Allow access to port 9200 locally

Started by dnll, September 10, 2024, 09:18:29 AM

Hey y'all,
I use Zenarmor with the ElasticSearch database on OPNsense and want to monitor that database from another host on my local network. I noticed however that the connections to OPNsense on port 9200 are blocked. So I created this rule:


When I test locally on OPNsense, no problem as expected (no rule needed):

root@router01:~ # telnet 127.0.0.1 9200
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.


However, when trying from 10.1.1.21, the telnet never connects. Am I missing something obvious here? The 10.1.1.0/24 subnet is in the LOCAL group.

September 10, 2024, 09:35:31 AM #1 Last Edit: September 12, 2024, 08:37:38 PM by meyergru
The database seems to be bound to IP 127.0.0.1 for security reasons. This way, it is not accessible from outside the host itself. You would have to make it bind to 0.0.0.0 instead, but IDK if you can tweak the configuration.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

You need a port forward to 127.0.0.1:9200 on the interface where the monitoring host is, not an allow rule on localhost.

Quote from: doktornotor on September 10, 2024, 09:37:01 AM
You need a port forward to 127.0.0.1:9200 on the interface where the monitoring host is, not an allow rule on localhost.
Unsure why I would need any port forwarding here, I'm connecting directly to the OPNsense box on the correct port.

Quote from: meyergru on September 10, 2024, 09:35:31 AM
The database seems to be bound to IP 127.0.0.1 for security reasons. This way, it is not accessible from outside the host itself. You would have to make it bind to 0.0.0.0 instead, but IDK if you can tweak the configuration.
That actually makes a lot of sense, I'll keep digging.

Quote from: meyergru on September 10, 2024, 09:35:31 AM
The database seems to be bound to IP 127.0.0.1 for security reasons. This way, it is not accessible from outside the host itself. You would have to make it bind to 0.0.0.0 instead, but IDK if you can tweak the configuration.
Solution was to add network.host: 0.0.0.0 to /usr/local/etc/elasticsearch/elasticsearch.yml. Haven't tested yet if this persists across reboots/updates/etc, but that will do for now; I will come back here and comment if I need to do anything else to make it persist.

September 12, 2024, 03:37:02 AM #5 Last Edit: September 12, 2024, 04:24:32 AM by doktornotor
Quote from: dnll on September 12, 2024, 02:13:19 AM
Quote from: doktornotor on September 10, 2024, 09:37:01 AM
You need a port forward to 127.0.0.1:9200 on the interface where the monitoring host is, not an allow rule on localhost.
Unsure why I would need any port forwarding here, I'm connecting directly to the OPNsense box on the correct port.

Because the packets are not arriving on localhost (loopback) interface at all, as you have observed.

Quote from: dnll on September 10, 2024, 09:18:29 AM
However, when trying from 10.1.1.21, the telnet never connects. Am I missing something obvious here? The 10.1.1.0/24 subnet is in the LOCAL group.

P.S. Making ES listen on wildcard is... crazy. Would really suggest undoing that and doing the simple port forward. This post has a proper example of such a NAT rule to make services that listen only on loopback accessible over LAN to chosen hosts. Use 10.1.1.21 for source and 9200 for destination and redirect target ports.
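To make the two halves of doktornotor's advice concrete, here is an added example (not code from the thread or from OPNsense): `rdr_rule` prints the pf.conf equivalent of the GUI port forward he describes, and `bind_status` classifies how the listener on a port is bound from `sockstat -4l` style output, so you can confirm ES is back on loopback only after reverting `network.host`. The interface name `lan` and the sockstat sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD/OPNsense sockstat(1)
# column layout and pf.conf syntax; "lan" and the sample lines are constructed.

# Print the pf.conf form of the port forward: TCP from one monitoring host to
# the firewall's own address on <port> is redirected to the loopback listener.
# Usage: rdr_rule <interface> <source-host> <port>
rdr_rule() {
    printf 'rdr pass on %s inet proto tcp from %s to (%s) port %s -> 127.0.0.1 port %s\n' \
        "$1" "$2" "$1" "$3" "$3"
}

# Classify the listener on <port> from sockstat -4l lines on stdin.
# Prints "loopback", "wildcard", "other" or "none".
# Live use on the firewall: sockstat -4l | bind_status 9200
bind_status() {
    awk -v port="$1" '
        NR > 1 && $6 ~ (":" port "$") {
            split($6, a, ":")
            if (a[1] == "127.0.0.1") { print "loopback"; found = 1; exit }
            if (a[1] == "*")         { print "wildcard"; found = 1; exit }
            print "other"; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Constructed sockstat output: the default (loopback-only) binding, and the
# binding seen after setting network.host: 0.0.0.0 in elasticsearch.yml.
SAMPLE_DEFAULT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
elastic  java       1234  45 tcp4   127.0.0.1:9200        *:*'
SAMPLE_WILDCARD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
elastic  java       1234  45 tcp4   *:9200                *:*'

es_default_status()  { printf '%s\n' "$SAMPLE_DEFAULT"  | bind_status 9200; }
es_wildcard_status() { printf '%s\n' "$SAMPLE_WILDCARD" | bind_status 9200; }

# The rule for the thread's case: monitoring host 10.1.1.21, service port 9200.
rdr_rule lan 10.1.1.21 9200
es_default_status
es_wildcard_status
```

With the forward in place, the listener stays bound to 127.0.0.1 (so `bind_status` keeps reporting `loopback`) while only the named source host can reach it through the firewall's LAN address.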

Quote from: doktornotor on September 12, 2024, 03:37:02 AM
Quote from: dnll on September 12, 2024, 02:13:19 AM
Quote from: doktornotor on September 10, 2024, 09:37:01 AM
You need a port forward to 127.0.0.1:9200 on the interface where the monitoring host is, not an allow rule on localhost.
Unsure why I would need any port forwarding here, I'm connecting directly to the OPNsense box on the correct port.

Because the packets are not arriving on localhost (loopback) interface at all, as you have observed.

Quote from: dnll on September 10, 2024, 09:18:29 AM
However, when trying from 10.1.1.21, the telnet never connects. Am I missing something obvious here? The 10.1.1.0/24 subnet is in the LOCAL group.

P.S. Making ES listen on wildcard is... crazy. Would really suggest undoing that and doing the simple port forward. This post has a proper example of such a NAT rule to make services that listen only on loopback accessible over LAN to chosen hosts. Use 10.1.1.21 for source and 9200 for destination and redirect target ports.
Ha, this makes a lot of sense. I disabled the network.host option in the yml configuration file (basically putting it back to the default) and created this NAT rule:

And I can confirm it now works through the loopback interface. I used the "This Firewall" option as destination; unsure if it makes any difference compared to the other possibilities and/or if there are better practices in that regard.

Either way, it's certainly more secure than having ElasticSearch listening on everything (or even just the whole local network). I guess it's more or less the same as if I had ElasticSearch listening specifically for my source, but having the configuration centralized within the firewall without having to edit any configuration file whatsoever is just cleaner overall.