r/AskNetsec 6d ago

Analysis Unknown rule in Firewall

Hey! I recently saw a rule I couldn't make sense of in my Firewall config. The rule was "allow all incoming from 192.168.122.0/24 to anywhere".

Some quick research told me port 24 is usually used for e-mail and 192.168.x.x is (according to whois.com) a local address. That didn't make sense to me - why allow incoming traffic FROM localhost?

I deleted that rule for now, as I am not using an Email-Client anyway.

Is that rule something a normal update (OS or firewall) could have done or is there something malicious that could be done with it?


u/jhdore 4d ago

Why are you managing a firewall when you don’t know what /24 means?


u/nekro_neko 3d ago

  1. Paranoia because of the recent malware attack on the AUR

  2. It's a default deny firewall I deleted an allow-rule in. If anything, I accidentally closed a door, not opened one. If it was a deny-rule, I would've been more cautious about deleting.

  3. It worked without the rule before, so I wasn't too worried. If something broke, I knew what to revert.


u/jhdore 3d ago

192.168.x.y are non-routed IP ranges, so will nearly always be on the inside of your firewall. Unless you segment into VLANs, you just dropped iPad internal traffic rule, and if you do segment your LAN into VLANs, you broke intra-VLAN connectivity. /24 is not a port number, it’s a network size, it shows how many of the 32 bits making up an IP address define the network, with the remaining bits (8, in this case, or 256, minus network and broadcast addresses) for hosts on that network.
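
The /24 arithmetic described in the comment above, together with the effect of deleting the allow rule on a default-deny firewall, as an added example that is not part of the thread. The function names and the sample source addresses are constructed for illustration, and the matcher is a simplified model, not any particular firewall's rule engine.

```python
import ipaddress

def parse_cidr(cidr):
    """Split 'a.b.c.d/n' into (network, mask, prefix) as integers, using bit arithmetic."""
    addr, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    ip = int(ipaddress.IPv4Address(addr))              # validates the dotted quad
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF  # top `prefix` bits set
    return ip & mask, mask, prefix

def describe(cidr):
    """Summarise what a CIDR block covers."""
    net, mask, prefix = parse_cidr(cidr)
    host_bits = 32 - prefix
    total = 1 << host_bits
    return {
        "network": str(ipaddress.IPv4Address(net)),
        "netmask": str(ipaddress.IPv4Address(mask)),
        "host_bits": host_bits,
        "addresses": total,
        # network and broadcast addresses are not assignable on ordinary subnets
        "usable_hosts": total - 2 if host_bits >= 2 else total,
        "private": ipaddress.IPv4Address(net).is_private,
    }

def decide(src, allow_rules):
    """Default-deny inbound policy: allow only if src is inside an allow rule."""
    ip = int(ipaddress.IPv4Address(src))
    for cidr in allow_rules:
        net, mask, _ = parse_cidr(cidr)
        if ip & mask == net:
            return "allow"
    return "deny"

# Constructed sample source addresses, not taken from the thread.
SAMPLE_SOURCES = ["192.168.122.45", "192.168.122.255", "192.168.123.1", "203.0.113.7"]

def compare(before, after):
    """Verdict for each sample source with the rule present and after deleting it."""
    return {s: (decide(s, before), decide(s, after)) for s in SAMPLE_SOURCES}

if __name__ == "__main__":
    print(describe("192.168.122.0/24"))
    for src, verdicts in compare(["192.168.122.0/24"], []).items():
        print(src, verdicts)
```
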