating "in" rule with all interfaces, pointing to the crowdsec_blacklists alias. No change.
I duplicated the crowdsec alias table and converted it into /24 subnets, no change.
I tried an "out" rule on the internal interface with source being the crowdsec alias, this does work.
Some traffic does get caught by the rules on the "in" side of interfaces, but that is all traffic that would have hit the default deny rule anyway (no port open, no NAT in place)
I have verified the IP addresses I want blocked are indeed in the alias tables with "pfctl -t tableName -T show"
In addition to the crowdsec rules, I also have a GeoIP rule called "ActiveWarZones" which contains countries that are currently active warzones. While preparing the information for this bug report, I noticed it only seemed to be triggering for IPv6 addresses, and not for IPv4 addresses.
I made matching "out" rules on my internal interfaces, and can confirm that traffic that has been touched by a NAT rule does not seem to apply BLOCK rules.
Screenshots
notes:
"Internode" is my WAN interface
"LAB" is a VLAN on an internal interface.
"LAN" is that same internal interface, with no VLAN.
Firewall log showing the NAT rule forwarding traffic, and the "out" rule actually stopping the traffic:
Firewall log showing inconsistent behavior of inbound drop, as well as an RDR taking place and being dropped on the "out" side of the internal interface:
More notes about this screenshot:
"CrowdSec (IPv4)" is the default crowdsec rule, with the crowdsec alias. (on WAN in)
"DROP: Crowdsec Blacklist IPv4" is a rule made from the duplicated crowdsec alias with /24 subnets (on WAN in)
"BLOCK: Crowdsec to LAB" is the rule on the out side of the internal interface, this is using the default crowdsec alias. (on LAB out)
Firewall log screenshot showing "ActiveWarZones" traffic being blocked on the outbound side of the internal interfaces for NAT'd traffic. this particular traffic is being NAT'd via upnp to a bittorrent client to generate some traffic, so how the NAT rule comes to exists does not seem to make any difference either.
Firewall log
These logs do not match any of the screenshots, but demonstrate a RDR being done, and then a BLOCK OUT on an internal NIC.
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,30697,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,3699,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,2282,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,63881,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
165,,,e3aa523215a8e08179a93493f4e133bd,igb1,match,block,out,4,0x0,,36,33945,0,none,17,udp,86,77.138.73.25,10.1.1.12,1024,61597,66
1,,,0,pppoe0,match,rdr,in,4,0x0,,37,49256,0,none,17,udp,86,77.138.73.25,59.167.177.52,1024,61597,66
If applicable, information from log files supporting your claim.
Additional context
Add any other context about the problem here.
I have updated all software as of last 17/05/2023
I have rebooted.
Software version used and hardware type if relevant, e.g.:
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
Hardware: PCEngines apu4d4
AMD GX-412TC SOC (4 cores, 4 threads)
4x Intel i211AT