Firewall URL filter bypassed by guest networks with disabled intranet access

Climber

Occasional Visitor
RT-AX86U on Merlin 3004.388.9_2
Guest networks with intranet access disabled seem to bypass the firewall URL filter.
On the main network the blocking works fine.
If I enable the intranet access on the guest network the blocking works fine too.
I used the GUI to add the URLs and they show up under the INPUT and FORWARD chains of iptables. So, that would mean all those rules are probably bypassed too.
Test is DNS lookup and pinging.
I disabled my own custom firewall scripts, but it didn't make a difference.

I have just upgraded from 3004.388.8_4 to 9_2, but wasn't using the URL block then, so can't say if it's due to the upgrade. Haven't updated AMTM yet.
Tried searching on SNB.
Before I try a downgrade I was curious to see if someone else knows about this.

Cheers,
Peter
 
Which Guest Networks? The first Guest Network of each band behaves differently than the other 2. What did the INPUT and FORWARD rules look like, specifically? Were they only for br0 interface? Is your guest network using an interface other than br0?
 
It was on Guest Network #1. I know #1 behaves differently and gets a separate bridge and subnet. Since I used the 5GHz it goes to br2.
However, I didn't think that would have been a reason to bypass an outgoing firewall.
I did some more testing and GN #3 doesn't have this problem, so it seems that only br0 goes through the URL filter and br1 and br2 bypass it.
The first several lines of the associated iptables chains are below and contain the URL filter. Only have www.yahoo.com and obihai in there.
The rules don't seem explicitly linked to only br0.

Wondering if it is related to ebtables.

I don't want to use a different GN since I use br2 to also isolate some of the ethernet ports from the rest of the network. I move them from br0 to br2 and they become part of that GN.


Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --  anywhere             anywhere             icmp echo-request
DROP       udp  --  anywhere             AX86U.secnet         udp dpt:domain STRING match  "obihai" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             AX86U.secnet         udp dpt:domain STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
REJECT     tcp  --  anywhere             anywhere            WEBSTR match url www.yahoo.com  reject-with tcp-reset
DROP       udp  --  anywhere             anywhere             udp dpt:domain STRING match  "obihai" ALGO name bm TO 65535 ICASE
REJECT     tcp  --  anywhere             anywhere            WEBSTR match url obihai  reject-with tcp-reset
DROP       udp  --  anywhere             anywhere             udp dpt:1701
DROP       gre  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:1723
IPSEC_DROP_SUBNET_ICMP  all  --  anywhere             anywhere
IPSEC_STRONGSWAN  all  --  anywhere             anywhere
 
Use the command iptables -nvL to show the interface columns.
 
Ah, I was not aware of there being hidden information. Thank you very much.
That shows exactly why.
TCP is rejected for all interfaces, but UDP to DNS port 53 is dropped only from br0, which explains why DNS lookups and ping are getting through from br2.
Does anybody know why it's only blocking DNS for br0, and why basically only web page access, or is this simply seen as one of the ASUS quirks for GN#1?
Since it is a DNS rebind attack from a device to a no longer existing domain that I'm trying to prevent, I can just have the custom firewall script modify these rules to all interfaces.

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  970 1016K INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            192.168.50.1         udp dpt:53 STRING match  "obihai" ALGO name bm TO 65535 ICASE
   10   590 DROP       udp  --  br0    *       0.0.0.0/0            192.168.50.1         udp dpt:53 STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
 753K  194M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 1438 58274 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
1241K  320M PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
 219K   37M PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 
 
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "|057961686f6f03636f6d|" ALGO name bm TO 65535 ICASE
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url www.yahoo.com  reject-with tcp-reset
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "obihai" ALGO name bm TO 65535 ICASE
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           WEBSTR match url obihai  reject-with tcp-reset
    0     0 DROP       udp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 DROP       47   --  br0    eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  br0    eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
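Added example, not code from the thread, SNBForums or Asuswrt-Merlin: a small POSIX shell script of the kind a custom firewall script could call to close the gap shown in the `iptables -nvL` listing above, where the UDP/53 STRING rules carry `-i br0` while the WEBSTR rules carry `-i *`. It rebuilds the same match pattern the GUI generated (`|057961686f6f03636f6d|` is `yahoo.com` in DNS wire format: length byte `05` then `yahoo`, `03` then `com`; the `www` label is absent, and the dot-less entry `obihai` was stored as a plain string), then emits one INPUT and one FORWARD DROP rule per bridge and inserts only the rules that are missing. The variables `IFACES`, `DOMAINS`, `DRY_RUN` and every function name are this example's own; the list of guest bridges (`br1`, `br2`) and the two domains are taken from the thread, and the rule for how the GUI picks hex versus plain matching is inferred from the listing, not from ASUS documentation.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): replicate the GUI's UDP/53
# URL-filter DROP rules on every bridge, not just br0. All names here are assumptions.

IFACES=${IFACES:-"br0 br1 br2"}                 # br1/br2 = guest bridges per the thread
DOMAINS=${DOMAINS:-"www.yahoo.com obihai"}      # constructed: the thread's two entries

# Encode a hostname as DNS wire-format labels: each label is prefixed by its length
# byte, e.g. yahoo.com -> 05 "yahoo" 03 "com" -> 057961686f6f03636f6d.
dns_label_hex() {
    name=$1
    out=""
    old_ifs=$IFS
    IFS=.
    for label in $name; do
        len=$(printf '%02x' "${#label}")
        hex=$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')
        out="${out}${len}${hex}"
    done
    IFS=$old_ifs
    printf '%s' "$out"
}

# Choose the string-match arguments the way the listing suggests the GUI does:
# a dotted name becomes a hex label sequence (www. stripped), a bare word stays a
# plain --string (substring match, so "obihai" also hits "obihai.example").
match_args() {
    name=${1#www.}
    case $name in
        *.*) printf '%s "|%s|"' --hex-string "$(dns_label_hex "$name")" ;;
        *)   printf '%s "%s"'   --string     "$name" ;;
    esac
}

# Emit, one per line, the iptables commands for one domain on every interface in
# IFACES, for both INPUT (queries to the router's own resolver) and FORWARD
# (queries sent straight to an upstream resolver).
urlfilter_dns_rules() {
    domain=$1
    args=$(match_args "$domain")
    for iface in $IFACES; do
        for chain in INPUT FORWARD; do
            printf 'iptables -I %s -i %s -p udp --dport 53 -m string --algo bm --icase %s -j DROP\n' \
                "$chain" "$iface" "$args"
        done
    done
}

# Insert each rule only if it is not already present (iptables -C exits non-zero when
# the rule is absent), so the script is safe to re-run. With DRY_RUN=1, or when no
# iptables binary exists, the commands are printed instead of executed.
apply_rules() {
    urlfilter_dns_rules "$1" | while IFS= read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -I / -C /')
        if [ "${DRY_RUN:-0}" = "1" ] || ! command -v iptables >/dev/null 2>&1; then
            echo "[dry-run] $cmd"
        elif ! eval "$check" 2>/dev/null; then
            eval "$cmd"
        fi
    done
}

for d in $DOMAINS; do
    apply_rules "$d"
done
```

After running it on the router, `iptables -nvL INPUT` and `iptables -nvL FORWARD` should show the new DROP lines with `br1` and `br2` in the `in` column next to the GUI's `br0` ones. Like the originals, these rules only see plain DNS over UDP/53; queries over TCP/53 are not covered by either the GUI's rules or this script, so the block closes the interface gap found in the thread rather than turning the URL filter into a complete egress control.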
 
