Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Restarting Mesh adds another firewall rule #3596

Closed NiceGuyIT closed 2 years ago

NiceGuyIT commented 2 years ago

Someone noticed there were many duplicate firewall rules for Mesh. After some research, it was determined that restarting Mesh adds another firewall rule. The following PowerShell script provides a count of the firewall rules.

# Collect every rule whose display name starts with "Mesh" and flatten each
# one to a single comparable string (name, state, direction, protocol, port).
$firewall = Get-NetFirewallRule -DisplayName "Mesh*"
$list = $(foreach ($rule in $firewall) {
    $filter = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
    "$($rule.DisplayName),$($rule.Enabled),$($rule.Direction),$($filter.Protocol),$($filter.LocalPort)"
})
# Group identical strings so the Count column shows how many copies of each rule exist.
$list | Group-Object | ForEach-Object {
    $name, $enabled, $direction, $protocol, $localPort = $_.Name -split ','
    [PSCustomObject]@{
        'Count' = $_.Count
        'Name' = $name
        'Enabled' = $enabled
        'Direction' = $direction
        'Protocol' = $protocol
        'LocalPort' = $localPort
    }
} | Format-Table -AutoSize

Here are the counts for one computer.

Count Name                                    Enabled Direction Protocol LocalPort
----- ----                                    ------- --------- -------- ---------
    1 Mesh Agent Management Traffic (TCP-1)   True    Inbound   TCP      16990    
    1 Mesh Agent Management Traffic (TCP-2)   True    Inbound   TCP      16991    
    1 Mesh Agent Peer-to-Peer Traffic (UDP-1) True    Inbound   UDP      16990    
    1 Mesh Agent Peer-to-Peer Traffic (UDP-2) True    Inbound   UDP      16991    
    3 Mesh Agent peer-to-peer (UDP)           True    Inbound   UDP      16990    
    3 Mesh Agent management (UDP)             True    Inbound   UDP      16991    
    3 Mesh Agent peer-to-peer (TCP)           True    Inbound   TCP      16990    
    3 Mesh Agent management (TCP)             True    Inbound   TCP      16991    

If I restart the service, the counts increase.

Count Name                                    Enabled Direction Protocol LocalPort
----- ----                                    ------- --------- -------- ---------
    1 Mesh Agent Management Traffic (TCP-1)   True    Inbound   TCP      16990    
    1 Mesh Agent Management Traffic (TCP-2)   True    Inbound   TCP      16991    
    1 Mesh Agent Peer-to-Peer Traffic (UDP-1) True    Inbound   UDP      16990    
    1 Mesh Agent Peer-to-Peer Traffic (UDP-2) True    Inbound   UDP      16991    
    4 Mesh Agent peer-to-peer (UDP)           True    Inbound   UDP      16990    
    4 Mesh Agent management (UDP)             True    Inbound   UDP      16991    
    4 Mesh Agent peer-to-peer (TCP)           True    Inbound   TCP      16990    
    4 Mesh Agent management (TCP)             True    Inbound   TCP      16991    

Restarting the computer does not increase the firewall counts. Only restarting the service does.

Moreover, restarting the computer does not clear the firewall rules. It seems as though the rules will continue to accumulate unless cleaned out manually.

MeshCentral v0.9.73

krayon007 commented 2 years ago

Interesting, will take a look at it

krayon007 commented 2 years ago

Ok, I fixed it. There was some old code that was still in there that added a firewall rule on service start. It was easy to find, since I saw that your accumulated rules included a TCP rule, which I had removed from the installer, because those TCP rules weren't needed. So I was able to reproduce and fix the issue. It will be in the next agent update.

Ylianst commented 2 years ago

Note that this fix requires an agent update, so the next version of MeshCentral with a new agent will have this fix. Hopefully next week.

NiceGuyIT commented 2 years ago

I'm curious, how do I know if a release has new agents included? The latest GitHub tag (v0.9.66 on Jan 7th) states agents were included but I noticed the GitHub tags don't match the NPM releases.

Actually, looking at all the GitHub tags, it looks like a GitHub tag is issued when new agents are released. Is this correct?

Thanks!

Note: I'm not trying to rush a release. I just want to know what to watch for.

krayon007 commented 2 years ago

I tag both repos whenever an npm release is made with new agents

JSuenram commented 2 years ago

@NiceGuyIT I can confirm this is fixed. Pls close....

NiceGuyIT commented 2 years ago

@JSuenram I'm waiting for new agents to be released (i.e. new GitHub tag). I'll close anyways.

NiceGuyIT commented 2 years ago

This PowerShell script will delete the extra firewall rules. Source: Yasd on Discord.

$rulenames = @('Mesh Agent peer-to-peer (TCP)','Mesh Agent peer-to-peer (UDP)','Mesh Agent management (TCP)','Mesh Agent management (UDP)')

foreach ($n in $rulenames) {
    $f = Get-NetFirewallRule -DisplayName $n
    # Keep the first rule with this display name and remove every additional copy.
    if ($f.count -gt 1) {
        foreach ($r in $f[1..($f.count-1)]) { $r | Remove-NetFirewallRule }
    }
}
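The cleanup script above removes copies by display name only. As an added example (not code from this issue or from the MeshCentral project), the function below generalizes it: it treats rules as duplicates only when the display name, direction, action, protocol and local port all match, keeps one rule per identical set, and honours -WhatIf so the removal can be previewed before anything is deleted. The default pattern 'Mesh Agent *' and the function name Remove-DuplicateFirewallRule are assumptions of this example.

```powershell
function Remove-DuplicateFirewallRule {
    # Added example, not from the issue or the project. Removes firewall rules that
    # are exact duplicates (same name, direction, action, protocol, local port),
    # keeping the first rule of each identical set.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed default: matches the rule names reported in the thread.
        [string]$DisplayNamePattern = 'Mesh Agent *'
    )

    # Pair each rule with the port filter that defines what it actually allows,
    # and build a key from the fields that make two rules functionally identical.
    $entries = foreach ($rule in Get-NetFirewallRule -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue) {
        $filter = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
        [PSCustomObject]@{
            Rule = $rule
            Key  = '{0}|{1}|{2}|{3}|{4}' -f $rule.DisplayName, $rule.Direction, $rule.Action,
                                            $filter.Protocol, ($filter.LocalPort -join ',')
        }
    }

    # Only sets with more than one member need any work.
    foreach ($group in ($entries | Group-Object -Property Key | Where-Object Count -gt 1)) {
        # Keep the first rule, remove the rest; ShouldProcess makes -WhatIf/-Confirm work.
        foreach ($entry in ($group.Group | Select-Object -Skip 1)) {
            $dup = $entry.Rule
            if ($PSCmdlet.ShouldProcess("$($dup.DisplayName) [$($dup.Name)]", 'Remove duplicate firewall rule')) {
                $dup | Remove-NetFirewallRule
            }
        }
    }
}

# Preview what would be removed, then remove for real (run from an elevated prompt):
Remove-DuplicateFirewallRule -WhatIf
Remove-DuplicateFirewallRule -Verbose
```

Get-NetFirewallRule does not guarantee creation order, so "the first rule" is simply the first one enumerated; because every rule in a set is identical by the chosen key, it does not matter which copy survives. Re-running the function after the agent fix ships should report nothing to remove, which is a quick way to confirm the accumulation has stopped.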