Need help - applied Hetzner firewall - now I can't browse Internet - Page 2

Comments

  • myhken said: Hetzner Firewall just allows 10 entries. So what's in the picture is all there is.

    I read the Hetzner documentation (pointed out by @Falzo) and re-"saw" your screenshot and I think I understood a bit more now :-)

    Your rules (#6-#10) are allowing all incoming traffic and that's why things are working. If you change (any of rules 6-10) to drop instead of accept, you'll start to see problems (check if DNS works or pings work after changing to drop).

    And if Hetzner only allows 10 rules, you'll have to carefully allow only those incoming traffic rules you want (and then add a default for TCP connections + UDP + ICMP).

    See: https://www.hetzner.de/images/content/about/screen_firewall_en.gif for the blanket ICMP rule and the tcp established rule.

    I really am not clear how UDP (DNS) is working per their rules and it may well be worth raising a support request (assuming such a thing exists for the firewall).

    What you really need:

    incoming RDP + FTP + ICMP + UDP (DNS+NTP only?) + TCP [established traffic]. I think these can be done as follows (again, test + confirm please):

    (for all the below rules either explicitly qualify your destination IP or leave it blank if that works only for your IP per Hetzner rules).

    1. RDP source IP + dest port 3389 + tcp
    2. FTP (whatever settings you have in screen shot rule #3 + rules #5)
    3. UDP DNS + NTP rule (DNS is source port 53, NTP is source port 123)
    4. ICMP Rule (blanket, see Hetzner screenshot)
    5. TCP Established rule (see Hetzner screenshot - also discussed earlier in this thread)
    6. TCP DROP rule (drop all packets with SYN flag) [IMPORTANT otherwise you leave your server open to TCP incoming connections]

    The above rules should do the trick.

    One thing to beware of though [with rule #6] is you may lock yourself out - so try to have a rule in between 5 and 6 (temporarily) that allows your source IP for all types of traffic (as a failsafe). Also note that the above rules do NOT block any UDP traffic by default - not sure how "safe" this is with Windows but explicitly allowing UDP source port 53 and source port 123 (NTP) should I think be enough.

    Hope this helps. What is very straightforward and easy with Linux/iptables becomes a bear of a thing with this sort of stateless setup where you have to anticipate everything (on top of having to deal with Windows inanities).

    Phew.

    Thanked by 1myhken
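    The six-rule set proposed above, as an added example that is not from the post, from Hetzner or from the project: a small first-match evaluator in Python that models how a stateless filter of this kind decides each inbound packet, so the ruleset can be checked for lock-outs and leaks before it is applied. The admin source IP, the FTP port and the accept-on-no-match default are assumptions, not values taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional
@dataclass
class Rule:
    action: str                             # "accept" or "drop"
    proto: Optional[str] = None             # "tcp", "udp", "icmp"; None = any
    src: Optional[str] = None               # source IP or CIDR; None = any
    dport: Optional[FrozenSet[int]] = None  # destination ports; None = any
    sport: Optional[FrozenSet[int]] = None  # source ports; None = any
    flags: FrozenSet[str] = frozenset()     # TCP flags that must all be set

@dataclass
class Packet:
    src: str
    proto: str
    dport: int = 0
    sport: int = 0
    flags: FrozenSet[str] = frozenset()
MAX_RULES = 10              # the per-server limit discussed in the thread
ADMIN_IP = "203.0.113.10"   # constructed placeholder for the one allowed admin source
# The six rules from the post, first match wins. FTP port 21 is a placeholder (assumption).
RULES = [
    Rule("accept", "tcp", ADMIN_IP, dport=frozenset({3389})),  # 1 RDP from admin IP
    Rule("accept", "tcp", ADMIN_IP, dport=frozenset({21})),    # 2 FTP (placeholder)
    Rule("accept", "udp", sport=frozenset({53, 123})),         # 3 DNS + NTP replies
    Rule("accept", "icmp"),                                    # 4 blanket ICMP
    Rule("accept", "tcp", flags=frozenset({"ACK"})),           # 5 established TCP
    Rule("drop", "tcp", flags=frozenset({"SYN"})),             # 6 new inbound TCP
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    if rule.sport is not None and pkt.sport not in rule.sport:
        return False
    return rule.flags <= pkt.flags  # every required TCP flag is set on the packet

def evaluate(pkt: Packet, rules=RULES, default="accept"):
    # Returns (rule number, action); rule 0 means the assumed accept default applied.
    if len(rules) > MAX_RULES:
        raise ValueError("Hetzner firewall accepts at most %d rules" % MAX_RULES)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return n, rule.action
    return 0, default
```

    Feeding it a stray UDP packet shows the caveat raised in the post: nothing in the six rules drops it, so only a seventh rule (still within the limit) closes that gap.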
  • nullnothere said: I'm curious about one point though - so you're saying that browsing is working but you've not (based on the screenshot) allowed UDP port 53 (for DNS). So how come DNS is working?

    Have a look at the picture you just posted. There is a checkbox above the list of rules which allows all Hetzner services to connect to the server regardless of the firewall rules, so I'd say if @mykhen uses DHCP and therefore Hetzner's DNS server it might be the reason for this to just work ;-)

    Otherwise they might have hardcoded allow rules for DNS which are not listed, but probably you could disallow incoming requests for that with your own rules...

  • Falzo said: if @mykhen uses dhcp and therefore hetzner dns server it might be the reason for this to just work ;-)

    otherwise they might have hardcoded allowing rules for DNS which are not listed, but probably you could disallow incoming request for that with own rules

    I suspect it is the allow-all rules (#6-#10) that are doing the magic (because even ICMP is working and that shouldn't happen by default). Anyway it's a quick test to confirm so hopefully @mykhen will be able to verify.

  • nullnothere said: I suspect it is the allow-all rules (#6-#10) that are doing the magic (because even ICMP is working and that shouldn't happen by default).

    myhken said: Rules 7-10 are for my other VMs - since the firewall works on all my IPs, I have opened all protocols and ports to these IPs.

    more likely different destination IPs on the same server - as he said above, guest VMs :-) that should not interfere with the main IP, as it won't match ^^

    Thanked by 1myhken
  • @nullnothere my rules #6-10 are for other IPs I have on that server. I'm running several VMs on that server and the firewall sadly applies to all IPs and not just my main IP. So they are not pointed at my main IP at all. Web browsing does not work if I take away rule number 2.

  • nullnothere Member
    edited February 2017

    @Falzo and @myhken - my bad - I didn't realize on the VM IPs.

    So then maybe as @Falzo says, ICMP and DNS are allowed from Hetzner's network and so things are working.

    Since you're using windows, you can test with nslookup:

    nslookup
    > server 8.8.8.8
    > google.com

    [do you get an answer?]

    If you do, then DNS is working (how? I have no clue - please seek clarification from Hetzner and share!).

    I really am at a loss to explain what else the Firewall is doing (mysteriously).

    Except that for now myhken is happy as things are working for him.

    Nmap reports any leaks?

    (edited formatting)

    Thanked by 1myhken
  • myhken Member
    edited February 2017

    Falzo said: Have a look at the picture you just posted. There is a checkbox above the list of rules which allows all Hetzner services to connect to the server regardless of the firewall rules, so I'd say if @mykhen uses DHCP and therefore Hetzner's DNS server it might be the reason for this to just work ;-)

    You are 100% right. If I change my DNS servers to 8.8.8.8/8.8.4.4 I can't browse the internet. By default my IPv4 setup gets everything automatically from Hetzner. Not using a static IP and such.

    Thanked by 1Falzo
  • nullnothere said: Nmap reports any leaks?

    What is the best way to run it? Scanning localhost inside the server is showing all the same "old" ports open. Can I scan the IP inside my server, or from outside?

  • Run nmap from another of your servers (at a different location preferably) against both your Main IP and one of your guest VMs IP and see what it shows.

    I suspect Hetzner is also providing an NTP server from their network (via DHCP options) which is allowing your machines to keep (sane) time.

    I wonder why the 10 rule limit (makes it very inconvenient for VMs).

    Thanked by 1myhken
  • nullnothere said: I wonder why the 10 rule limit (makes it very inconvenient for VMs).

    Yea, I know. In fact, I have one IP that I can't get into the firewall. Only an IP I use for making templates, like Test IP 1 and 2.

  • myhken Member
    edited February 2017

    @nullnothere I have then run some nmap tests:

    The first is from a server, not using the only 3389-allowed IP, scanning my main Hetzner server; it shows:

    Edit! I'm scanning from the only IP that have FTP access to my server.

    The second is from the same server, but scanning a Windows VM on the Hetzner server, with all open ports and protocols in the Firewall.

    That's what you should expect? A little strange that the 3389 port is not listed in the first scan, but maybe because it's not from the allowed IP?

    The last scan is from my OVH server. As you can see, there are more open ports there.

    Edit 2

    Wow, scanning my Hetzner server from a server that has no FTP/RDC access to my server is showing this: no open ports at all. Completely blank.

    That's what I call a good result. Don't believe I will get more login attempts on that server anymore...

    Maybe I have to invest in a Cisco Firewall on my OVH server to do the same there??? But it's €19/mo

  • After all it doesn't tell why every now and then someone manages to try a login despite your rdp per ip restriction in windows firewall ;-)

  • Falzo said: After all it doesn't tell why every now and then someone manages to try a login despite your rdp per ip restriction in windows firewall ;-)

    No...and that's still strange. But after looking at the OVH nmap scan, I can see that ports 1027 and 2179 are open to the public. I have no IP restrictions on these two ports. 2179 belongs to Hyper-V; I don't know where I can find it in my firewall so I can create an IP block on it. The same with port 1027. I have tried blocking that port in my Windows Firewall, and still it shows up as open.

    So maybe my original issue has something to do with these two ports?

  • You are not smart, and neither is your firewall software.

  • myhken Member
    edited February 2017

    WSS said: You are not smart, and neither is your firewall software.

    Thanks for your uplifting and kind words. :D Never said that I was smart. But why do you believe that I'm not smart? Using Windows as OS? What Firewall software do you recommend to Windows Server 2012 R2?

  • Something by Steve Gibson. Dude knows how to open ports- he knows his shit.

    Thanked by 1JahAGR
  • myhken said: I have then run some nmap tests

    I'm not surprised to see some of the Windows ports showing up as open - that is "normal" - I'm not a Windows expert - possibly obvious by now ;-) so no ideas on how to lock them down.

    Otherwise things look "good" and there may be some extra ports showing up when you scan from one of the "allowed" IPs - which is fine. The no-ports-open kind of scan is what you should really be aiming for (and verifying) - I think that's the best you can do at this level.

    Regarding a decent firewall (software) for Windows, take a look at Tinywall (https://tinywall.pados.hu/) - in my use of it, I've been pretty happy for my limited needs and it is far easier to manage than the Windows firewall (although use both as much as possible). Also, one caveat: by default it will also block outgoing traffic unless you whitelist it (a good safety measure for viruses etc. but painful otherwise).

    Frankly, I'm not very impressed by the Hetzner firewall (esp. the 10 rule limit). I think OVH's firewall is much better (but probably more painful to configure).

    Also, if you have IPs in the same subnet (or somewhat maskable), you should be able to reduce the rules by using a destination IP mask instead of a single IP at a time - that should help you add some additional rules as well.

  • nullnothere said: Frankly, I'm not very impressed by the Hetzner firewall (esp. the 10 rule limit). I think OVH's firewall is much better (but probably more painful to configure).

    Yea, the 10 rule limit is a joke, since it applies to all IPs.

    nullnothere said: Also, if you have IPs in the same subnet (or somewhat maskable), you should be able to reduce the rules by using a destination IP mask instead of a single IP at a time - that should help you add some additional rules as well.

    The problem with that is that all my IPs are on the same subnet. So if I open that subnet, I also open my main IP. And then I'm back at the start.

  • myhken said: Yea, the 10 rule limit is a joke, since it applies to all IPs.

    maybe ticket in and ask if they are able to raise this limit?

  • Falzo said: maybe ticket in and ask if they are able to raise this limit?

    Did that, and got this reply:

    Dear Client Currently there are no plans to further increase the amount of rules. The firewall is indeed bound to the port of your server on the switch and has nothing to do with separate IP addresses. You can stack some rules by adding several ports at once. We recommend to use the basic rules on the Hetzner firewall and if you need more refined rules maybe use an additional firewall on your server. Mit freundlichen Grüßen / Kind regards Dirk Vetter

    But the reply is strange. I have tested this, and if I remove one of my VMs' IPs from the firewall rules, it's totally blocked right away. E.g. my ownCloud server: right away after I update my firewall, I can't access the site, the ownCloud client goes dark (no connection) and I can't access the server over SSH. Using the Hyper-V console to access the server, it will not ping anything outside the server. So enabling the firewall does impact my other IPs.

  • They moderated their reply after I replied back with the last part of my post over.

    Dear Client That is exactly what was meant. The firewall is enabled for the switch port. So all IP addresses are affected. It is not somehow working on IP basis. In your case you have to handle all your important rules in a maximum of 10 rules, that is correct. Mit freundlichen Grüßen / Kind regards Dirk Vetter

    So it was not me doing something wrong here.

  • yes indeed.

    Are the additional IPs really that close in the same subnet to the main IP?

    If possible I'd try to use a really small netmask to get the allow-access rule for the addon IPs into one rule. If they differ or are widely spread, then that won't work of course and either way you would at least need two rules to separate the subnets/IPs :/

  • I kept out so far because I know basically nothing about Hetzner's system. I would, however, strongly advise against using that firewall thingy.
    For one because quite little is known about it; that doesn't change by some small docu. Firewalls are quite complex beasts and one shouldn't even waste one's time with a not-fully-documented firewall (and even if they provided full and good docu one should still question the wisdom of learning some obscure exotic fw instead of a widespread "standard" one).
    Second: What do you gain? It's on the switch if I got that correctly and hence doesn't offer any advantage but sparing some of your CPU's cycles. Unless a provider gives you some kind of access to their IX equipment it doesn't matter where in between a firewall is placed and it might as well be right on your server and hence under your full control.

    As for DNS it seems they have hardwired their own recursive resolvers in the "firewall" and hence, as long as you don't use another resolver it works fine.

    As for rdp I can't help you as I don't use those toys; as for ftp I'd suggest to put this off until everything else works fine as ftp is a troublemaker, particularly with a stateless firewall and if you want to support both passive and active mode.

    Assuming you are running linux on your server I'd strongly suggest to use the firewall of linux. In case you don't know a lot about firewalls there are quite some useful GUI based utilities out there that make it easier to generate the rulesets you need.

    @Hetzner

    Stop that crap that just adds complexity. Rather offer a simple services-based firewall GUI. Something where clients can click something like "I want a web server, an email server and of course ssh" and then your script does the "magic".
    The way you do it is the worst of compromises. It doesn't give the client any real power and doesn't make it easy for newbies.

    Thanked by 1myhken
  • Falzo said: are the additional IPs really that close in the same subnet to the main IP?

    Yea, they are of the failover type, so not in any one subnet.
    Three of them have xxx.xxx.xxx the same, and the rest have xxx.xxx the same.
    Just got rid of my /28 subnet with them, since I'm not running so many VMs on my server.

  • Can anything be done to add multiple source ips in one rule?
