Weird stuff

ChiellieNL
Posts: 1
Joined: Thu Jun 04, 2015 9:15 pm


Post by ChiellieNL » Thu Jun 04, 2015 9:48 pm

Hi,

I've bought Murus Firewall Pro recently to protect my OS X Server.
Though I love the interface and the idea behind it, after using and calibrating it for a couple of days, I can't say I feel confident about it.

I started with the "Novice - Firewall Wizard" strategy. Used the inclusive inbound and exclusive outbound.
All servers like email and web were set to open for all, while other services like AFP, VNC, and so were only open to my LAN.
Sounds pretty OK. However, even my own LAN addresses were sometimes denied when contacting my mailserver (which is open to everyone). 90% of the time they pass, but 10% of the time they get blocked for no explicable reason.

Yesterday, I even had a whole day of mail backlog, because it seemed the firewall was blocking all incoming connections to the SMTP server. I've also bought the Log Visualiser (and logged both passed and blocked access), but it didn't show any blocked access to any ports of the mailserver (25, 143, 587, 993).
I got warned by someone who said they had mailed me some mails I didn't receive. Then I shut down the firewall, and the mailserver spent about half an hour receiving dozens of mails that had been rejected.

So today I decided to start all over again. Did the same wizard, but this time both inbound and outbound were set as exclusive. Blocked the system ports on the first line, allowing only the LAN, and after that opened the system ports for email, web, etc. to everyone.
However, my own LAN addresses still get blocked for port 993 now and then (same as before: mostly they pass, now and then they get blocked for some reason).
Also, other dynamic ports (above 49152) are being blocked for IP addresses from Apple themselves for no explicable reason.

Looking at the logs, they all got blocked by rule 12.0 (BLOCK_V4), and it looks like this rule is treated as a 'quick' rule, since the pass rules after it aren't even reached.
Since I restarted today as exclusive, I didn't even expect that rule to be there.

Besides the inbound, some outbound traffic towards Apple servers is also being blocked, while outbound has also been set to exclusive and the last line of the config reads "pass out proto {tcp, udp} from any to any port {1:65535}".

I also manually created a 'last rule' passing all inbound connections from my LAN addresses to port 1:65535, but that didn't help either: still blocked by rule 12 (BLOCK_V4).

So, ehm, like the title of this topic states: some weird stuff is going on here, especially the fact that it mostly seems to work, but then frequently and suddenly it won't, for no explicable reason.
Like I said, I truly like this tool, but I'm starting to lose confidence in it.

Sure, it could be something I did wrong, but following the basic setup and just defining access levels for specific ports doesn't seem that hard to do (on my Linux servers I always handled this with iptables through Webmin, which is basically the same idea).

So I'm a bit stuck here. Is anyone able to explain what's going wrong?

hany
Posts: 479
Joined: Wed Dec 10, 2014 5:20 pm

Re: Weird stuff

Post by hany » Tue Jun 09, 2015 5:22 pm

Well... it's not really easy to troubleshoot such an issue. I have never experienced it.

ChiellieNL wrote:
Looking at the logs, they all got blocked by rule 12.0 (BLOCK_V4), and it looks like this rule is treated as a 'quick' rule, since the pass rules after it aren't even reached.
Since I restarted today as exclusive, I didn't even expect that rule to be there.

PF configurations installed by Murus are inclusive by design. Inclusivity/exclusivity is managed in the Murus interface with the ALL SERVICES meta service. Rules created by the ALL SERVICES service override the default block rule. So this rule is there all the time, but should you choose an exclusive approach, a new rule will win over it.

ChiellieNL wrote:
So, ehm, like the title of this topic states: some weird stuff is going on here, especially the fact that it mostly seems to work, but then frequently and suddenly it won't, for no explicable reason.

As I said, it is hard for me to help you unless you do some tests. Look, I think the best thing to do is to simplify the ruleset using a totally custom ruleset. Choose the second expert strategy, then open the configuration view and add a custom rule to pass your inbound connections (mail and so on). The ruleset will be very short and very easy to debug. To pass all outbound connections you can issue a custom manual rule like this:


pass out
For some specific service (like email) you may also try to pass traffic using static filtering. You can do this using custom rules or selecting the corresponding option in managed services.
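The kind of short custom ruleset hany suggests, written out as an added example of plain PF syntax; this is not Murus-generated output and not the original poster's configuration. The interface name en0, the LAN prefix 192.168.1.0/24 and the AFP/VNC port numbers are assumptions chosen for the example. The two comments on "quick" are the point of the thread: PF evaluates the whole ruleset and the last matching rule decides, so a plain block rule near the top is overridden by any later pass rule that matches, whereas a block marked quick ends evaluation at that rule and makes every pass rule after it unreachable for that packet.

```pf
# Added example ruleset (not Murus output). en0 and 192.168.1.0/24 are assumed.
ext_if   = "en0"
lan      = "192.168.1.0/24"
mail_tcp = "{ 25, 143, 587, 993 }"      # SMTP, IMAP, submission, IMAPS
lan_tcp  = "{ 548, 5900 }"              # AFP and VNC (assumed ports): LAN only

set skip on lo0
set block-policy drop

# Default deny, logged. No "quick" here, so a later matching pass rule wins.
block in log all
block out log all

# Mail ports open to everyone; AFP/VNC only from the LAN.
# Pass rules are stateful by default; for TCP they match only packets with
# flags S/SA (the initial SYN) and then rely on the state entry for the rest.
pass in on $ext_if proto tcp from any to ($ext_if) port $mail_tcp
pass in on $ext_if proto tcp from $lan to ($ext_if) port $lan_tcp

# Everything outbound, all TCP and UDP ports.
pass out on $ext_if proto { tcp udp } from ($ext_if) to any

# Do NOT do this above the pass rules: "quick" stops evaluation at the
# block, and none of the later pass rules is ever reached.
# block in quick log all
```

To check a file like this without loading it, run `sudo pfctl -nf custom.conf` (parse only); `sudo pfctl -vvsr` lists the loaded rules with the `@N` index that a pflog entry's "rule N" refers to, which is how to find what rule 12 actually is in the active ruleset. `sudo tcpdump -n -e -ttt -i pflog0` shows each logged block together with the matching rule number and the packet's TCP flags, so a block on an already-open connection (a packet without SYN that found no state entry) looks different from a blocked new connection; `sudo pfctl -ss` shows the current state table. Whether pflog0 exists on a given Mac depends on how it was enabled, so that check is an assumption to verify first.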
