Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Blocking SSH - Firewall Rule Troubles - SOLVED

    Scheduled Pinned Locked Moved Firewalling
    59 Posts 6 Posters 17.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      acherman
      last edited by

      Okay, soooo….

      Shaw WAN (WAN1) - 64.141.127.248/29
      Telus WAN (WAN2) - 204.191.241.0/29
      Public (~DMZ) - 64.141.125.0/24 - advertised on both WANs via BGP

      Shaw WAN Rules:

      Telus WAN Rules:

      Pubic Interface Rules:

      All of these are for VoIP devices - companies host POTS lines here and we connect them to VoIP adapters and transport to their remote facilities via our microwave network.

      Also, there are no rules in the floating tab.

      1 Reply Last reply Reply Quote 0
      • A
        acherman
        last edited by

        @johnpoz:

        To be honest anyone that would run a ssh server that allows passwords is asking for trouble, whenever I bring up something that has ssh enabled - first thing I do is enable public key and turn off password auth.

        I'm all for more security.  What do you mean?  Do you use a hardware credential?  On these two systems I am the only one that ever uses SSH for access (but limited access).

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          public key auth - look it up.  Takes 2 seconds to implement.

          So your routing traffic to this segment behind pfsense.  So pfsense has an IP in this network, and it listens on ssh because you enable ssh.  So block ssh to that interface IP.

          So this segment
          Public (~DMZ) - 64.141.125.0/24

          Pfsense is what 64.141.125.1 ??  Block traffic to pfsense IP from the public internet - I agree your customers need to do their own firewall if not using your services for that.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • A
            acherman
            last edited by

            That's what I had done originally - I had rules to block SSH to the interface's real IP and the CARP IP.  I will add them again right now.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              And you mention you see stuff in the logs for attempted auth.. And what IP are they authing too?

              If that is the IP I can validate if ssh is open to the public.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • T
                tha_toadman
                last edited by

                That's what I had done originally…

                I did the same. My rules don't seem to work after I enable the SSH server via the checkbox.

                Floating:
                block    IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none

                WAN:
                block    IPv4 TCP/UDP * 22 (SSH) WAN address 22 (SSH) * none

                1 Reply Last reply Reply Quote 0
                • A
                  acherman
                  last edited by

                  I just added the rules again and changed the port back to default 22.  You can try to SSH to 64.141.125.250, .251 or .254 (CARP).

                  1 Reply Last reply Reply Quote 0
                  • T
                    tha_toadman
                    last edited by

                    I just added the rules again and changed the port back to default 22.  You can try to SSH to 64.141.125.250, .251 or .254 (CARP).

                    They are all open. Sounds like your rules aren't working either.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Source is not going to be 22  source could be ANY, and ssh is not UDP..

                      And yes that is open!! on the 250, 251 and 254

                      login as:

                      Password for admin@router1.morad:

                      251 shows
                      steve.morad

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • T
                        tha_toadman
                        last edited by

                        Ah, yep. Good point. I'll make the change and try again.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          dude you should not have to put in any rules.. There is a default DENY!!  Are you allowing traffic in like the OP?

                          if your going to block it has to be above your allow rule - post your rules.

                          If you have an allow for that segment, then above it put in a block to those specific addresses.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • A
                            acherman
                            last edited by

                            For me, I pretty much never put in a source port.  As others have said, they are usually random, so no point.  And also, I put them right at the top - since they are handled from the top down, start with the most specific and go from there.

                            1 Reply Last reply Reply Quote 0
                            • A
                              acherman
                              last edited by

                              My DMZ, or Public routed interface rules look like this now…

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                so anherman - are you rules in place to block it then?  Cuz they are still open.  2 all 3 IPs.

                                So you have a 1:1 nat setup or something?  Or your just routing the traffic?

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • A
                                  acherman
                                  last edited by

                                  Yup, those rules are active.  No, no 1:1 set up at all.  I do have some inbound stuff set up, but specific ports like 21, 80, 443, etc.  Although I do have a couple that I have all ports forwarded to 3 customer devices, just because I don't know what ports they use - those are the ones noted in the middle of the WAN rules (noted as BCM access).  But those are other IPs.  Dumb question, how can I see what IP's they are trying to get authed on?  My pfflowd packages aren't  working, so I'm not sure how to look.

                                  1 Reply Last reply Reply Quote 0
                                  • T
                                    tha_toadman
                                    last edited by

                                    For me, I pretty much never put in a source port.  As others have said, they are usually random, so no point.  And also, I put them right at the top - since they are handled from the top down, start with the most specific and go from there.

                                    Yeah it was towards the end of the day when I put that original rule in. I've since modified it to read as:

                                    block  IPv4 TCP * * WAN address 22 (SSH) * none

                                    I've corrected both the Floating and the WAN but I'm still telling you, SSH is open. The default deny isn't working in this case. Once that SSH server is enabled, it's WAN accessible on my box.

                                    My top 3 rules on the WAN tab (apologies on the formatting):

                                    block *            Reserved/not assigned by IANA * * *                         *        *   * Block bogon networks
                                    block *         Private_Networks                      * *      *                         *      none (custom rule)
                                    block IPv4 TCP *                                         * WAN address 22 (SSH) * none Block SSH remote access

                                    I don't have any 1:1 going either.

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      ok heres another thing - once you create the rules to block.  You have to kill the states.. So for example got in.. You need to kill all the states from my IP, or flush them all.  Or have to wait til they expire.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        acherman
                                        last edited by

                                        I actually added the rules, and then I turned SSH on and back to 22.  Would that have not allowed the states to begin with?  Or no?

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          no that would not have flushed the states in the firewall.  That just tells the box to listen or not listen.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • A
                                            acherman
                                            last edited by

                                            Okay, I just reset all states - that should confuse some people.  I will watch the logs now…

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.