With NO Firewall, Malicious Events Reduce by 26X! Why?

[rkruz3]

2600 Router, SRM 1.3.1

When I turn off or disable the router's Firewall, the Malicious Events drop by 26X! Why?
This investigation started when I noticed a significant increase in Malicious Events when I add Firewall rules to block all countries except the U.S.
The ME graph below shows a sequence of Firewall rules starting with

1) NO Country blocks,

2) BLOCK ALL

3) COUNTRIES BUT the U.S.,

4) NO COUNTRY BLOCKS, and finally,

5) FIREWALL DISABLED.

The last step, 5, emphasizes the significance of the Firewall's relationship with Malicious Events.
I counted the ME for the 8 hours before and 8 hours after NO FIREWALL, shown as the last section in the graph below.
131 MEs with Firewall and 5 Events without Firewall. A 26X reduction.
Is there a problem with the security design of this router?

 

[Deleted member 5784]

2600 Router, SRM 1.3.1

When I turn off or disable the router's Firewall, the Malicious Events drop by 26X! Why?
This investigation started when I noticed a significant increase in Malicious Events when I add Firewall rules to block all countries except the U.S.

Is there a problem with the security design of this router?

You've turned the firewall off and are suprised that this results in fewer events being triggered....??

If you add a firewall rule - eg block a list of countries - then this will result in more 'events' (ie firewall blocks) as traffic from those blocked countries hits the firewall and triggers the rule.

If you reduce the number of rules - or turn the firewall off completely - then you wont get as many (any?) events because there are no rules being triggered.

Makes sense?

 

[Telos]

Back story and here.

 

[Deleted member 5784]

Back story and here.

Getting a 404 on yr 1st link @Telos...regardless, unless there's something fundamental I'm not seeing here I've got to admit to being a little baffled by the premise of the original post...??

 

[Telos]

Getting a 404 on yr 1st link

@Fortran Apparently a community mod deleted it as it was basically a repost of the other one I linked.

 

[rkruz3]

I'm not referring to Firewall Denys or hits. I'm referring to Threat Protection Drops or Events of Malicious Events.
Would not a Firewall rule significantly reducing the number of IP events also reduce the Malicious Events seen by Threat Protection?
For example, with Firewall set for "all countries blocks except U.S.", I get 4000 Denied and 1500 through. The 1500 through events are U.S.
Yet the Threat Protection Malicious Events increases by 26X above that with no Firewall enabled at all.
If I disable the Firewall, the Malicious Events reported by Threat Protection drop to a trickle.
The Firewall rules are attached when it is enabled and I get the increase in Malicious events.

-- post merged: 9. Nov 2022 --

You've turned the firewall off and are suprised that this results in fewer events being triggered....??

If you add a firewall rule - eg block a list of countries - then this will result in more 'events' (ie firewall blocks) as traffic from those blocked countries hits the firewall and triggers the rule.

If you reduce the number of rules - or turn the firewall off completely - then you wont get as many (any?) events because there are no rules being triggered.

Makes sense?

NO. You misunderstand. I dont understand why Threat Protection reports a significant Malicious Events decrease when I turn off the Firewall. Not Firewall hits but Threat Protection Events.

 

[Deleted member 5784]

None of your rules or any other detail of your LAN was in your OP above; it makes it difficult to help you when we don't get a full picture of your setup and you then drip feed key details only after people have offered suggestions.

What's your LAN / WAN topology? For example, are you behind a NAT'd router?
If you are this means that in their default state, only outgoing and established return connections are permitted by most NAT'd routers. In this case, rule #3 of your firewall (i'm assuming its for IN traffic) would circumvent this and allow ANY IP FROM THE USA into your router. Which in turn would trigger TP alerts. (Note: I'm not saying this is your setup; its an example of a scenario that would cause you to get the TP issues you're seeing).

