I’ve found what I consider a vulnerability with the default setup of Destination NAT as documented by Ubiquiti. A lot of people just follow the setup guides without really thinking about how they work. There are several YouTube videos that seem to follow this setup guide, and if you follow it exactly as it’s written you open up your firewall to whatever port you are trying to open externally. Here’s the link to the document:
And here’s a link to a video I did that shows how the vulnerability works:
This is not a plug for my YouTube channel, but I can see how someone might think it is.
OK, so in the instructions you need to configure one firewall rule and two Destination NAT rules. It is the firewall rule that I am most concerned about. Let’s say that I substitute TCP port 443 with, say, TCP/UDP port 3389 (RDP). The instructions state that I should create a new rule in the WAN_IN ruleset, that the rule should allow whatever port I want to open as the Destination Port, set the basic setting to accept, set the protocol (in this case TCP and UDP), and then nothing else. Without any further restrictions you’ve just allowed any computer that can point its gateway address to your WAN IP address access to any system on the internal network or networks over the port that was opened. Of course, in my example I was using RDP, so only Windows systems are affected, but you may not want just anyone snooping around your Exchange server.

Of course, to make this work you are going to need to know the internal IP addresses, and when you make the connection you are going to use the internal IP of the device behind the firewall. But I’m guessing the internal subnet wouldn’t be too hard to guess. So if I were going to create this firewall rule, I would probably limit the connections to just the internal IP addresses or address group that are supposed to have that service reachable from the outside. I’m sure some of the more experienced users are probably like “No duh!”, but there are probably thousands of other users who just follow what’s written and, when it works, don’t think twice about it.
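To make the difference concrete, here is the WAN_IN rule as the guide describes it next to a tightened version that only accepts traffic toward the host the DNAT rule actually forwards to. This is an added example, not configuration from the original post or from Ubiquiti’s guide; it uses standard EdgeOS `set` syntax, and the interface name (eth0), the inside host (192.168.1.10), the address-group name (RDP_HOSTS) and the rule numbers are assumed placeholders.

```text
# Added example (not from the original post or Ubiquiti's guide).
# Assumed: WAN on eth0, one inside host 192.168.1.10 terminating RDP,
# firewall rule 20, NAT rule 1. Apply ONE of the two rule-20 variants.

# --- Variant A, as the guide has it: port match only ---
set firewall name WAN_IN rule 20 description 'RDP (over-permissive)'
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp_udp
set firewall name WAN_IN rule 20 destination port 3389
# No destination address: 3389 is accepted toward every internal host.

# --- Variant B, tightened: accept only toward the published host(s) ---
set firewall group address-group RDP_HOSTS description 'Hosts reachable on 3389 from WAN'
set firewall group address-group RDP_HOSTS address 192.168.1.10
set firewall name WAN_IN rule 20 description 'RDP to RDP_HOSTS only'
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 protocol tcp_udp
set firewall name WAN_IN rule 20 destination port 3389
set firewall name WAN_IN rule 20 destination group address-group RDP_HOSTS

# --- The matching DNAT rule; inside-address must be a member of RDP_HOSTS ---
set service nat rule 1 type destination
set service nat rule 1 description 'Forward RDP'
set service nat rule 1 inbound-interface eth0
set service nat rule 1 protocol tcp_udp
set service nat rule 1 destination port 3389
set service nat rule 1 inside-address address 192.168.1.10

commit
save
```

Variant B works because EdgeOS applies destination NAT before the WAN_IN ruleset is evaluated, so the firewall sees the already-translated inside address; constraining the destination to the address group means the accept only ever covers hosts you deliberately listed, and the group doubles as documentation of what is exposed. After committing, `show firewall name WAN_IN` confirms the destination constraint is part of the active rule.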