
Understanding IN, OUT, and LOCAL in Ubiquiti EdgeRouter and Unifi Firewall ACLs

EdgeRouter and Unifi routers are built on Linux with Netfilter/iptables, which gives them considerably more flexibility than routing platforms based on proprietary operating systems.

Understanding where in the netfilter stack each rule direction is applied is important for building an effective firewall.

IN and OUT Target Direction

IN and OUT rule-sets apply only to routed traffic: packets passing through the router, not packets originating from or addressed to the router itself.

IN rule-sets are evaluated first and are the direction to use when controlling what traffic arriving on an interface is allowed to do.

For example, to prevent your GUEST network (eth2, 172.16.1.0/24) from communicating with your LAN (eth1, 192.168.1.0/24)…

set firewall name GUEST-IN rule 10 action drop
set firewall name GUEST-IN rule 10 description 'Drop traffic from GUEST to LAN'
set firewall name GUEST-IN rule 10 log disable
set firewall name GUEST-IN rule 10 protocol all
set firewall name GUEST-IN rule 10 source address 172.16.1.0/24
set firewall name GUEST-IN rule 10 destination address 192.168.1.0/24
set interfaces ethernet eth2 firewall in name GUEST-IN

Note that a rule-set's default-action is drop unless you set it otherwise, so with only this rule attached, everything else from GUEST (Internet-bound traffic included) is dropped as well. Set the rule-set's default-action to accept, or add explicit accept rules, if that is not what you want.

Basically, you want to act on packets as early in the stack as possible.

OUT rule-sets work the same way as IN rule-sets but are evaluated after them. Both live in the netfilter FORWARD chain; the difference is only which interface the match is keyed on: an IN rule-set is attached to the interface a packet arrives on, an OUT rule-set to the interface it leaves by. A packet accepted by GUEST-IN on eth2 can therefore still be dropped by an OUT rule-set attached to eth1.

LOCAL Target Direction

LOCAL rule-sets control traffic addressed to the router itself (its SSH daemon, for example) and have no effect on routed traffic.

For example, to restrict SSH access to the router from the WAN (eth0)…

set firewall name WAN-LOCAL rule 10 action drop
set firewall name WAN-LOCAL rule 10 description 'Drop SSH connections from WAN'
set firewall name WAN-LOCAL rule 10 log disable
set firewall name WAN-LOCAL rule 10 protocol tcp
set firewall name WAN-LOCAL rule 10 destination port 22
set interfaces ethernet eth0 firewall local name WAN-LOCAL

The direction matters: attaching the same rule-set with firewall in would put it in the FORWARD chain, where it never sees packets addressed to the router, and SSH would stay reachable. The default-action caveat applies here too: with no default-action set, nothing else from the WAN reaches the router either, which is usually what you want on a WAN interface as long as you add a rule accepting established and related traffic ahead of the drops.

LOCAL rule-sets are attached to the netfilter INPUT chain. There is no CLI direction for the netfilter OUTPUT chain (traffic the router itself originates); the only way to filter that is to insert rules directly with iptables, and those rules are not part of the saved configuration, so you have to re-apply them yourself.
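To make the three hook points concrete, here is a small Python model of the behaviour described in both sections above. It is an added illustration, not EdgeOS code and not a reproduction of the real iptables layout: it models only what the text states, namely that IN and OUT rule-sets are evaluated in FORWARD (IN on the ingress interface, then OUT on the egress interface), LOCAL in INPUT, and that router-originated traffic in OUTPUT passes no rule-set at all. The interface names, addresses, routing table and packets are constructed, the rule-set name WAN-LOCAL is assumed, and the model's default action of drop mirrors what EdgeOS uses when default-action is left unset.

```python
"""Toy model of where EdgeOS IN, OUT and LOCAL rule-sets hang in netfilter.

Added illustration for this post, not EdgeOS code. Topology, addresses,
routes and packets below are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    protocol: str = "all"              # like `protocol`
    source: Optional[str] = None       # CIDR, like `source address`
    destination: Optional[str] = None  # CIDR, like `destination address`
    dport: Optional[int] = None        # like `destination port`

    def matches(self, pkt: dict) -> bool:
        if self.protocol != "all" and self.protocol != pkt["proto"]:
            return False
        if self.source and ip_address(pkt["src"]) not in ip_network(self.source):
            return False
        if self.destination and ip_address(pkt["dst"]) not in ip_network(self.destination):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class RuleSet:
    name: str
    rules: list = field(default_factory=list)
    default_action: str = "drop"       # EdgeOS default when `default-action` is not set

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:        # first match wins, as in iptables
            if rule.matches(pkt):
                return rule.action
        return self.default_action


# Constructed topology: eth0 = WAN, eth1 = LAN, eth2 = GUEST (as in the post).
ROUTER_ADDRS = {"eth0": "203.0.113.2", "eth1": "192.168.1.1", "eth2": "172.16.1.1"}
ROUTES = {"192.168.1.0/24": "eth1", "172.16.1.0/24": "eth2", "0.0.0.0/0": "eth0"}


def egress_interface(dst: str) -> str:
    """Longest-prefix match over the constructed routing table."""
    best = max((ip_network(n) for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def filter_packet(pkt: dict, attached: dict):
    """Run one packet through the netfilter hook its path hits.

    pkt: in_iface (None when the router originated it), src, dst, proto, dport.
    attached: {(interface, "in"|"out"|"local"): RuleSet}, i.e. the effect of
    `set interfaces ethernet ethX firewall <direction> name <RULESET>`.
    Returns (hook, [(ruleset name, verdict), ...], final verdict).
    """
    trace = []
    if pkt["in_iface"] is None:                      # OUTPUT: nothing can be attached here
        return "OUTPUT", trace, "accept"
    if pkt["dst"] in ROUTER_ADDRS.values():          # INPUT: only the LOCAL rule-set sees it
        rs = attached.get((pkt["in_iface"], "local"))
        if rs is None:
            return "INPUT", trace, "accept"
        verdict = rs.verdict(pkt)
        trace.append((rs.name, verdict))
        return "INPUT", trace, verdict
    # FORWARD: IN on the ingress interface first, then OUT on the egress interface.
    for key in ((pkt["in_iface"], "in"), (egress_interface(pkt["dst"]), "out")):
        rs = attached.get(key)
        if rs is None:
            continue
        verdict = rs.verdict(pkt)
        trace.append((rs.name, verdict))
        if verdict == "drop":
            return "FORWARD", trace, "drop"
    return "FORWARD", trace, "accept"


# The two rule-sets from the post, with default-action set to accept explicitly.
GUEST_IN = RuleSet("GUEST-IN", [Rule("drop", source="172.16.1.0/24",
                                     destination="192.168.1.0/24")], "accept")
WAN_LOCAL = RuleSet("WAN-LOCAL", [Rule("drop", protocol="tcp", dport=22)], "accept")
ATTACHED = {("eth2", "in"): GUEST_IN, ("eth0", "local"): WAN_LOCAL}

# Same GUEST-IN rule, but with default-action left unset (so: drop).
ATTACHED_FORGOT_DEFAULT = {("eth2", "in"): RuleSet("GUEST-IN", GUEST_IN.rules)}

# Constructed packets.
PACKETS = {
    "guest_to_lan":      {"in_iface": "eth2", "src": "172.16.1.10", "dst": "192.168.1.20", "proto": "tcp", "dport": 445},
    "guest_to_internet": {"in_iface": "eth2", "src": "172.16.1.10", "dst": "198.51.100.7", "proto": "udp", "dport": 53},
    "wan_ssh_to_router": {"in_iface": "eth0", "src": "198.51.100.9", "dst": "203.0.113.2", "proto": "tcp", "dport": 22},
    "wan_ssh_forwarded": {"in_iface": "eth0", "src": "198.51.100.9", "dst": "192.168.1.20", "proto": "tcp", "dport": 22},
    "router_originated": {"in_iface": None,   "src": "203.0.113.2", "dst": "198.51.100.7", "proto": "udp", "dport": 123},
}


def demo(attached=ATTACHED) -> dict:
    return {name: filter_packet(pkt, attached) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, (hook, trace, verdict) in demo().items():
        print(f"{name:18} {hook:8} {trace} -> {verdict}")
    print("default-action unset:", filter_packet(PACKETS["guest_to_internet"], ATTACHED_FORGOT_DEFAULT))
```

Running it shows the GUEST-to-LAN packet dying in GUEST-IN, while the GUEST-to-Internet packet gets through only because GUEST-IN's default action is accept; the last line shows the same rule with the default left unset dropping the Internet-bound packet too. The SSH packet addressed to the router hits WAN-LOCAL in INPUT, whereas an SSH packet being forwarded to a LAN host never touches it, which is exactly why a LOCAL rule-set cannot protect hosts behind the router and an IN rule-set cannot protect the router itself.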

‘Official’ Documents Fraud: “Records Division” dmpoptout.com, Direct Mail Processing LLC

Got an interesting bit of mail today, pretending to be 'time sensitive', 'second notice', 'important documents':

The Envelope

The sender is 'Records Division', P.O. Box 2910, Kennesaw, GA 30156-9843.

Inside, there was a document labeled ‘T-2’ and titled ‘2020 Benefit Information For Idaho Citizens Only’.

The Insert Meant To Look Like A Tax Document

Looks an awful lot like an IRS or state tax document, right?

Of course, after all of the official looking (but fake) text, they include ‘Not affiliated with or endorsed by any government agency.’ in small letters.

There’s also a web address, dmpoptout.com.

Where To Send It To

This fake ‘tax’ document is supposed to be mailed back to Direct Mail Processing, LLC P.O. Box 100080, Kennesaw, GA 30156-9912.

A quick Google search for dmpoptout.com brings up some interesting background on this company. ScamPulse in particular has some interesting reports, most of them about misleading mailings targeting elderly victims.

dmpoptout.com makes the dubious claim that it is not involved with the scam mailings it handles:

Their Website Claims

Protect yourself and your friends and family by making sure they can recognize these scams. As always, if you believe you have been the victim of a scam, contact your state’s consumer protection agency.

Installing The Unifi Controller On Debian Buster

Here's what you need to do to run the Unifi Controller on Debian Buster:

Add the following to /etc/apt/sources.list:

deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main

Do:

wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | apt-key add -

(Thanks to u/theinvisibleman_ for the key update info in his post here.)

Grab:

http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb
http://security.debian.org/debian-security/pool/updates/main/o/openjdk-8/openjdk-8-jre-headless_8u232-b09-1~deb9u1_amd64.deb

Install both with:

dpkg -i <package deb file>

Then:

 apt-get update

And install the mongodb packages:

 apt-get install mongodb-org-server mongodb-org-tools mongodb-org-shell

That should give you everything you need to install the controller .deb.

Bear in mind that the two .deb files installed by hand come from older Debian releases and apt will not upgrade them, so you are responsible for tracking security fixes for openssl 1.0 and openjdk-8 yourself.

If I missed any dependencies, let me know; I threw this together after the fact and may have forgotten something.

IODD 2531 – The Better Way To Do USB Boot Media

I’ve had one of the IODD USB storage devices for a while – specifically the IODD 2531.

It's a great little device: an external USB enclosure with a display that lets you select ISO images to 'insert' into a virtual USB CD-ROM drive. It can also emulate a USB floppy disk drive.

Since it doesn't come with a hard drive included, you can put in your own 2.5-inch SATA drive. I used an old 120GB SSD, which makes for extremely fast installs of Windows, Linux, etc.