More generally, what are you trying to accomplish with your FW rules as posted above? Are you really intending to allow any US IP into your router?? What is rule #2 about?

 

[rkruz3]

I posted the Firewall Rules here. Simple Firewall rules to block all countries but the U.S. Results in about 75% firewall denial of packets to my router with Rest-of-World blocked. One would think that a significant reduction would reduce the threat noise needed to be handled by Threat Prevention.
I have a Synology 2600 connected to a cable modem from ISP providing 200 Mbps service. Simple home 1Gb LAN. No servers to the outside world, no nothing, just a simple home network using the browser from my laptop.

The issue is not Firewall, but Threat Prevention. Why is Threat Prevention reporting so many Malicious Events when the Firewall is reducing by 75% the packets and the threat noise that reaches Threat Prevention?

Further and most shocking is that if I disable the Firewall completely. With no Firewall monitoring at all, the Threat Prevention Malicious events drop to a trickle, about 26X less than when the Firewall was turned on. Just not making any sense right now.

 

[fredbert]

In SRM there is no way to switch off the firewall. But you can configure it with no additional rules and then set the bottom four [inbound] rules to either block or allow: setting blocked will stop Internet connections to the router and so stop TP processing them (processing is NAT -> firewall -> TP). However, this still allows internal devices to initiate connections to the Internet, and TP will process these. From this you can infer that the firewall’s final, hidden rule is to allow connections.

 

[rkruz3]

When I turn off all the Firewall Rules, Malicious Events drop to almost nothing. When I turn on the Firewall rules, that block 70% of non-U.S. traffic, the Malicious Events Skyrocket.
The box at the bottom of the Firewall, to allow all traffic that matches no rules, when ticked to Allow, turns off the Firewall completely but I have not done that. Only turned off all the Firewall rules and when I do, Malicious events drop to nothing.

 

[fredbert]

When the bottom four rules are set to Allow then they permit the Internet to connect, when set to Deny then they block Internet inbound connections. This set of rules are only applied after the custom rules (top to bottom) are tested and no match is found. This is blocking the Internet inbound:

There is no equivalent set of rules aimed to control internal connections going to the Internet: internal devices are permitted access [Allow].


This probably makes no difference to your testing

 

[rkruz3]

Got it. thanks

 

[7Natives]

I wanted to chime in and say thanks @rkruz3 for raising this question, and @Fortran, @Telos, and @fredbert for fleshing it out. I just put a new RT6600ax online and was facing something similar. Thanks to this discussion walking me through my thinking, I found out just why TP was throwing so many alerts on my system. It was me!

Like @rkruz3 I wanted to deny non-US based traffic. Unfortunately it appeared the only way to actually do that was to make a USA-allowed rule, implying the doing so denies all others. Uh… nope. That just overrides the default denials at the bottom under the chevrons. Basically, it lets all the US-based bad actors come to the party — who then have to be policed by the bouncer at the door (TP), who quite professionally logs each and every encounter and, because I enabled all email alerts, quickly tells me about each and every one, but no more often than every 10-minutes. Oh my. Oops.

I cleaned that up today and even though I can't explicitly set a single rule to deny all non-US traffic, then allow the router's basic rules below to handle the rest, I could set a rule to deny my "Top 15 Bad Actors". I set it for the Top 5 regions* that constitute about 90% of the felgercarb that annoying my system.

7
(new to Synology routers)

*Unfortunately, USA is one of the Top 5, but denying should break things. I am really intrigued by @rkruz3's "All Other Countries" rule and wonder how that works.

 

[Telos]

even though I can't explicitly set a single rule to deny all non-US traffic, then allow the router's basic rules below to handle the rest, I could set a rule to deny my "Top 15 Bad Actors". I set it for the Top 5 regions* that constitute about 90% of the felgercarb that annoying my system.

You can allow US traffic, and deny all else. That effectively denies all non-US traffic, and is superior to blocking "the Top 5 regions".