
Firewall

2022-09-16

Please ensure that the machine running opFlow has a clear path for NetFlow traffic (udp/9995) from the remote exporting device. This means checking any dedicated firewalls and router access-control lists along the path, as well as the local firewall on the opFlow machine itself.

The following output shows that the firewall on our Main-Primary host has been disabled: every chain has an ACCEPT policy and none of them contains any rules. This machine will not have local firewall issues because no rule set is loaded.

Code Block: main-primary cli
root@Main-Primary:~# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@Main-Primary:~#

In the following example output the machine running opFlow is having trouble receiving NetFlow traffic. Running the same command on this machine returns the following:

Code Block: opFlow vm cli
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
5719K 2896M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   11   628 ACCEPT     tcp  --  any    any     10.10.0.0/16         anywhere             tcp dpt:ssh
   32  2788 ACCEPT     tcp  --  any    any     10.11.0.0/16         anywhere             tcp dpt:ssh
   30  1560 ACCEPT     tcp  --  any    any     10.12.0.0/16         anywhere             tcp dpt:ssh
15156 1273K ACCEPT     icmp --  any    any     10.15.0.0/16         anywhere             icmp echo-request
 3232  295K ACCEPT     udp  --  any    any     10.15.0.0/16         anywhere             udp dpt:snmp
 281K  326M ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:italk
 5215  271K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
 7504  402K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:hbci
28636 1718K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:30017
2767K 3164M LOGGING    all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 62723 packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         
6001K 3193M ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
51210   58M LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "IPTables: Connection Blocked"
2767K 3164M DROP       all  --  any    any     anywhere             anywhere            

Looking down the rules of "Chain INPUT", there is no rule for "udp dpt:9995" (the troubleshooting entries below refer to this port). udp/9995 is the port the NetFlow exporters send to, and because no rule ACCEPTs it (third column, "target"), a NetFlow packet falls through to the last rule, which jumps to the LOGGING chain. There it is logged with the prefix "IPTables: Connection Blocked" to /var/log/syslog or /var/log/messages (rate-limited to 3 entries per minute, so the log undercounts) and then DROPped. Note that the first rule, which ACCEPTs RELATED,ESTABLISHED traffic, does not help here: NetFlow is unsolicited UDP sent by the exporter, so every datagram is a NEW connection as far as connection tracking is concerned. Note also that plain iptables -L resolves port numbers to names from /etc/services (italk and hbci above are such names); run iptables -L -v -n to see numeric ports and addresses so the port you are looking for cannot hide behind an unfamiliar service name.
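To make the rule walk above repeatable, the following added example (not part of the opFlow page or product) decides whether an unsolicited UDP datagram to a given port from a given exporter would be accepted by the INPUT chain of an iptables-save dump. It is a hypothetical helper that interprets only -p, --dport, -s, --state/--ctstate and -j, so negated matches, port ranges and interface matches are not modelled; the dump it runs against is constructed to mirror the opFlow VM listing, with service names written numerically as iptables-save does.

```shell
#!/bin/sh
# Added example (not from the opFlow page): decide whether an unsolicited UDP datagram
# to PORT would reach a listener through the INPUT chain of an iptables-save dump.
# Hypothetical helper; it only interprets -p, --dport, -s, --state/--ctstate and -j,
# so rules using negation, port ranges, interfaces or other matches are not modelled.
#
# usage: udp_verdict PORT [EXPORTER_IP] < dump   -> prints ACCEPT, DROP or REJECT
udp_verdict() {
    awk -v port="$1" -v src="${2:-}" '
    # IPv4 helpers: compare the network part of an address with a CIDR prefix
    function ip2int(a,   p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function in_cidr(ip, cidr,   q, bits) {
        if (ip == "") return 0               # no exporter given: treat -s rules as non-matching
        split(cidr, q, "/"); bits = (q[2] == "") ? 32 : q[2] + 0
        return int(ip2int(ip) / 2^(32-bits)) == int(ip2int(q[1]) / 2^(32-bits))
    }
    # Would this rule match a NEW udp packet to port from src?
    function matches(r,   w, nw, i, proto, dport, s) {
        nw = split(r, w, " "); proto = ""; dport = ""; s = ""
        for (i = 1; i <= nw; i++) {
            if (w[i] == "-p") proto = w[i+1]
            else if (w[i] == "--dport") dport = w[i+1]
            else if (w[i] == "-s") s = w[i+1]
            else if (w[i] == "--state" || w[i] == "--ctstate") {
                if (w[i+1] !~ /NEW/) return 0  # RELATED,ESTABLISHED never matches an unsolicited flow
            }
        }
        if (proto != "" && proto != "udp") return 0
        if (dport != "" && dport != port) return 0
        if (s != "" && !in_cidr(src, s)) return 0
        return 1
    }
    function target(r,   w, nw, i) {
        nw = split(r, w, " ")
        for (i = 1; i <= nw; i++) if (w[i] == "-j") return w[i+1]
        return ""                             # counting-only rule: keep going
    }
    # Walk a chain in rule order; a user chain returns "" (fall through) when nothing decides
    function walk(chain,   i, v) {
        for (i = 1; i <= n[chain]; i++) {
            if (!matches(rule[chain, i])) continue
            v = target(rule[chain, i])
            if (v == "ACCEPT" || v == "DROP" || v == "REJECT") return v
            if (v == "RETURN") break
            if (v in policy) { v = walk(v); if (v != "") return v }   # jump into a user chain
            # LOG (and any other non-terminating target) falls through to the next rule
        }
        return (policy[chain] == "-") ? "" : policy[chain]
    }
    /^:/   { sub(/^:/, ""); policy[$1] = $2 }   # ":INPUT DROP [0:0]" -> chain policy
    /^-A / { n[$2]++; rule[$2, n[$2]] = $0 }     # rules, in the order the kernel walks them
    END    { print walk("INPUT") }'
}

# Constructed dump modelled on the opFlow VM listing above: INPUT drops by default, the
# last rule hands everything unmatched to LOGGING, which logs (rate limited) and then DROPs.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.15.0.0/16 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 10.15.0.0/16 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 12345 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A LOGGING -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "IPTables: Connection Blocked"
-A LOGGING -j DROP
COMMIT
EOF
}

# On a live host run:  iptables-save | udp_verdict 9995 <exporter-ip>
for p in 9995 12345; do
    printf 'udp/%s from 10.15.1.2: %s\n' "$p" "$(sample_dump | udp_verdict "$p" 10.15.1.2)"
done
```

Against the constructed dump, udp/9995 ends in DROP (it matches nothing before the jump to LOGGING, whose final rule drops), while udp/12345 is accepted and udp/161 is accepted only when the exporter address falls inside 10.15.0.0/16. Passing the exporter address matters: without it, source-restricted rules are conservatively treated as not matching.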

There are multiple packages used on Linux to manage the local firewall (iptables, nftables, firewalld and ufw among them), and the rules shown above may have been generated by any of them. You will need to contact your administrator or vendor for assistance in altering the rules to fix this issue.

If you do decide to proceed on your own we can take no responsibility for the following troubleshooting steps as we do not know your specific security exposure or procedures.

NOTE

DANGER: PRIOR TO FIREWALL TROUBLESHOOTING

The following instructions show you how to disable the Linux firewall. We don't recommend proceeding without the administrators and network techs understanding their level of exposure prior to moving forward.

This method will disable the firewall until the machine is restarted, assuming the rule set is reloaded at boot by whatever persistence mechanism the distribution uses.

Temporarily Disabling the Linux Firewall

...

iptables -F

If you proceed with this step the local firewall rules will have been removed. Be aware that iptables -F only flushes the rules; each chain keeps its policy. On a host whose INPUT policy is DROP, as in the opFlow VM output above, a bare flush therefore blocks all inbound traffic, including the SSH session you are working from, so set the INPUT policy to ACCEPT before flushing in that case. Reboot the machine after troubleshooting to restore the firewall into service (this only works if the saved rule set is reloaded at boot).
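As an added example (not from the opFlow page or product), the following shell functions show the two safer alternatives to a bare flush: a narrowly scoped, idempotent ACCEPT for NetFlow from one exporter, inserted ahead of the catch-all jump to LOGGING, and a flush that sets the built-in chain policies to ACCEPT first so that a DROP policy cannot lock you out. The function names and the IPTABLES override variable are hypothetical; the override exists so the functions can be exercised with a stub instead of the live firewall.

```shell
#!/bin/sh
# Added example, not from the opFlow page: open only what the collector needs, and make
# any flush survivable. IPTABLES is a hypothetical override so the functions can be
# exercised with a stub function instead of touching the live firewall.
IPTABLES="${IPTABLES:-iptables}"

# Insert a narrowly scoped ACCEPT for NetFlow from one exporter at position 1 of INPUT,
# i.e. ahead of the "-j LOGGING" catch-all. "-C" returns non-zero when the rule is absent,
# which keeps repeated calls from stacking duplicate rules. Nothing is persisted: the next
# reload of the saved rule set (typically at boot) removes it again.
allow_netflow_from() {   # usage: allow_netflow_from EXPORTER_IP [PORT]
    port="${2:-9995}"
    if "$IPTABLES" -C INPUT -s "$1" -p udp --dport "$port" -j ACCEPT 2>/dev/null; then
        return 0         # already present
    fi
    "$IPTABLES" -I INPUT 1 -s "$1" -p udp --dport "$port" -j ACCEPT
}

# Remove the temporary rule once the missing flows have been confirmed on the dashboard.
revoke_netflow_from() {  # usage: revoke_netflow_from EXPORTER_IP [PORT]
    "$IPTABLES" -D INPUT -s "$1" -p udp --dport "${2:-9995}" -j ACCEPT
}

# "iptables -F" deletes rules but leaves each chain's policy in place. On a host whose
# INPUT policy is DROP (as in the opFlow VM listing above) that blocks every inbound
# packet, SSH included. Setting the built-in policies to ACCEPT first makes the flush
# behave the way the page describes: fully open until the saved rules are reloaded.
disable_firewall_until_reload() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
    "$IPTABLES" -F
}

# Typical use on the collector, as root:
#   allow_netflow_from 10.15.1.2        # exporter address is an assumed example
#   ... confirm flows arrive, then ...
#   revoke_netflow_from 10.15.1.2
```

Prefer allow_netflow_from over the flush: it exposes one UDP port to one exporter and can be checked with iptables -L -v -n (the new rule sits at the top of INPUT with its own packet counter, so you can see NetFlow arriving). Use disable_firewall_until_reload only when the whole rule set is genuinely suspect.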

opFlow Dashboard is Bare (graphs show no data)

...