Netgate Discussion Forum
    Disabling Port Forward
denningsrogue:

No floating rules. Here's a screen shot of the tab.

[Screen Shot 2014-10-18 at 06.36.56.png](/public/imported_attachments/1/Screen Shot 2014-10-18 at 06.36.56.png)
johnpoz (LAYER 8 Global Moderator):

Yeah that image is not valid.  So show us this traffic going through pfsense with some simple sniffs, and post up your rules.debug..

What does that grep show for 22, as we dig before after you deleted the rules..  There are just no rules showing this should work, so traffic must not be going through pfsense.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
denningsrogue:

Here is the debug file.

rules.debug.txt
denningsrogue:

I have no idea how the traffic could go anywhere but through pfSense.  The box has 2 NICs. One connected to the outside world and one to the inside.  There is no other software running on the box – it's not a virtual implementation.  I have to take my son to a volleyball tournament right now.  I'll run some sniffs when I get back this afternoon.

Again, thank you so much for all your efforts.  I really appreciate it.
johnpoz (LAYER 8 Global Moderator):

Thought you said you deleted the rule??

NAT Inbound Redirects

    rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver

Well being able to hit ssh, you didn't really hide your IP very well - sorry my curiosity got the better of me.  Pretty easy with a /29 mask

So yup 22 is open, and I see the 311 and 625

    PORT     STATE  SERVICE
    22/tcp   open   ssh
    311/tcp  open   asip-webadmin
    625/tcp  open   apple-xsrvr-admin

Again you say you deleted your port forward, but it's clearly still there…  That needs to be removed..

Also what does miniserver resolve to in your alias?  I'm personally not a fan of using them in rules where it's a single IP..  But you need to get rid of the port forward rule that is still in there.

So do you have UPnP enabled?

UPnPd rdr anchor

    rdr-anchor "miniupnpd"

Could this 10.0.1.20 box be opening up the rule, since it seems your nat is still listed?  I am wondering if your rule is also there, just not in debug.

Take a look at actual live rules with

    pfctl -sa

this will give us everything.  Send it to me PM, or PM me and I will send you my personal email address, so you're not posting that publicly.

edit2:  so you have a /29 -- where are the other publics? being used?

how exactly are you connected to the internet??  This is very strange - doing a traceroute to you

    13  ler2-axia-ge.yyc.platinum.ca (69.31.193.254)  81.638 ms  81.520 ms  81.319 ms
    14  10.17.3.6 (10.17.3.6)  76.219 ms  83.418 ms  79.970 ms
    15  10.17.2.6 (10.17.2.6)  106.304 ms  106.985 ms  96.545 ms

How can there be 10.x addresses in the trace from me to you?? I can say I have never seen such a thing before!!
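The check johnpoz asks for in the post above (what the ruleset still carries for port 22, and what the alias behind the rdr target resolves to) can be scripted so it is repeatable after each change. The script below is an added example for this thread, not code from the forum or from pfSense: it scans a constructed excerpt written in the shape of a pfSense rules.debug listing for rdr rules on a given destination port and resolves a `$macro` target through the macro and `table` definitions. The interface em0, the public address 203.0.113.10, the alias name and its member are sample values; on the firewall itself the same function would be fed `pfctl -sn` output (the live NAT rules) or /tmp/rules.debug.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Constructed excerpt in the
# shape of a pfSense rules.debug / "pfctl -sn" listing; every value is a sample.
SAMPLE_RULES='
table <miniserver> { 10.0.1.20 }
miniserver = "<miniserver>"
rdr-anchor "miniupnpd"
rdr on em0 proto tcp from any to 203.0.113.10 port 22 -> $miniserver
rdr on em0 proto tcp from any to 203.0.113.10 port 311 -> $miniserver
pass in quick on em0 proto tcp from any to $miniserver port 22 keep state
'

# find_rdr_for_port PORT RULETEXT
# Prints every rdr (port forward) rule whose destination port is PORT, with a
# "$macro" target resolved through the macro and table definitions, one per line.
find_rdr_for_port() {
    printf '%s\n' "$2" | awk -v want="$1" '
        # table <name> { members }  -> tables[name] = members
        /^table <[^>]+> *[{]/ {
            name = $2; gsub(/[<>]/, "", name)
            members = $0
            sub(/^[^{]*[{] */, "", members); sub(/ *[}].*$/, "", members)
            tables[name] = members
            next
        }
        # name = "value"  -> macros[name] = value (value is often "<table>")
        /^[A-Za-z_][A-Za-z0-9_]* *= *"/ {
            val = $0
            sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macros[$1] = val
            next
        }
        # rdr rules: match "port PORT" and annotate the redirect target
        $1 == "rdr" {
            for (i = 1; i < NF; i++) {
                if ($i == "port" && $(i + 1) == want) {
                    target = $NF
                    if (substr(target, 1, 1) == "$") {
                        m = substr(target, 2)
                        resolved = (m in macros) ? macros[m] : "(undefined)"
                        t = resolved; gsub(/[<>]/, "", t)
                        if (t in tables) resolved = tables[t]
                        print $0 " # " m " = " resolved
                    } else {
                        print $0
                    }
                    break
                }
            }
        }'
}

# count_rdr_for_port PORT RULETEXT -> number of matching rdr rules (0 = no forward)
count_rdr_for_port() {
    find_rdr_for_port "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample, as one would run it against
# "pfctl -sn" output or /tmp/rules.debug on the firewall itself.
find_rdr_for_port 22 "$SAMPLE_RULES"
echo "rdr rules for port 22: $(count_rdr_for_port 22 "$SAMPLE_RULES")"
```

A non-zero count after the forward has been deleted in the web UI means the ruleset pf is actually running still contains the redirect, which is the situation johnpoz describes: the configuration and the live rules disagree, and it is the live rules that decide whether port 22 is reachable. The script only lists rdr rules; existing states for already-open connections are a separate question, which is why johnpoz asks for the full `pfctl -sa` output rather than the rules alone.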
denningsrogue:

When removing the forward and rule did not work I put them back.
denningsrogue:

Mini server is 10.0.1.20
johnpoz (LAYER 8 Global Moderator):

"When removing the forward and rule did not work I put them back."

what does pfctl -sa show when you remove them!!
cmb:

@johnpoz:

    how exactly are you connected to the internet??  This is very strange - doing a traceroute to you

    13  ler2-axia-ge.yyc.platinum.ca (69.31.193.254)  81.638 ms  81.520 ms  81.319 ms
    14  10.17.3.6 (10.17.3.6)  76.219 ms  83.418 ms  79.970 ms
    15  10.17.2.6 (10.17.2.6)  106.304 ms  106.985 ms  96.545 ms

    How can there be 10.x addresses in the trace from me to you??

Some routers in the path there with private IP addressing. Generally ISPs don't do that for a variety of reasons, but there are some (largely outside the US, where IP space is more scarce) who have no choice. Some use CGNAT reserved IP space for that as well, and some do questionable things like Shaw Canada uses US DoD-assigned 7.0.0.0/8 IP space internally (DoD doesn't announce 7./8 on the Internet so that's OK…for now at least).

That's less than ideal, but not in and of itself indicative of any kind of problem.
denningsrogue:

With the great help of johnpoz I finally got port 22 closed.  I had to delete my ssh forward and rule and then reboot.  Thanks again John.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.