Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking SSH - Firewall Rule Troubles - SOLVED

    Scheduled Pinned Locked Moved Firewalling
    59 Posts 6 Posters 17.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      acherman
      last edited by

      Yah, I understand how the default "implicit block" rule works.  My floating tab is empty.  Here are screenshots of my WAN1 and WAN2 rules.

      1 Reply Last reply Reply Quote 0
      • A
        acherman
        last edited by

        Also, with my understanding of the default block rule, I feel like I shouldn't even need the top couple of rules since I don't allow SSH (or HTTPS) anywhere (except the very last rule to the Public interface), but I tried adding them anyway, with no change.

        Also, for reference, the Public subnet routed via BGP is the 64.141.x.x subnet.  It looks like most of the SSH attempts come into the Public interface IP (real) of the CARP failover box (based on flow data), although they show up in the System logs of the Master.

        1 Reply Last reply Reply Quote 0
        • A
          acherman
          last edited by

          Well, it seemed like the best approach (or the only one that worked) was to change the port number SSH is on.  I really have no idea why the traffic was being allowed through, based either on the default block or even the rules I manually added.  I suppose this will do for now.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            You sure firewall is on??
            Sorry but something is clearly F'd up and you need to fix it, if you have 1 port that is getting through, how do you know you don't have all the others?  There should be no reason to create those rules, and clearly they are not working anyway.

            What is your openvpn tab show..  There was something that openvpn was exposing something to real world..

            what does
            pfctl -sr

            show for your rules..

            edit:  Ok one thing that could be the problem is you have a any any rule for public net..  So what exact address are they hitting?  For what possible reason would you have such a rule?  Any any on your WAN??

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • A
              acherman
              last edited by

              I'm glad someone agrees that something isn't right here.  Thanks. I only have one rule in my OpenVPN tab - allow local net to any.

              For the allow any any rule for the Public net, I assumed for the subnet that is routed to us via BGP that I would need to allow that net through the WAN interfaces.  I have ~600 residential WiSP customer NATed behind 1-10, and about 180 commercial customers directly on that network (20 and up).

              1 Reply Last reply Reply Quote 0
              • T
                tha_toadman
                last edited by

                I'm baffled with this situation as well and certainly agree that something isn't right. I too would like to block inbound ssh requests from the WAN (while leaving LAN connectivity enabled) and nothing I'm trying is working properly. When I scan my port 22 and the server is off, it obviously won't respond. When I enable the ssh server and scan, it responds without any rules defined (as expected). So then I decided to attempt a rule to allow LAN access but block all WAN requests. I clicked on my WAN tab and my 3rd entry was entered as follows:

                block IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none

                I enabled the server again, with the rule in place, and I was still seeing that the port was open from the WAN. I googled around and figured I might try a floating reject rule as well. I left the previous entry in the WAN rules but added the same as above to my Floating rules. I put this in as the 1st entry. I saved the config, bounced the SSH server (checkbox from System > Advanced), scanned again and sure enough it was still seeing port 22 as open.

                I should also point out that I do have OpenVPN enabled as well. I'm at a loss as to what I could try next.

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Here is the thing.. By default pfsense blocks all inbound traffic to wan..  So unless you create a rule to allow it - its going to be blocked..  Do you have firewall off?

                  He clearly has a rule that is any any to "public net"  My my guess that is what is being hit for him.

                  I have ssh enabled on my lan, I hit it every day to be honest..  But from public its denied.. I see hits to it all the time, see previous pic..  If its not being blocked you got something wrong in your rules..  Please post your floating rules and wan rules..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • BBcan177B
                    BBcan177 Moderator
                    last edited by

                    An interesting article by Fireeye about recent SSH brute force attacks. Almost makes you want to open ssh on the WAN  ;D

                    https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html

                    "Experience is something you don't get until just after you need it."

