Page 2 of 2

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Wed May 19, 2021 10:34 am
by zathred
Thanks for the update.

To demonstrate that external DNS port 53 packets are entering the router and being forwarded to ISI, I added a rule to the top of the FILTER table FORWARD chain to record these packets in the router log:

iptables -t filter -I FORWARD -p udp -d 128.9.0.107/16 --dport 53 -j LOG --log-prefix "PortForward -> "

An example log entry is shown below. It shows an external IP address sending unsolicited packets to port 53 on the WAN interface of my 8800AXL R2; these packets are DNAT'ed to the ISI address and then forwarded, as would be expected given the firmware iptables configuration.

May 19 09:57:51 <redacted>.home kernel: PortForward -> SPT=10802 DPT=53 LEN=36 UDP packet from [ptm0.1] 88.80.186.137:10802 to 128.9.0.107:53


I have to say that, as the IPTABLES mechanism provides the stateful firewall security for the router that prevents unauthorised external access, it is unsettling that the HQ engineers do not seem to understand that they have created an open port and a vector by which a DoS attack might be performed against the router. The fact that the INPUT and FORWARD chains default to ACCEPT is also bad practice: they should DROP all packets by default, and subsequent rules should ALLOW only the selected packets required for correct operation.

Regards
Gary
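As an added example, not code from this thread or from Billion's firmware: a small POSIX shell audit over an `iptables-save` dump that flags the two things Gary describes above, a DNAT rule whose `--to-destination` lies outside the LAN and INPUT/FORWARD chains whose default policy is not DROP, and prints the matching `iptables -D` commands to remove the offending forward. The dump is constructed for this example; the LAN prefix `192.168.1.`, the second (legitimate) port-forward rule and the exact shape of the 128.9.0.107 rule are assumptions, since the thread only shows the resulting log line.

```shell
#!/bin/sh
# Added example (not from the original thread or the 8800AXL firmware):
# audit an iptables-save dump for off-LAN DNAT targets and permissive
# default policies. Both dumps below are constructed; the LAN prefix and
# the rules in them are assumptions for illustration.

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ptm0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 128.9.0.107:53
-A PREROUTING -i ptm0.1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# A dump in the shape the post asks for: no off-LAN DNAT, INPUT/FORWARD DROP.
CLEAN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ptm0.1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Print every DNAT rule whose --to-destination address does not start with
# the LAN prefix given as $2 (e.g. "192.168.1.").
offsite_dnat_rules() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /-j DNAT/ {
            dst = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") dst = $(i + 1)
            split(dst, parts, ":")          # strip an optional :port
            if (index(parts[1], lan) != 1) print
        }'
}

# Print INPUT/FORWARD chains of the filter table whose policy is not DROP.
accept_policy_chains() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && ($1 == ":INPUT" || $1 == ":FORWARD") && $2 != "DROP" {
            print substr($1, 2)
        }'
}

# Turn each offending "-A PREROUTING ..." line into the iptables command
# that deletes that exact rule from the nat table.
removal_commands() {
    offsite_dnat_rules "$1" "$2" | sed 's/^-A /iptables -t nat -D /'
}

# Exit 0 only if the dump has neither finding.
audit_dump() {
    [ -z "$(offsite_dnat_rules "$1" "$2")" ] && [ -z "$(accept_policy_chains "$1")" ]
}

# Stand-alone run: report the findings for the constructed dump.
if ! audit_dump "$SAMPLE_DUMP" "192.168.1."; then
    echo "DNAT rules forwarding outside the LAN:"
    offsite_dnat_rules "$SAMPLE_DUMP" "192.168.1."
    echo "commands to remove them:"
    removal_commands "$SAMPLE_DUMP" "192.168.1."
    echo "filter chains not defaulting to DROP:"
    accept_policy_chains "$SAMPLE_DUMP"
fi
```

On a router you would feed the live table in with `audit_dump "$(iptables-save)" "192.168.1."` instead of the constructed string. The policy check deliberately ignores the nat table's PREROUTING policy, which is ACCEPT by design; it is the filter table's INPUT and FORWARD policies that the post is concerned with.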

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Thu May 20, 2021 9:15 am
by billion_fan
Billion will fix the issue by removing that rule from iptables in the next Official Firmware release.

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Mon May 24, 2021 9:41 am
by zathred
Thank you for confirming an updated firmware will be made available to address this issue. I have just successfully updated the 8800AXL R2 to the recently released 2.52.D17 firmware and look forward to the release of the future update with the fix as discussed.

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Fri Aug 27, 2021 10:26 am
by ElderScroll1985
Hello.

Are there any updates on this? I can see that this was posted about 3 months ago, and it is crazy to me that I don't see an update fixing this issue yet, as it does seem like a major one. When can we have a new firmware please?

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Fri Aug 27, 2021 12:14 pm
by billion_fan
Attached is a firmware that removes the DNAT rule.

FW Release Note :

1. “Enhance Firewall Rule”.
2. “Change HTTP Session timeout to 10 minutes”.
3. “Fixed config error in <Configure log page> issue”.

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Fri Aug 27, 2021 12:29 pm
by ElderScroll1985
Perfect, thank you!

Out of curiosity, is there a reason this firmware is not officially published on the website yet?

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Fri Aug 27, 2021 12:44 pm
by billion_fan
I only just received it today; I normally post the firmware here first, before official release on our web site.

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Tue Sep 07, 2021 10:42 am
by zathred
Thanks for posting the D18 firmware on this thread.

It feels like we are beta testers at present given it's only available via this thread. I am reluctant to install it until it is formally released on the support site https://support.billion.uk.com/ as we are working from home and cannot afford to have downtime from any issues that it might create.

Do you know when it will be formally released as a public update?

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Tue Sep 07, 2021 12:45 pm
by billion_fan
Hopefully the firmware will be released next week.

Update, firmware can be found here on our official support site

https://support.billion.uk.com/index.ph ... are-252d18

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Posted: Fri Sep 17, 2021 1:07 pm
by zathred
I've installed the D18 firmware on my 8800AXL R2 and can confirm that this update has addressed the open DNS port forwarding issue. All other functions of the router appear to be functional and stable. Thank you for addressing this issue.