With NO Firewall, Malicious Events Reduce by 26X! Why?

41
4
NAS
DS220J, DS420J
Operating system
  1. Windows
Mobile operating system
  1. Android
2600 Router, SRM 1.3.1

When I turn off or disable the router's Firewall, the Malicious Events drop by 26X! Why?
This investigation started when I noticed a significant increase in Malicious Events when I add Firewall rules to block all countries except the U.S.
The ME graph below shows a sequence of Firewall rules starting with

1) NO Country blocks,

2) BLOCK ALL

3) COUNTRIES BUT the U.S.,

4) NO COUNTRY BLOCKS, and finally,

5) FIREWALL DISABLED.

The last step, 5, emphasizes the significance of the Firewall's relationship with Malicious Events.
I counted the ME for the 8 hours before and 8 hours after NO FIREWALL, shown as the last section in the graph below.
131 MEs with Firewall and 5 Events without Firewall. A 26X reduction.
Is there a problem with the security design of this router?
 

Attachments

  • me events no firewall.jpg
    me events no firewall.jpg
    76.4 KB · Views: 29
2600 Router, SRM 1.3.1

When I turn off or disable the router's Firewall, the Malicious Events drop by 26X! Why?
This investigation started when I noticed a significant increase in Malicious Events when I add Firewall rules to block all countries except the U.S.

Is there a problem with the security design of this router?
You've turned the firewall off and are suprised that this results in fewer events being triggered....??

If you add a firewall rule - eg block a list of countries - then this will result in more 'events' (ie firewall blocks) as traffic from those blocked countries hits the firewall and triggers the rule.

If you reduce the number of rules - or turn the firewall off completely - then you wont get as many (any?) events because there are no rules being triggered.

Makes sense?
 
Upvote 0
Last edited:
I'm not referring to Firewall Denys or hits. I'm referring to Threat Protection Drops or Events of Malicious Events.
Would not a Firewall rule significantly reducing the number of IP events also reduce the Malicious Events seen by Threat Protection?
For example, with Firewall set for "all countries blocks except U.S.", I get 4000 Denied and 1500 through. The 1500 through events are U.S.
Yet the Threat Protection Malicious Events increases by 26X above that with no Firewall enabled at all.
If I disable the Firewall, the Malicious Events reported by Threat Protection drop to a trickle.
The Firewall rules are attached when it is enabled and I get the increase in Malicious events.
-- post merged: --

You've turned the firewall off and are suprised that this results in fewer events being triggered....??

If you add a firewall rule - eg block a list of countries - then this will result in more 'events' (ie firewall blocks) as traffic from those blocked countries hits the firewall and triggers the rule.

If you reduce the number of rules - or turn the firewall off completely - then you wont get as many (any?) events because there are no rules being triggered.

Makes sense?
NO. You misunderstand. I dont understand why Threat Protection reports a significant Malicious Events decrease when I turn off the Firewall. Not Firewall hits but Threat Protection Events.
 

Attachments

  • firewall.jpg
    firewall.jpg
    33.4 KB · Views: 22
Upvote 0
None of your rules or any other detail of your LAN was in your OP above; it makes it difficult to help you when we don't get a full picture of your setup and you then drip feed key details only after people have offered suggestions.

What's your LAN / WAN topology? For example, are you behind a NAT'd router?
If you are this means that in their default state, only outgoing and established return connections are permitted by most NAT'd routers. In this case, rule #3 of your firewall (i'm assuming its for IN traffic) would circumvent this and allow ANY IP FROM THE USA into your router. Which in turn would trigger TP alerts. (Note: I'm not saying this is your setup; its an example of a scenario that would cause you to get the TP issues you're seeing).

More generally, what are you trying to accomplish with your FW rules as posted above? Are you really intending to allow any US IP into your router?? What is rule #2 about?
 
Upvote 0
I posted the Firewall Rules here. Simple Firewall rules to block all countries but the U.S. Results in about 75% firewall denial of packets to my router with Rest-of-World blocked. One would think that a significant reduction would reduce the threat noise needed to be handled by Threat Prevention.
I have a Synology 2600 connected to a cable modem from ISP providing 200 Mbps service. Simple home 1Gb LAN. No servers to the outside world, no nothing, just a simple home network using the browser from my laptop.

