Netgate Discussion Forum
    Disabling Port Forward

denningsrogue:

Here is the port forward entry.

![Screen Shot 2014-10-17 at 09.36.59.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.36.59.png)

denningsrogue:

Here are the rules.

![Screen Shot 2014-10-17 at 09.37.20.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.37.20.png)

denningsrogue:

Here is the specific rule.

Thanks again for your help.

![Screen Shot 2014-10-17 at 09.37.36.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.37.36.png)

johnpoz (LAYER 8 Global Moderator):

Did you enable/disable it again? What you're saying is just not possible, to be honest.

Can you post up your debug rules once you disable the rule? So I have an ssh rule that I keep disabled... I have enabled it and this is what is in my /tmp/rules.debug for port 22; I xx out some of my WAN IP and ISP gateway.

[2.1.5-RELEASE][root@pfsense.local.lan]/root(3): cat /tmp/rules.debug | grep 22
rdr on vmx3f0 proto tcp from ! $pfBlockerTopSpammers to 24.13.xx.x port 22 -> 192.168.1.7
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "

So I then disabled it, leaving the firewall rule still enabled, and then notice my rules.debug grep for 22:

[2.1.5-RELEASE][root@pfsense.local.lan]/root(4): cat /tmp/rules.debug | grep 22
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "

Notice the forward is gone.

And if I check it from outside: blocked. So let's take a look at your cat /tmp/rules.debug | grep 22

Attachments: ssh.png, disabledssh.png, sshblocked.png

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

denningsrogue:

So here is what I have done.

enabled the ssh forward and rule
hit save
disabled the rule
hit save
reset the states table

Here is the output from cat /tmp/rules.debug | grep 22

rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"

johnpoz (LAYER 8 Global Moderator):

So you disabled the port forward or just the firewall rule?

Because from your rules.debug the port forward is still there, but there is no firewall rule.

You should not be able to access in that way. Do you have any firewall rules in your floating? Something that is maybe allowing all, and since you have the forward still it would be allowed?

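The two rules.debug excerpts above show the distinction the thread turns on: a port forward is an `rdr` line plus a `pass` rule on WAN, and disabling only the firewall rule leaves the `rdr` in place. The audit below is an added example (not code from the thread or from pfSense) that parses rules.debug text for one port and reports which of the two pieces are still present; it also flags `rdr-anchor` entries such as `miniupnpd`, whose dynamic forwards never appear in rules.debug. The sample rulesets are constructed from the syntax posted above with placeholder interface names and addresses; the `$WAN` macro name and the `audit_port`/`PortAudit` names are this example's own assumptions.

```python
"""Audit one TCP port in a pf rules.debug dump: is the rdr (port forward)
still loaded, is there a WAN pass rule for it, and are dynamic rdr anchors
(UPnP) present whose contents rules.debug never shows?"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"\bport\s+(\{[^}]*\}|\S+)")
IFACE_RE = re.compile(r"\bon\s+(\S+)")

# Constructed samples modelled on the excerpts in the thread; interface
# names, addresses (RFC 5737 space) and the alias are placeholders.
RULES_FORWARD_ENABLED = """\
rdr-anchor "miniupnpd"
rdr on em0 proto tcp from any to 203.0.113.10 port 22 -> $miniserver
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"
pass  in log  quick  on $WAN reply-to ( em0 203.0.113.10 ) inet proto tcp  from any to $miniserver port 22 flags S/SA keep state  label "USER_RULE: NAT "
"""

# The same box after only the firewall rule was disabled: the rdr survives.
RULES_RULE_DISABLED = """\
rdr-anchor "miniupnpd"
rdr on em0 proto tcp from any to 203.0.113.10 port 22 -> $miniserver
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"
"""


def dest_port_spec(rule: str):
    """Destination port spec of one rule line, or None. Only the text before
    '->' (the rdr target) and after the last ' to ' is examined, so a source
    port spec is never mistaken for the destination ('reply-to' has a hyphen,
    so it does not match ' to ')."""
    left = rule.split("->", 1)[0]
    idx = left.rfind(" to ")
    if idx < 0:
        return None
    m = PORT_RE.search(left[idx:])
    return m.group(1) if m else None


def port_in_spec(spec: str, port: int) -> bool:
    """True if `port` is covered by '22', '{ 443 80 22 }' or a 'lo:hi' range."""
    for tok in spec.strip("{} ").split():
        if ":" in tok:
            lo, hi = tok.split(":", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif tok.isdigit() and int(tok) == port:
            return True
    return False


@dataclass
class PortAudit:
    port: int
    forwards: list = field(default_factory=list)      # rdr lines for the port
    wan_passes: list = field(default_factory=list)    # pass rules on a WAN interface
    other_passes: list = field(default_factory=list)  # e.g. the LAN anti-lockout rule
    blocks: list = field(default_factory=list)
    rdr_anchors: list = field(default_factory=list)   # dynamic anchors, e.g. miniupnpd

    def verdict(self):
        """(code, message) describing what the static ruleset does for the port."""
        if self.forwards and self.wan_passes:
            code, msg = "forwarded", "rdr and WAN pass rule present: forward is active"
        elif self.forwards:
            code, msg = "rdr-without-pass", ("rdr still loaded but no WAN pass rule: "
                        "only the firewall rule was disabled, not the port forward")
        elif self.wan_passes:
            code, msg = "pass-without-rdr", "WAN pass rule but no rdr: nothing translates the port"
        else:
            code, msg = "closed", "no rdr and no WAN pass rule for this port"
        if self.rdr_anchors:
            msg += ("; rdr anchor(s) %s loaded, which may hold forwards that never appear "
                    "in rules.debug, so compare with live 'pfctl -sa' output"
                    % ", ".join(self.rdr_anchors))
        return code, msg


def audit_port(rules_debug: str, port: int, wan_ifaces=("$WAN",)) -> PortAudit:
    """Classify every rule line in `rules_debug` whose destination port is `port`."""
    audit = PortAudit(port=port)
    for raw in rules_debug.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("rdr-anchor"):
            parts = line.split(None, 1)
            audit.rdr_anchors.append(parts[1].strip('"') if len(parts) > 1 else line)
            continue
        spec = dest_port_spec(line)
        if spec is None or not port_in_spec(spec, port):
            continue
        m = IFACE_RE.search(line)
        iface = m.group(1) if m else None
        if line.startswith("rdr "):
            audit.forwards.append(line)
        elif line.startswith("pass "):
            (audit.wan_passes if iface in wan_ifaces else audit.other_passes).append(line)
        elif line.startswith("block "):
            audit.blocks.append(line)
    return audit


if __name__ == "__main__":
    for name, text in (("forward enabled", RULES_FORWARD_ENABLED),
                       ("rule disabled", RULES_RULE_DISABLED)):
        print(name, "port 22 ->", *audit_port(text, 22).verdict())
```

Run against a real dump with `audit_port(open("/tmp/rules.debug").read(), 22)`; the anti-lockout rule lands in `other_passes` because it is on the LAN interface, so it never counts as the WAN rule that admits a forward. The anchor warning is the reason the thread's later advice to look at `pfctl -sa` matters: rules.debug is only the static ruleset pfSense generates, not everything pf is enforcing.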
denningsrogue:

I disabled the rule but not the forward.

denningsrogue:

Here is a screen shot showing all my rules (other than those related to pfblocker).

![Screen Shot 2014-10-17 at 15.02.38.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 15.02.38.png)

denningsrogue:

johnpoz

I don't know what you mean by "Do you have any firewall rules in your floating?".

denningsrogue:

Well, I've tried just about everything I can think of. I deleted both the forward and the rule. When I conduct a port scan against the public IP, port 22 still shows as open. Any suggestions would be welcomed.

denningsrogue:

Is there something I can do from the command line?

Derelict (LAYER 8 Netgate):

There's another rule somewhere passing that traffic.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (LAYER 8 Global Moderator):

Looking in your floating tab: are there rules there? These are looked at first, before any other rules on specific tabs.

Post up your rules.debug file. Seems to me you're not even using pfsense to access this IP you're sshing to.

Sniff on your WAN and LAN interfaces when you do this access: do you actually see this traffic pass through pfsense? Do you actually see a state for this connection?

denningsrogue:

No floating rules. Here's a screen shot of the tab.

[Screen Shot 2014-10-18 at 06.36.56.png](/public/imported_attachments/1/Screen Shot 2014-10-18 at 06.36.56.png)

johnpoz (LAYER 8 Global Moderator):

Yeah, that image is not valid. So show us this traffic going through pfsense with some simple sniffs, and post up your rules.debug.

What does that grep show for 22, as we dug before, after you deleted the rules? There are just no rules showing this should work, so traffic must not be going through pfsense.

denningsrogue:

Here is the debug file.

Attachment: rules.debug.txt

denningsrogue:

I have no idea how the traffic could go anywhere but through pfSense. The box has 2 NICs. One connected to the outside world and one to the inside. There is no other software running on the box; it's not a virtual implementation. I have to take my son to a volleyball tournament right now. I'll run some sniffs when I get back this afternoon.

Again, thank you so much for all your efforts. I really appreciate it.

johnpoz (LAYER 8 Global Moderator):

Thought you said you deleted the rule??

NAT Inbound Redirects

rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver

Well, being able to hit ssh, you didn't really hide your IP very well; sorry, my curiosity got the better of me. Pretty easy with a /29 mask.

So yup, 22 is open, and I see the 311 and 625:

PORT     STATE  SERVICE
22/tcp   open   ssh
311/tcp  open   asip-webadmin
625/tcp  open   apple-xsrvr-admin

Again, you say you deleted your port forward, but it's clearly still there... That needs to be removed.

Also, what does miniserver resolve to in your alias? I'm personally not a fan of using them in rules where it's a single IP. But you need to get rid of the port forward rule that is still in there.

So do you have UPnP enabled?

UPnPd rdr anchor

rdr-anchor "miniupnpd"

Could this 10.0.1.20 box be opening up the rule, since it seems your NAT is still listed? I am wondering if your rule is also there, just not in debug.

Take a look at actual live rules with

pfctl -sa, this will give us everything. Send it to me by PM, or PM me and I will send you my personal email address, so you're not posting that publicly.

edit2: so you have a /29; where are the other publics? Being used?

How exactly are you connected to the internet?? This is very strange; doing a traceroute to you:

13  ler2-axia-ge.yyc.platinum.ca (69.31.193.254)  81.638 ms  81.520 ms  81.319 ms
14  10.17.3.6 (10.17.3.6)  76.219 ms  83.418 ms  79.970 ms
15  10.17.2.6 (10.17.2.6)  106.304 ms  106.985 ms  96.545 ms

How can there be 10.x addresses in the trace from me to you?? I can say I have never seen such a thing before!!

denningsrogue:

When removing the forward and rule did not work, I put them back.

denningsrogue:

Mini server is 10.0.1.20

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.