Questions tagged with AWS Network Firewall


Hi: wondering if AWS technical support could look into this to determine why the request is coming back FORBIDDEN. Two requestIds below to compare.

**Request Header (identical for both requests)**
```
OPTIONS https://api.flybreeze.com/production/nav/api/nsk/v1/token HTTP/1.1
Host: api.flybreeze.com
Connection: keep-alive
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: https://www.flybreeze.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.51
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-Fetch-Dest: empty
Referer: https://www.flybreeze.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
```

**FORBIDDEN Response Header**
```
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
Date: Thu, 30 Mar 2023 18:51:50 GMT
x-amzn-RequestId: 7bb21b87-6ecd-4dc1-8e07-bef8e7172d71
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,Platform
x-amzn-ErrorType: ForbiddenException
x-amz-apigw-id: Cm8LHG-koAMFlBA=
Access-Control-Allow-Methods: OPTIONS,POST
X-Cache: Error from cloudfront
Via: 1.1 9a63a58e298bfb2c58157beda1f6de12.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: DEN52-P1
X-Amz-Cf-Id: Wixm-reIOJukfeov0CcZmEfAy7e1ASejSVj6kmCbqe-BRZyqnUNoYQ==
```
Response Message: `{"message":"Forbidden"}`

**Below is a successful Response Header. The only difference is the ISP. The forbidden call was using fiber.net (host-145.arcadia-srv-216-83-134.fiber.net). The successful call was from the same web browser on the same machine, but tethered to a T-Mobile hotspot.**

**Why would AWS block one request but not the other based on the ISP?**

**SUCCESSFUL Response Header**
```
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 0
Connection: keep-alive
Date: Thu, 30 Mar 2023 16:54:08 GMT
x-amzn-RequestId: e1e7b624-dc5b-43d1-bfcd-434ee36bd580
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
x-amz-apigw-id: Cmq7qH32IAMFodw=
Access-Control-Allow-Methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT
X-Cache: Miss from cloudfront
Via: 1.1 0c32860274691581031a51698ea82be8.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LAX53-P4
X-Amz-Cf-Id: UlBl6kMeG-q_hD9J_9u9tqeWJOywEwNrtYcPSuQSQKJs3RiuRXApPA==
```
Response Message: `{null}`
0 answers · 0 votes · 8 views · asked 5 hours ago
I have a .NET Windows application (exe) which I would like to run on my Windows EC2 instance. I can run it on my computer at home, but it doesn't even load (no error or any message) when I try to run it. The application connects to a remote API and database. (It has no publisher credentials.) I am new to this. What are the general/most common settings I am missing here to get it to work? Both AWS and Windows Firewall settings, for example.
2 answers · 0 votes · 26 views · asked 4 days ago
I am trying to understand how AWS-based Suricata rules work. With the two rules below, all websites are working, and I expect only google.com to work. Am I missing anything? I understand that the order is pass, and then drop. I added the drop tcp rule with flow so tls.sni will be evaluated and the pass rule will work. It seems like it is working, BUT I expected all other sites that don't match to not work? (I have tried the DOMAIN LIST rule and that too doesn't work.)

NOTE - default order is in use, no stateless rules, forwarding frag and no-frag packets is configured, INT network forwards to FW SUBNET and then to the NAT SUBNET, which then forwards to IGW. HOME_NET is the VPC CIDR and EXTERNAL_NET is 0.0.0.0/0.

Rule 1
```
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:".google.com"; nocase; endswith; msg:"pp-Permit HTTPS access"; sid:1000001; rev:1;)
```
Rule 2
```
drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; msg:"pp-Deny all other TCP traffic"; sid:1000003; rev:1;)
```
Accepted Answer · AWS Network Firewall · 1 answer · 0 votes · 14 views · patilp asked 11 days ago
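The two rules in the question above can be checked for what they match before they are deployed. The script below is an added example, not code from the post or from AWS: it parses the two posted rules, models only the `tls.sni` buffer with the `content`/`nocase`/`endswith` keywords, and applies the documented default action order (pass rules evaluated before drop rules) to a list of SNI values. It assumes every flow is an established TLS flow to the server, and says nothing about why the real deployment behaves differently. One thing it does make visible: `content:".google.com"; endswith` matches `www.google.com` but not the bare apex `google.com`, because the apex does not end in the leading dot.

```python
"""Evaluate TLS SNI values against the two posted Suricata rules.

Added illustration, not the Suricata or AWS Network Firewall engine: it models
only the tls.sni buffer with the content/nocase/endswith keywords, and the
documented default action order, in which pass rules are evaluated before drop
rules. Every flow is assumed to be an established TLS flow to the server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two rules from the post, verbatim.
RULES = [
    'pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:".google.com"; '
    'nocase; endswith; msg:"pp-Permit HTTPS access"; sid:1000001; rev:1;)',
    'drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; '
    'msg:"pp-Deny all other TCP traffic"; sid: 1000003; rev:1;)',
]

# Default (action) order: all pass rules first, then drop, reject, alert.
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}


@dataclass
class Rule:
    action: str
    proto: str
    sid: int
    sni_content: Optional[str]  # None when the rule has no tls.sni match
    nocase: bool
    endswith: bool


def parse_rule(text: str) -> Rule:
    """Pull out the few keywords this model needs from one Suricata rule line."""
    header, _, options = text.partition("(")
    action, proto = header.split()[:2]
    options = options.rstrip(")")
    sid = int(re.search(r"sid:\s*(\d+)", options).group(1))
    sni_content, nocase, endswith = None, False, False
    if "tls.sni;" in options:
        m = re.search(r'content:"([^"]*)"', options)
        sni_content = m.group(1) if m else None
        nocase = "nocase;" in options
        endswith = "endswith;" in options
    return Rule(action, proto, sid, sni_content, nocase, endswith)


def sni_matches(rule: Rule, sni: str) -> bool:
    """A rule without a tls.sni match applies to the whole (established) flow."""
    if rule.sni_content is None:
        return True
    needle, hay = rule.sni_content, sni
    if rule.nocase:
        needle, hay = needle.lower(), hay.lower()
    return hay.endswith(needle) if rule.endswith else needle in hay


def verdict(rules: List[Rule], sni: str) -> Tuple[str, Optional[int]]:
    """First matching rule in action order wins; no match at all means the flow passes."""
    for rule in sorted(rules, key=lambda r: ACTION_ORDER[r.action]):
        if sni_matches(rule, sni):
            return rule.action, rule.sid
    return "pass", None


def posted_rules() -> List[Rule]:
    return [parse_rule(r) for r in RULES]


if __name__ == "__main__":
    rules = posted_rules()
    for sni in ["www.google.com", "google.com", "example.com", "www.google.com.evil.test"]:
        print(f"{sni:28} -> {verdict(rules, sni)}")
```

Run as-is it prints the verdict for each sample SNI; swap in your own SNI list to check an allow list before loading it into a rule group.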
Hi. Is it possible to set up routing rules for pods in EKS using standard mesh plugins? I’m not able to install plugins like Calico.
1 answer · 0 votes · 32 views · asked 12 days ago
Hi, I'm trying to deploy AWS WAF behind AWS Network Firewall. Currently my setup has two subnets under one VPC, public and private. In the public subnet I have the firewall working, and in the private subnet the web server with just the HTTP service enabled. Right now I'm trying to deploy AWS WAF behind the Network Firewall. Is this possible, or how should I take this forward?
1 answer · 0 votes · 41 views · asked 16 days ago
I host a few Ubuntu instances on Lightsail. I have observed something which I cannot explain. This is not an isolated situation, and I expect that others would observe the same exposure of their private IP without the benefit of the firewall rules assigned to the Lightsail instance. Check your auth log (Ubuntu: `grep "preauth" /var/log/auth.log`) and see if you observe the same results... I think you will, as all of my 10 or so instances show the same!

Private IP 172.xx.x.74

[image: Lightsail instance IPs]

**The Ubuntu /var/log/auth.log shows external IPs attempting to brute-force SSH on this PRIVATE IP.** The brute-force SSH attempts are not coming from AWS. The 1st example below is coming out of Suraj Network, INDIA. Why/how are these bad actors having a connection to the private IP on the Lightsail instances? PORT 49986 is not enabled through the Lightsail network firewall; are there improper connections from Lightsail to outside ISPs? I have found other examples: Digital Ocean, Huawei, Vietnam Posts and Telecommunications Group?

**IS THERE A LARGER PROBLEM THAT AMAZON SHOULD BE AWARE OF?**

Command: `grep "preauth" /var/log/auth.log` shows:
```
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Received disconnect from 103.72.6.149 port 49986:11: Bye Bye [preauth]
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Disconnected from invalid user applmgr 103.72.6.149 port 49986 [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Received disconnect from 106.246.226.66 port 45478:11: Bye Bye [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Disconnected from invalid user server 106.246.226.66 port 45478 [preauth]
Mar 12 16:39:45 ip-172-xx-x-74 sshd[10050]: Received disconnect from 171.244.39.233 port 52840:11: Bye Bye [preauth]
Mar 12 16:39:45 ip-172-xx-x-74 sshd[10050]: Disconnected from invalid user bXXXh 171.244.39.233 port 52840 [preauth]
Mar 12 16:39:52 ip-172-xx-x-74 sshd[10053]: Received disconnect from 148.66.132.190 port 52944:11: Bye Bye [preauth]
Mar 12 16:39:52 ip-172-xx-x-74 sshd[10053]: Disconnected from invalid user admin 148.66.132.190 port 52944 [preauth]
Mar 12 16:39:55 ip-172-xx-x-74 sshd[10055]: Received disconnect from 196.203.207.165 port 34038:11: Bye Bye [preauth]
Mar 12 16:39:55 ip-172-xx-x-74 sshd[10055]: Disconnected from invalid user testuser 196.203.207.165 port 34038 [preauth]
Mar 12 16:40:44 ip-172-xx-x-74 sshd[10062]: Received disconnect from 14.139.58.153 port 49158:11: Bye Bye [preauth]
Mar 12 16:40:44 ip-172-xx-x-74 sshd[10062]: Disconnected from invalid user julio 14.139.58.153 port 49158 [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Received disconnect from 103.72.6.149 port 39856:11: Bye Bye [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Disconnected from invalid user john 103.72.6.149 port 39856 [preauth]
Mar 12 16:42:39 ip-172-xx-x-74 sshd[10248]: Received disconnect from 14.139.58.153 port 50592:11: Bye Bye [preauth]
Mar 12 16:42:39 ip-172-xx-x-74 sshd[10248]: Disconnected from invalid user test01 14.139.58.153 port 50592 [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Received disconnect from 103.72.6.149 port 39386:11: Bye Bye [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Disconnected from invalid user user 103.72.6.149 port 39386 [preauth]
```
1 answer · 0 votes · 47 views · asked 18 days ago
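The auth.log lines quoted in the post above are the kind of input a quick triage script should handle. The script below is an added example, not code from the post: it parses sshd "Disconnected from invalid user" lines, ranks the remote addresses by failed pre-auth attempts, lists the usernames each one tried, and checks whether the sources are globally routable. The sample log is constructed from the lines in the post (hostname kept in its redacted `ip-172-xx-x-74` form). Two points about the format worth keeping in mind when reading such lines: the address and `port NNNNN` in an sshd disconnect message are the remote client's address and its ephemeral source port, not a port the instance listens on, and the `ip-172-xx-x-74` token is the instance hostname (derived from its private address), so the line by itself does not say which local address the connection arrived on.

```python
"""Summarise sshd pre-authentication failures from auth.log by source address.

Added illustration built around the log lines quoted in the post; not code from
the post. SAMPLE_LOG is constructed from those lines. In an sshd
"Disconnected from invalid user U A port P [preauth]" line, A and P are the remote
client's address and source port; the hostname field is the local instance.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Received disconnect from 103.72.6.149 port 49986:11: Bye Bye [preauth]
Mar 12 16:39:25 ip-172-xx-x-74 sshd[10046]: Disconnected from invalid user applmgr 103.72.6.149 port 49986 [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Received disconnect from 106.246.226.66 port 45478:11: Bye Bye [preauth]
Mar 12 16:39:43 ip-172-xx-x-74 sshd[10048]: Disconnected from invalid user server 106.246.226.66 port 45478 [preauth]
Mar 12 16:39:45 ip-172-xx-x-74 sshd[10050]: Disconnected from invalid user bXXXh 171.244.39.233 port 52840 [preauth]
Mar 12 16:39:52 ip-172-xx-x-74 sshd[10053]: Disconnected from invalid user admin 148.66.132.190 port 52944 [preauth]
Mar 12 16:39:55 ip-172-xx-x-74 sshd[10055]: Disconnected from invalid user testuser 196.203.207.165 port 34038 [preauth]
Mar 12 16:40:44 ip-172-xx-x-74 sshd[10062]: Disconnected from invalid user julio 14.139.58.153 port 49158 [preauth]
Mar 12 16:41:02 ip-172-xx-x-74 sshd[10065]: Disconnected from invalid user john 103.72.6.149 port 39856 [preauth]
Mar 12 16:42:39 ip-172-xx-x-74 sshd[10248]: Disconnected from invalid user test01 14.139.58.153 port 50592 [preauth]
Mar 12 16:42:41 ip-172-xx-x-74 sshd[10250]: Disconnected from invalid user user 103.72.6.149 port 39386 [preauth]
"""

# Only the lines that carry the attempted username and the remote address/port.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Disconnected from invalid user (?P<user>\S+) (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<src_port>\d+) \[preauth\]$"
)


def parse_invalid_user_events(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per matching line; 'Received disconnect' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def attempts_by_source(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Remote addresses ranked by number of failed pre-auth attempts."""
    return Counter(e["src_ip"] for e in events).most_common()


def usernames_by_source(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which usernames each remote address tried (a password-spray fingerprint)."""
    names: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        names[e["src_ip"]].add(e["user"])
    return dict(names)


def public_sources(events: List[Dict[str, str]]) -> List[str]:
    """Distinct remote addresses that are globally routable (not RFC 1918 or other special ranges)."""
    return sorted({e["src_ip"] for e in events if ipaddress.ip_address(e["src_ip"]).is_global})


if __name__ == "__main__":
    evts = parse_invalid_user_events(SAMPLE_LOG)
    users = usernames_by_source(evts)
    for ip, n in attempts_by_source(evts):
        print(f"{ip:16} {n:3} attempts  users={sorted(users[ip])}")
    print("public sources:", public_sources(evts))
```

To run it over a real file, replace `SAMPLE_LOG` with the contents of `/var/log/auth.log` (or the output of `journalctl -u ssh`); the regex only covers the `Disconnected from invalid user` form, so extend it if you also want `Failed password for` lines.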
Hi there, I'm trying to replace my HAProxy functionality with AWS native services, and my plan is to use:
```
NLB ---|Network Firewall (NFW)|--->ALB (with WAF)---> appVPC endpoint
```
I know NLB can now offload TLS, but can it send the unencrypted traffic to an ALB for the NFW to do the traffic inspection? The new `alb-type` target group needs to be used for the NLB to forward the traffic to an ALB, and it looks like a `TLS` listener cannot be used for that? Otherwise I think I have to use two ALBs, like this:
```
NLB ---> ALB1(+WAF)---|Network Firewall (NFW)|--->ALB2---> appVPC endpoint
```
which I'm trying to avoid. Is it possible to achieve my goal with a single ALB? -S
1 answer · 0 votes · 28 views · asked 22 days ago
Maybe I already have an answer in my mind, but I'll still leave this question here. My team is trying to deploy the AWS native Network Firewall instead of a 3rd-party firewall like Fortinet or Palo Alto for our customer, so we are currently working through various case scenarios with rules. What is bugging us is that standard rules, like the rules inside 5-tuple rule groups, seem to have no ability to leave their rule ID or something like that in the log, regardless of whether it is an alert or just a flow. I'm sure this could be a huge pain in the a@# for the infra/security administrator when troubleshooting traffic-flow related issues. So what I want to know is: is there any hidden CLI option to enable rule IDs, or, again, is a Suricata custom rule the answer?
1 answer · 0 votes · 23 views · V asked a month ago
I have a large machine S that lives behind NAT and can only be accessed via VPN. As a quick access hack, I want to use an EC2 t2.micro instance as a port-forwarding router node so I can use that EC2 instance's public IP and a port that I specify to connect to machine S. This port-forwarding works with high ports. However, I really want to use the default port 22, since the only purpose of this EC2 instance is to forward traffic (so it is a waste to have to specify ports every time). To do this, I changed my /etc/ssh/sshd_config to run normal SSH for the EC2 instance on port 222 instead, and I changed some other settings to yes: AllowTcpForwarding, AllowStreamLocalForwarding, GatewayPorts. This appears insufficient, though, as I get a binding error when I try to bind to 22. Higher ports (e.g. 2222) work. However, I can't start on 22. I have a TCP rule in my security group for the EC2 instance that allows outbound/inbound traffic for all IP addresses to all ports. Why am I facing this issue? Is there a neat solution? Is there a network-specific instance that better serves this use case? For weird reasons, I might need to do this more times.
1 answer · 0 votes · 21 views · asked a month ago
Hi, I have two clients and both are using 172.22.0.0/16 in their on-prem network. I have established IPsec VPN with both (using static routing) and have terminated the VPN on a TGW in eu-west-1 for both. Both customers connect to their respective VPC (no overlapping CIDRs in the VPCs). Customer-A connects to VPC-A. Customer-B connects to VPC-B. I'm making use of separate routing tables for each of them. There are a total of 4 routing tables. Customer-A traffic gets routed to VPC-A using VPN-A-RT. Return traffic gets back to Customer-A using VPC-A-RT. Customer-B traffic gets routed to VPC-B using VPN-B-RT. Return traffic gets back to Customer-B using VPC-B-RT. Now, I need to put an AWS Network Firewall (AWNF) in an Inspection-VPC and filter both VPNs' traffic. What I can do is route traffic for each VPN, using its respective route table, to the Inspection VPC. Using a Firewall-RT, I can then forward traffic to their respective VPC. Issue/Problem: When I get the (response) traffic back from the VPCs (VPC-A and VPC-B) to the Inspection-VPC, how do I make sure that the response traffic eventually gets back to each customer properly, given that both use 172.22.0.0/16 on prem? Using the Firewall-RT, I can route the return traffic to only one customer's VPN, either Customer-A or Customer-B. Can this issue be fixed by using policies in Cloud WAN? Can I make use of Cloud WAN for a single TGW (or completely replace the TGW with a Core Network in a Global Network) and use segments, policies and/or tags so that I can do more of a policy-based routing in this scenario? At this time, I'm trying to find a solution which does not involve a private NAT sort of thing to manage overlapping on-prem CIDRs.
1 answer · 0 votes · 76 views · asked 2 months ago
I want to provide access to my EC2 instance to another company. The problem is that their IP addresses change, and due to this I cannot hardcode the IP addresses in the security groups of the EC2 instance. Now my question is: is it possible to configure security rules for inbound traffic on the basis of DNS? I have also tried to check the AWS Network Firewall service. In AWS Network Firewall, we can easily block domains for outbound traffic, but in my case I only want to allow inbound traffic for the hostname with a specific DNS name? It seems that the AWS Network Firewall configurations do not support rules based on DNS lookup? Can anyone guide me in this regard, if it's possible in AWS using AWS Network Firewall or some other service?
1 answer · 0 votes · 45 views · asked 2 months ago
AWS Network Firewall seems to easily log the domain names (via HTTP Host or TLS SNI headers) of sites that are blocked. However, what if I wanted to also log domain names that are **allowed**? I have tried adding an IPv4 rule with protocol 'HTTP' as well as 'TLS' with an 'alert' action, as well as a Suricata rule, such as:
```
alert tls any any -> any any (flow:established,to_server; msg:"Log TLS domains, after establishment and protocol identification"; sid:1000001; rev:1;)
```
But neither causes *allowed* domains to get logged. Is it possible?
1 answer · 0 votes · 59 views · asked 2 months ago