                    Website: http://pfBlockerNG.com
                    Twitter: @BBcan177  #pfBlockerNG
                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      If you want to have fun with ssh, run a honeypot and see the IPs from china light you up like a xmas tree ;)

                      To be honest anyone that would run a ssh server that allows passwords is asking for trouble, whenever I bring up something that has ssh enabled - first thing I do is enable public key and turn off password auth.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        block IPv4 TCP/UDP  *  22 (SSH)  WAN address  22 (SSH)  *  none

                        Don't use a source port.  Source ports are random.  That rule will never match.

                        Those block ssh rules do nothing because you never pass ssh below them.

                        What do PUBLIC address and PUBLIC net expand to?  You are probably passing the TCP/22 traffic with that last pass any to PUBLIC net rule.

                        This would be a lot easier to diagnose without all the obfuscation of IP addresses.

                        ![Screen Shot 2015-02-09 at 9.09.23 PM.png](/public/imported_attachments/1/Screen Shot 2015-02-09 at 9.09.23 PM.png)
                        ![Screen Shot 2015-02-09 at 9.09.23 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-02-09 at 9.09.23 PM.png_thumb)

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • A
                          acherman
                          last edited by

                          So, I did mention it in the original post, but the "Public" net is the one that is advertised by us via BGP.  Consider it a DMZ of hosts - 64.141.y.x.  To permit routing to those hosts via the two WAN interfaces, do I not need to implicitly allow traffic to them, to avoid the default block rule???

                          1 Reply Last reply Reply Quote 0
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            Yes.

                            Please post all applicable interfaces, subnets, and rules.  Trying to help you with everything obfuscated is nearly impossible.  PM if you must. They're just IP addresses.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              You would need to allow the services you want to run on those IP.. that sure and the hell wouldn't be a any any ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • A
                                acherman
                                last edited by

                                So if I am serving Internet to multiple commercial/industrial customers on that network, shouldn't I be passing everything to them and letting them control their own firewalling?  I will take new screenshots of all rules and post them in a minute…

                                1 Reply Last reply Reply Quote 0
                                • A
                                  acherman
                                  last edited by

                                  Okay, soooo….

                                  Shaw WAN (WAN1) - 64.141.127.248/29
                                  Telus WAN (WAN2) - 204.191.241.0/29
                                  Public (~DMZ) - 64.141.125.0/24 - advertised on both WANs via BGP

                                  Shaw WAN Rules:

                                  Telus WAN Rules:

                                  Pubic Interface Rules:

                                  All of these are for VoIP devices - companies host POTS lines here and we connect them to VoIP adapters and transport to their remote facilities via our microwave network.

                                  Also, there are no rules in the floating tab.

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    acherman
                                    last edited by

                                    @johnpoz:

                                    To be honest anyone that would run a ssh server that allows passwords is asking for trouble, whenever I bring up something that has ssh enabled - first thing I do is enable public key and turn off password auth.

                                    I'm all for more security.  What do you mean?  Do you use a hardware credential?  On these two systems I am the only one that ever uses SSH for access (but limited access).

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      public key auth - look it up.  Takes 2 seconds to implement.

                                      So your routing traffic to this segment behind pfsense.  So pfsense has an IP in this network, and it listens on ssh because you enable ssh.  So block ssh to that interface IP.

                                      So this segment
                                      Public (~DMZ) - 64.141.125.0/24

                                      Pfsense is what 64.141.125.1 ??  Block traffic to pfsense IP from the public internet - I agree your customers need to do their own firewall if not using your services for that.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        acherman
                                        last edited by

                                        That's what I had done originally - I had rules to block SSH to the interface's real IP and the CARP IP.  I will add them again right now.

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          And you mention you see stuff in the logs for attempted auth.. And what IP are they authing too?

                                          If that is the IP I can validate if ssh is open to the public.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            tha_toadman
                                            last edited by

                                            That's what I had done originally…

                                            I did the same. My rules don't seem to work after I enable the SSH server via the checkbox.

                                            Floating:
                                            block    IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none

                                            WAN:
                                            block    IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.