The issue is not Firewall, but Threat Prevention. Why is Threat Prevention reporting so many Malicious Events when the Firewall is reducing by 75% the packets and the threat noise that reaches Threat Prevention?

Further and most shocking is that if I disable the Firewall completely. With no Firewall monitoring at all, the Threat Prevention Malicious events drop to a trickle, about 26X less than when the Firewall was turned on. Just not making any sense right now.
 

Attachments

  • firewall.jpg
    firewall.jpg
    33.4 KB · Views: 20
Upvote 0
In SRM there is no way to switch off the firewall. But you can configure it with no additional rules and then set the bottom four [inbound] rules to either block or allow: setting blocked will stop Internet connections to the router and so stop TP processing them (processing is NAT -> firewall -> TP). However, this still allows internal devices to initiate connections to the Internet, and TP will process these. From this you can infer that the firewall’s final, hidden rule is to allow connections.
 
Upvote 0
When I turn off all the Firewall Rules, Malicious Events drop to almost nothing. When I turn on the Firewall rules, that block 70% of non-U.S. traffic, the Malicious Events Skyrocket.
The box at the bottom of the Firewall, to allow all traffic that matches no rules, when ticked to Allow, turns off the Firewall completely but I have not done that. Only turned off all the Firewall rules and when I do, Malicious events drop to nothing.
 
Upvote 0
When the bottom four rules are set to Allow then they permit the Internet to connect, when set to Deny then they block Internet inbound connections. This set of rules are only applied after the custom rules (top to bottom) are tested and no match is found. This is blocking the Internet inbound:

1668100022999.png


There is no equivalent set of rules aimed to control internal connections going to the Internet: internal devices are permitted access [Allow].


This probably makes no difference to your testing :)
 
Upvote 0
I wanted to chime in and say thanks @rkruz3 for raising this question, and @Fortran, @Telos, and @fredbert for fleshing it out. I just put a new RT6600ax online and was facing something similar. Thanks to this discussion walking me through my thinking, I found out just why TP was throwing so many alerts on my system. It was me! o_O

Like @rkruz3 I wanted to deny non-US based traffic. Unfortunately it appeared the only way to actually do that was to make a USA-allowed rule, implying the doing so denies all others. Uh… nope. That just overrides the default denials at the bottom under the chevrons. Basically, it lets all the US-based bad actors come to the party — who then have to be policed by the bouncer at the door (TP), who quite professionally logs each and every encounter and, because I enabled all email alerts, quickly tells me about each and every one, but no more often than every 10-minutes. Oh my. Oops. :oops:

I cleaned that up today and even though I can't explicitly set a single rule to deny all non-US traffic, then allow the router's basic rules below to handle the rest, I could set a rule to deny my "Top 15 Bad Actors". I set it for the Top 5 regions* that constitute about 90% of the felgercarb that annoying my system.

7
(new to Synology routers)

*Unfortunately, USA is one of the Top 5, but denying should break things. I am really intrigued by @rkruz3's "All Other Countries" rule and wonder how that works.
 
Upvote 0
even though I can't explicitly set a single rule to deny all non-US traffic, then allow the router's basic rules below to handle the rest, I could set a rule to deny my "Top 15 Bad Actors". I set it for the Top 5 regions* that constitute about 90% of the felgercarb that annoying my system.
You can allow US traffic, and deny all else. That effectively denies all non-US traffic, and is superior to blocking "the Top 5 regions".
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

I was able to implement vlan network segmentation overnight while I was in another state remotely...
Replies
8
Views
242
With SMTP servers if they are where your domain is resolving to for mail then you can’t really block which...
Replies
4
Views
1,048
All. One minute I can see where to post then I look away and its gone (ok down off the page under...
Replies
0
Views
916
OK. I don't bother with QuickConnect for my router, there's nothing running on it that others need to have...
Replies
6
Views
2,745

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Back
Top