Any Ubiquiti Unifi users? - Questions on zone firewall policies
I'd normally post this on reddit...but I thought I'd give the Tildes Tech Support Team a try.
I have a Ubiquiti Unifi Cloud Gateway Ultra and I'm trying to better understand zone firewall management and VLANs and all that.
I'll start with a screenshot. I'm only changing the two settings highlighted in red.
I'm trying to understand the difference between two firewall policy settings:
Action = AllowONLY, ANDConnection State = Return TrafficAction = AllowANDAuto Allow Return Traffic checked, ANDConnection State = All
I have two VLANs -- "Internal" and "Lab." Each is in their own policy zone, also called "Internal" and "Lab." The "Internal" VLAN does not have the "Isolate Network" option checked, but "Lab" does.
What I want is devices in "Internal" able to initiate and maintain connections with devices in "Lab." But I don't want devices in "Lab" able to initiate connections to devices in "Internal."
With Policy 1, "Internal" can't reach "Lab" nor vice versa. Hmm.
With Policy 2, "Internal" can ping and SSH into devices in "Lab," but not the other way around. Perfect; that's what I want.
And now my question(s): What is the difference between these two policies? To me, they look the same. But clearly the end results say they're not. So what's actually going on here? Additionally, assuming I could get Policy 1 to do what I want, is Policy 2 more vulnerable from a cybersecurity perspective than Policy 1?
If it helps, here's a screenshot of my zone matrix, with focus on source "Internal" and destination "Lab."
Thanks!
This is my distant, and possibly wrong, understanding of the potential difference based on what I've been able to find online (unifi forums, etc) mixed with some of my existing knowledge:
IMO (unless I'm way off base) the way these settings are designed and worded (as "return" seems to denote two different things) seems to be a bit poor, leading to really confusing conflicting states like this
Also appears that bugs with rule ordering and such have caused weird behavior: https://community.ui.com/questions/Network-Isolation-Traffic-Rule/4405252c-8883-4549-8df3-0ab5882759c1?page=2
Huh, the person in that reddit thread seemed to have the opposite issue of me.
Auto Allow Return Trafficchecked didn't work, but using theConnection State = Return Traffic, did for them. Interesting. Maybe that was just a bug in the system. It must've been fixed since.Anyway, both links were very informative and helped me understand what's going on here. I think.
I'm not sure the has anything to do with Network Isolation. That's because, generally speaking, new zones -- Such as Lab -- are by default blocked from communication with other zones. I did try turning off Network Isolation on Lab and nothing changed and running both Policies 1 and 2, and nothing changed
What was key to all this was this comment from u/powerstream:
As such, that means that the "Connection States" are only ever applied to traffic originating from a source. You're right that
Return Trafficis a bit of a misnomer. At least in this case where Internal is the originating zone. The tooltip for that option says it's the same as selectingCustomand then checking bothEstablishedandRelated.Starting with Policy 1, I created a rule in Lab -> Internal that's
Action = AllowandConnection State = Return Traffic.That only affects (in this case, allows) traffic originating outside of Lab.Then in the Internal -> Lab zone, I started playing with the original rule, particularly the Connection State. And then I started pinging from my local computer in Internal to my VM in Lab.
With
Connection State = New, only the first ping in the sequence was successful, because that was a new connection. All other pings in the sequence are nowEstablishedbut those aren't explicitly allowed.With
Connection State = New && Established, now the full ping sequence happens. The first ping isNewbut the rest of the pings are via anEstablishedconnection. I can let the pings go on forever.With
Connection State = Established, provided I didn't stop the previous ping, the ping will go on forever. But if I stop the ping and start a new ping, then it won't work. Because now the first ping isNewand blocked and the connection is neverEstablished.Relatedis the only one I don't understand (Well,Invalid, sorta, but I don't know its use case).All that to say, thanks for pointing me in the right direction! Your explanation plus others' on Reddit and the official Unifi forums helped to explain how this works.
Sure! Also thanks for replying with these findings after the fact! This stuff always gets mega confusing haha :)
Another note: for related/invalid, Unifi lists it like this:
I believe, in practice, related, means if it can tell the "new" connection is somehow related to an established connection. As a crude example: you start an FTP connection to a server, and a "new" connection happens for the data transfer after authorizing/establishing the FTP connection- this new connection for the transfer itself is related to the existing open FTP connection.
Someone online described invalid as being packets caught in a weird state, whether odd / malformed / stale / associated with now-closed connections- basically traffic that doesn't match any of the other states, and can both be malicious and non-malicious:
The youtuber SpaceRex put out a video on the new Zone Firewall rules. Maybe it will help:
https://www.youtube.com/watch?v=oetH1_0LSmo
Disclaimer: I haven't watched it.
Thanks for sharing. I watched the whole thing, but unfortunately he doesn't go into great depth with the various options. But it was good foundational info nonetheless. Good timing, too!
As an aside, I've noticed Tildes has a surprisingly incredible breadth for advice given our fairly small population.
Thanks everyone!
More of a question than an answer...
Admittedly, I'm not a networking professional, but know enough to poke through pfSense / OPNsense and set up basic rules. I didn't realize that such a setup would be possible. In order to establish a two-way connection (which SSH would be, right?), wouldn't both zones have to allow bidirectional traffic?
If the above is true, does the "Auto Allow Return Traffic" create some sort of dynamic exception? Kind of like how UPnP can open ports dynamically?
Correct, both zones need to allow traffic in either direction, but with only one side able to initiate that connection.
Each rule in Unifi handles direction in one way (see my other comments in this thread). So that's why the "Auto Allow Return Traffic" has to be checked, which automatically creates the allow return traffic rule in the corresponding zone. Or if not checked, then a rule in the "reverse" zone has to be manually created to allow that return traffic.
I can't really answer the UPnP portion, since I don't know enough about UPnP. But it seems like Yes? I can restrict the ports and protocols if I want. I can even say specific devices that I want connections from and/or to. But provided whatever combination of devices and type of service I'm trying to run matches with a rule (or doesn't match a rule), then a connection can be made and return traffic will flow.
In my example, I was using SSH and just pings (ICMP). But I could've run FTP. Or port 80 web traffic. Or whatever, because I didn't set specific ports/protocols to allow or exempt. In that sense, I guess it is dynamic.
I re-read your other comment and can see you were able to accomplish this with "connection states." To append to what you shared, I found an article on connection states in pfsense. These paragraphs seem to relate to what you're doing (but again, is related to how it's handled in pfsense, not necessarily in UniFi):
I'm sure the implementation details for how the firewall software establishes this state is quite complex, but it's interesting how they call out protocol as an identifier, then say that it's smart enough to group "related traffic."