General Discussion / ESTABLISHED,RELATED - How to block NEW ?
« on: November 20, 2024, 06:27:55 pm »
Dear all,
I am using a MikroTik OpenVPN client which connects to an OPNsense OpenVPN server.
I have a PC named "A" on the client network and a PC named "B" on the server network.
I want B to be able to dialog with A, but I want to block all traffic from A to B that is initiated by A.
That was easy to do with iptables:
- traffic A->B initiated by B was caught by "--state RELATED,ESTABLISHED -j ACCEPT"
- traffic A->B initiated by A was caught by "--state NEW -j DROP"
I read in the different posts that with OPNsense it is actually the default behaviour that when B is authorized to A, A can reply to B, and I could test that it works well.
However, my issue is the following when one proceeds step by step:
1. first, A pings B: there is no answer - correct
2. second, B pings A: it works - correct
3. but now, if A pings B, A gets replies - NOT CORRECT
Actually what happens is obviously the following:
- step 1: there is no rule to accept traffic from A to B, so there is no reply
- step 2: there is a rule to accept traffic from B to A, so by default OPNsense tracks the state of the connection and replies from A are accepted back to B
- step 3: when, at that point, A initiates traffic to B, OPNsense uses the previous state of the connection from step 2 and it accepts the traffic!
So, in case there is regular communication from B to A, an attacker could suddenly usurp the IP address of A to attack B through the firewall.
How can one definitively block traffic from A to B that is initiated by A?
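As an added illustration (not part of the original post, and not OPNsense or MikroTik code), the toy filter below models the direction-aware ICMP echo state tracking the poster got from iptables: a request only ever matches a state in its original direction, so A's echo request in step 3 stays NEW and is dropped even while the B->A state exists. The A and B addresses and ICMP ids are constructed sample values.

```python
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    icmp_id: int


class StatefulIcmpFilter:
    """Accept ESTABLISHED echo traffic; accept NEW only from the allowed initiator."""

    def __init__(self, initiator_allowed: str):
        self.initiator_allowed = initiator_allowed
        # State table keyed by the ORIGINAL direction: (orig_src, orig_dst, icmp_id)
        self.states: set[tuple[str, str, int]] = set()

    def classify(self, pkt: Packet) -> str:
        if pkt.icmp_type == ECHO_REQUEST:
            # A request is never a reply; it matches only a state created
            # by an earlier request in the same direction (retransmission).
            return "ESTABLISHED" if (pkt.src, pkt.dst, pkt.icmp_id) in self.states else "NEW"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply matches a state whose original direction is the reverse.
            return "ESTABLISHED" if (pkt.dst, pkt.src, pkt.icmp_id) in self.states else "INVALID"
        return "INVALID"

    def filter(self, pkt: Packet) -> str:
        state = self.classify(pkt)
        if state == "ESTABLISHED":
            return "ACCEPT"
        if state == "NEW" and pkt.src == self.initiator_allowed:
            self.states.add((pkt.src, pkt.dst, pkt.icmp_id))
            return "ACCEPT"
        return "DROP"  # NEW from the wrong side, or INVALID


def replay_poster_scenario() -> list[str]:
    """Steps 1-3 from the post; B is the only side allowed to initiate."""
    A, B = "10.0.1.10", "10.0.2.20"  # constructed sample addresses
    fw = StatefulIcmpFilter(initiator_allowed=B)
    return [
        fw.filter(Packet(A, B, ECHO_REQUEST, 0x1111)),  # step 1: A pings B
        fw.filter(Packet(B, A, ECHO_REQUEST, 0x2222)),  # step 2: B pings A
        fw.filter(Packet(A, B, ECHO_REPLY, 0x2222)),    #         A's reply to B
        fw.filter(Packet(A, B, ECHO_REQUEST, 0x2222)),  # step 3: A pings B, reusing B's id
    ]
```

Running `replay_poster_scenario()` gives `['DROP', 'ACCEPT', 'ACCEPT', 'DROP']`: the existing B->A state lets A's reply through but does not turn A's own request into established traffic.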