IP blocked in Rules but still accessing FTP

Category: Firewalling | 87 Posts | 9 Posters | 10.6k Views
    johnpoz LAYER 8 Global Moderator
    last edited by May 8, 2015, 2:15 PM

    As dok has stated, remove that mess.  And then we have a limited set of rules to deal with.  If you send me the IP of the server that is getting login attempts, I can test that myself.  If you log all the rules then I can give you the IP I am coming from and validate what rule is letting it in.

    If you let the world into your server's port 80 (http), then there would be no reason for a specific allow rule.  It's possible your mess of blocks was blocking Cloudflare; you're using aliases that you don't even know the full listing of IPs for?

    As stated already it is much cleaner to just whitelist what you want to allow access into.

    "It's an alias of the ports used by the various servers"

    What specific ports are those - since it's an any rule for dest IP, if a port is in there you could hit server 2 even if you only want someone to hit server 1 with the rule, etc. Then you have the other any any rule that is completely censored, and I have no idea what the dest or ports are, etc..

    Clear out all those pfblocker rules, now you have a smaller set of rules to work with - log them all, and then do a test from outside to this server you're seeing logins on and we can see which rule is letting it in.  Again if you PM me this IP I would be happy to test it for you and let you know what IP I am coming from so you can filter your logs for it and validate the problem in the rules that is letting that in.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

      2chemlud Banned
      last edited by May 8, 2015, 3:34 PM

      First part was funny, but then things went out of control. As usual lately in this forum.

      @Dok and @John, in which part of the civilized world is this the way to communicate with peers asking for help with a problem significant to them?

      I have a suspicion, but in my opinion even kids in worst-case countries are hardly treated worse than grown-ups in this forum.

      A little more respect and a little more cultivated style of discussion would be extremely helpful.

      Kind regards

      chemlud

        johnpoz LAYER 8 Global Moderator
        last edited by May 8, 2015, 3:39 PM

        This is the internet - who said anything about the civilized world? ;)

        And I have been nothing but straightforward and blunt..  I have offered help and advice.  But I cannot help those who won't give info and black out info that could be useful in figuring out his mess.


          cdsJerry
          last edited by May 8, 2015, 4:39 PM

          Thank you 2chemlud.  A person certainly needs a fire suit before posting.  As John said, "This is the Internet."  I've been online since 1976 and have seen things come and go, but the ability to hurt people from behind the keyboard has never been used so much as in the past 10-15 years.  The Internet is a two-edged sword.  Both sides cut.

          I've sent John a PM to accept  his kind offer.

            johnpoz LAYER 8 Global Moderator
            last edited by May 8, 2015, 7:08 PM (posted May 8, 2015, 6:55 PM)

            So did a quick scan of the IP cdsJerry sent me - see attached, lots of PORTS open.. That was just a quick scan of the top 1000..

            I could hit his ftp server via tls..  And I get start of connection from ssh.. But not a real prompt or anything.. Still looking into that - but clearly 22 open along with other ports.

            I would really suggest you lock this down.. if it's supposed to be an FTP server then the only port allowed to it should be ftp..

            edit:  Ok I figured out the port 22 thing.. Why are you running ftp on port 22?  That is not a good idea.. And you also have it on 21 and ftps, etc. etc.

            [attachments: quickscan.png, ftpserveron22.png]


              almabes
              last edited by May 8, 2015, 7:12 PM

              I'd highly suggest rewriting the rules in their entirety.  What you have is not easily maintainable.

              I suspect it's a floating rule somewhere that's biting you.
              I'm not big on floaters, but I suspect they have their place.
              If you're not up for dumping the rule set and rebuilding it from scratch, have you tried rewriting that badguys rule to be a floater and placing it at the top of the list?

                johnpoz LAYER 8 Global Moderator
                last edited by May 8, 2015, 7:41 PM

                Per your PM - your rules should not be open like that.  If you have a server that is FTP then the rule should be to that IP to ftp.  If the same server is running ssh, then sure that could be in the same rule or even a different rule.

                But when you create an any/any sort of rule with ports you now open up all your servers on all the ports you put in your alias - to the public, for example.  Exposing services that machine might be running that you don't want open.

                And for the life of me I can not figure out what you're doing on 22, that is not sftp - that is ftp over port 22.  Who is using that??  They are different protocols..


                  cdsJerry
                  last edited by May 8, 2015, 7:51 PM

                  On Filezilla's wiki…. "Most normal FTP servers use port 21, SFTP servers use port 22 and FTP over SSL/TLS (implicit mode) use port 990 by default."  That's why the port is mapped to that service.

