ADM Defender is Fundamentally Broken?

mikhail_d
Posts: 1
Joined: Wed Dec 23, 2020 12:47 pm

Post by mikhail_d »

ADM Defender (the firewall tool in the web portal) uses iptables to do the firewall. The interface in the web portal doesn't allow you to specify the destination IP address/range, only the source. This means we can't block inputs based on the destination. Also, when you set the mode to "Deny all", the interface can only create "ALLOW" rules. It cannot create "DENY" rules and doesn't let you order the rules. Allow me to explain:

To secure your firewall, you want to "Deny all traffic" by default and only open some ports. You want to create an exemption for web portal on port 8000 so you open up that port. ADM defender will create rules like

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
...
ACCEPT     all  --  localhost            anywhere               8000,8001
...
DROP       all  --  anywhere             anywhere

Notice that the destination is anywhere and we cannot change it via the interface.

Now, if you are running docker (a very useful feature), you might want to run a container that also listens on port 8000 (e.g. portainer). You'll run this in bridge mode with it bound to port 19800. Under the hood docker will create two nat rules for you

DNAT       tcp  --  anywhere             anywhere             tcp dpt:19800 to:172.17.0.2:8000

The DNAT rule will route the incoming connection on 19800 to 172.17.0.2:8000, which is normal. But then comes the issue. As we have seen with the earlier filter rule, all traffic on port 8000 is allowed, regardless of destination. Portainer is reachable and, AFAIK, there is no way for me to block it.

Is there a way around this? Lots of containers like to use port 8000 and it would be nice to only open up the port for the web portal and not the underlying container. Ideally, we can set the destination IP so that we can lock it down. I would like to create a VPN server on my NAS and open it up to the internet, but I cannot control which docker containers are locked to just non-VPN LAN access.
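To make the point above concrete, here is an added example (not from the post or from ASUSTOR) that models iptables' first-match evaluation over rules of the shape shown: a port-8000 ACCEPT with destination "anywhere" also matches a connection that nat PREROUTING has already DNAT'ed to the container, whereas an ACCEPT scoped to the NAS's own address does not. The NAS address 192.168.1.10 and the client address are assumed; the chain is abstracted (on a real host, traffic DNAT'ed to a bridge container is filtered in FORWARD/DOCKER-USER, not INPUT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                  # ACCEPT or DROP
    proto: str = "all"           # "all", "tcp" or "udp"
    src: str = "0.0.0.0/0"       # "anywhere" in `iptables -L` output
    dst: str = "0.0.0.0/0"       # ADM Defender always leaves this as "anywhere"
    dport: Optional[int] = None  # None means any destination port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str    # destination as seen by the filter table, i.e. AFTER any DNAT
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def verdict(chain: list, pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; fall back to the chain policy ("Deny all")."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


NAS_IP = "192.168.1.10"      # assumed LAN address of the NAS itself
CONTAINER_IP = "172.17.0.2"  # container address from the post's DNAT rule

# Rule set of the shape ADM Defender produces: destination is always "anywhere".
ADM_STYLE = [Rule("ACCEPT", "tcp", dport=8000), Rule("DROP")]
# Destination-scoped variant: only the NAS's own address is opened on 8000.
SCOPED = [Rule("ACCEPT", "tcp", dst=NAS_IP, dport=8000), Rule("DROP")]


def check(chain: list) -> tuple:
    """Return (portal verdict, container verdict) for a constructed external client."""
    portal = Packet("tcp", "203.0.113.5", NAS_IP, 8000)
    # Same client hit host port 19800; DNAT already rewrote it to the container's 8000.
    container = Packet("tcp", "203.0.113.5", CONTAINER_IP, 8000)
    return verdict(chain, portal), verdict(chain, container)
```

`check(ADM_STYLE)` returns `("ACCEPT", "ACCEPT")`, showing the container is reachable through the portal's rule, while `check(SCOPED)` returns `("ACCEPT", "DROP")`.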