[Freedombox-discuss] Security issues if running wireshark on FreedomBox?

A. F. Cano afc54 at comcast.net
Mon Feb 26 23:39:47 GMT 2024


Hi,

I've noticed quite a bit of traffic going out the external interface of
the FreedomBox, when I wasn't doing anything internally to justify it.

My FreedomBox (stable) sits between my internal networks and the internet,
so to make it usable, I had to enable in to out forwarding:

$ sudo firewall-cmd --permanent --new-policy int_to_ext_fwd
$ sudo firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
$ sudo firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
$ sudo firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
$ sudo firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

So now I'm wondering if something I have running on the internal
machines is causing all this traffic, such as many tabs in browsers.

How advisable is it to manually lock down firewalld on the FreedomBox
when not in use?

$ firewall-cmd --lockdown-on
$ firewall-cmd --lockdown-off

This seems to be a little too drastic.  Still, is anyone using this as a
routine precaution?

I have installed wireshark and
the 127 dependencies with the default (secure) options.  Tried to start
a capture remotely:

$ ssh -X -l <admin-user-on-freedombox> <FreedomBox> wireshark

But the regular admin user doesn't have enough permissions:

 ** (wireshark:736228) 17:30:33.662313 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:736228) 17:30:34.044134 [Capture MESSAGE] -- Error message from child: "You do not have permission to capture on device "enp1s0".
(socket: Operation not permitted)", "Please check to make sure you have sufficient permissions.

On Debian and Debian derivatives such as Ubuntu, if you have installed Wireshark from a package, try running

    sudo dpkg-reconfigure wireshark-common

selecting "<Yes>" in response to the question

    Should non-superusers be able to capture packets?

adding yourself to the "wireshark" group by running

    sudo usermod -a -G wireshark {your username}

and then logging out and logging back in again.

If you did not install Wireshark from a package, ensure that Dumpcap has the needed CAP_NET_RAW and CAP_NET_ADMIN capabilities by running 

    sudo setcap cap_net_raw,cap_net_admin=ep {path/to/}dumpcap

and then restarting Wireshark."
 ** (wireshark:736228) 17:33:20.162646 [GUI WARNING] -- QXcbConnection: XCB error: 3 (BadWindow), sequence: 2001, resource id: 39105695, major code: 40 (TranslateCoords), minor code: 0
 ** (wireshark:736228) 17:33:20.165464 [Capture MESSAGE] -- Capture stopped.

The instructions are clear as to why this failed, but before I
reconfigure wireshark appropriately, would this open a security risk?

Is anyone using wireshark on a FreedomBox to analyze traffic? Does
anyone have suggestions for filters to remove inoffensive noise and
still capture problematic traffic coming from the inside?   Previous
attempts to use wireshark produced so much output that it was extremely
time-consuming going through the generated logs where most of the
entries were for dns, mdns, arp and other apparently necessary noise.

Ultimately, what I would love to have is a real-time display with only
the kind of problematic traffic that would require some action.

Any suggestions out there?  Thanks.

Augustine
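The post above asks for a way to drop the DNS/mDNS/ARP background and keep only egress that deserves a look. The script below is an added example written for this page; it is not code from the original post or from the FreedomBox project. It works on a field export rather than on the live GUI, so Wireshark does not have to be run over X forwarding on the router at all; only dumpcap/tshark needs the capture capabilities (and note that anyone in the "wireshark" group can then read every packet passing through the box, which on a gateway is an administrative privilege). It assumes the capture was taken on the internal-facing interface, so LAN source addresses are visible before any NAT, and exported with a tshark command of the shape shown in the comment. The network addresses, the expected resolver, the port list, the volume threshold and all sample lines are constructed for illustration.

```python
"""Triage an outbound-traffic export from a FreedomBox-style gateway.

Assumed export command (assumption, not run here; capture on the LAN-side
interface so that internal source addresses are visible):

  tshark -i <lan-interface> -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol \
      -e tcp.dstport -e udp.dstport -e frame.len
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions for the example: the LAN behind the box and the resolver that
# all DNS from LAN hosts is expected to use.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_RESOLVERS = {ipaddress.ip_address("198.51.100.53")}
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
# Destination ports that explain themselves and are dropped in a first pass.
QUIET_PORTS = {53: "dns", 80: "http", 123: "ntp", 443: "https"}
# Per-host egress bytes above which a host is reported. Tuned to the tiny
# sample below; a real capture would use a far larger figure.
VOLUME_THRESHOLD = 3000

# Constructed sample export, field order as in the assumed tshark command:
# frame.time_epoch, ip.src, ip.dst, Protocol, tcp.dstport, udp.dstport, frame.len
SAMPLE_EXPORT = """\
1708990001.1,192.168.1.20,198.51.100.53,DNS,,53,80
1708990001.2,192.168.1.20,198.51.100.53,DNS,,53,120
1708990002.0,192.168.1.20,198.51.100.7,TLSv1.3,443,,1400
1708990002.5,192.168.1.31,198.51.100.99,DNS,,53,75
1708990003.0,192.168.1.31,198.51.100.200,TCP,4444,,60
1708990003.1,192.168.1.31,198.51.100.200,TCP,4444,,1500
1708990004.0,192.168.1.20,224.0.0.251,MDNS,,5353,90
1708990004.5,,,ARP,,,42
1708990005.0,192.168.1.45,198.51.100.7,TLSv1.3,443,,1500
1708990005.1,192.168.1.45,198.51.100.7,TLSv1.3,443,,1500
1708990005.2,192.168.1.45,198.51.100.7,TLSv1.3,443,,1500
1708990005.3,198.51.100.7,192.168.1.45,TLSv1.3,50123,,1500
"""


def parse_export(text):
    """Parse the CSV export; frames without IP headers (ARP etc.) are skipped."""
    packets = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 7 or not rec[1] or not rec[2]:
            continue
        ts, src, dst, proto, tcp_dport, udp_dport, length = rec
        packets.append({
            "ts": float(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "dport": int(tcp_dport or udp_dport or 0),
            "len": int(length),
        })
    return packets


def is_noise(pkt):
    """True for traffic that needs no attention in a first pass."""
    if pkt["dst"] == MDNS_GROUP:
        return True
    if pkt["dport"] == 53:
        # DNS is only quiet when it goes to the resolver we configured;
        # DNS to anyone else means a LAN client is bypassing the box.
        return pkt["dst"] in EXPECTED_RESOLVERS
    return pkt["dport"] in QUIET_PORTS


def triage(text, volume_threshold=VOLUME_THRESHOLD):
    """Return sorted (kind, internal host, detail) findings for LAN egress."""
    findings = set()
    volume = defaultdict(int)
    for pkt in parse_export(text):
        if pkt["src"] not in INTERNAL_NET:
            continue  # replies and inbound traffic are not what we are hunting
        volume[str(pkt["src"])] += pkt["len"]
        if is_noise(pkt):
            continue
        if pkt["dport"] == 53:
            findings.add(("dns-bypass", str(pkt["src"]), str(pkt["dst"])))
        else:
            detail = f"{pkt['dst']}:{pkt['dport']}/{pkt['proto']}"
            findings.add(("unusual-port", str(pkt["src"]), detail))
    for host, total in volume.items():
        if total > volume_threshold:
            findings.add(("high-volume", host, f"{total} bytes"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, detail in triage(SAMPLE_EXPORT):
        print(f"{kind:13} {host:15} {detail}")
```

The three finding kinds correspond to the three things a gateway owner usually wants to know about: a LAN host talking to a resolver other than the configured one, a connection to a port that is not on the quiet list, and a host moving more bytes than expected. Everything else (DNS to the right resolver, mDNS, ARP, ordinary HTTPS) is dropped, which is what keeps the list short enough to watch in real time; piping a running tshark export into the same functions line by line would give the live view the post asks about.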