                  When you run the setup wizard from Filezilla, it automatically sets port 22 as an SFTP port and starts to listen on that port.

                    cdsJerry
                    last edited by May 8, 2015, 8:02 PM

                    @johnpoz:

                    But when you create an any/any sort of rule with ports you now open up all your servers on all the ports you put in your alias - to the public, for example.  Exposing services that machine might be running that you don't want open.

                    And for the life of me I can not figure out what you're doing on 22, that is not sftp - that is ftp over port 22.  Who is using that??  They are different protocols..

                    All the ports on your scan are in use by that physical machine for the services running on it.  None of those ports could be closed from the public without causing problems with the programs listening on those ports.

                    The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?

                      doktornotor Banned
                      last edited by May 8, 2015, 8:07 PM

                      @cdsJerry:

                      The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?

                      Round and around and around and around we go… Ridiculous. As you can see, no outsider can get a clue from the mess you are doing on your firewall. Why on earth are you asking other people such questions? Absolutely no one here on this thread can make any sense of what you are doing there. And absolutely everyone told you that you have an unmaintainable, incomprehensible mess there.

                      Still no lesson learnt?

                      :( >:( >:(

                        hda
                        last edited by May 8, 2015, 8:08 PM

                        @cdsJerry:

                        …
                        The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?

                        Because already granted? The "badguys" are not top of the list?

                          doktornotor Banned
                          last edited by May 8, 2015, 8:09 PM

                          @hda:

                          @cdsJerry:

                          …
                          The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?

                          Because already granted? The "badguys" are not top of the list?

                          This guy is a waste of time. That is what I suggested on page 1 of this thread. Together with 3 other suggestions and literally everyone here suggesting the OP sanitize the mess, all this advice falls on totally deaf ears.

                            cdsJerry
                            last edited by May 8, 2015, 8:21 PM

                            @hda:

                            @cdsJerry:

                            …
                            The question however is how can a specific machine that is listed in a block rule get past that block to access the ports passed by a rule further down the list?

                            Because already granted? The "badguys" are not top of the list?

                            I don't think that's it as there was only one rule above it and that was to pass a specific IP.  I HAVE changed that and made the badguys rule the #1 rule.  I know dok prefers to just keep throwing insults and call me names but changes have been made through this entire process.  He's less interested in finding a solution than trying to stir up people's emotions.  There are a total of 10 rules in my rule list.  Hardly the mess he'd have you believe.

                              doktornotor Banned
                              last edited by May 8, 2015, 8:39 PM

                                johnpoz LAYER 8 Global Moderator
                                last edited by May 8, 2015, 8:43 PM

                                FileZilla does not have an SFTP server.. Yes sftp runs on 22, and FileZilla can be a client to an SFTP server.. But it is not an SFTP server….

                                https://wiki.filezilla-project.org/FileZilla_FTP_Server
                                Support for SFTP (SSH File Transfer Protocol) is not implemented in Filezilla Server.

                                As to how something gets past your block to something that shouldn't even be listening in the first place?? I'm with dok, this has just gone round and round..

                                I would be happy to figure out where your problem is - but as stated your current setup is a mess and pointless.  There is a default block rule.. if anyone gets anywhere it's because one of your allow rules allows it.  Which one in the mess you have is the question.

                                Firewall rules are really simple - list out what services you need the public to get to, and create the specific allow rules for those and nothing more than those..  List each service you have with what IP it listens on.  Then create the rules.  You have a mess there that is very difficult to follow.  And never in my life would I put an any/any rule to the public net.  Fine that you allow any as source, but the destination should be the specific IPs that are running the services you want to allow and the ports should be just those ports.  Your combinations of any any and aliases just opens up every single port in the alias to every single server behind pfSense - bad bad bad juju!!!


                                  cdsJerry
                                  last edited by May 8, 2015, 8:53 PM

                                  The rule called PublicPorts only allows those ports in the PublicPorts alias to pass.  Every one of those ports is used by the server behind it.  I can (and will) break it down more to tie it to the IP, but it's still the same physical machine so there is a service intentionally listening on that port on that machine.

                                    doktornotor Banned
                                    last edited by May 8, 2015, 8:56 PM

                                    @johnpoz:

                                    And never in my life would I put an any/any rule to the public net.  Fine that you allow any as source, but the destination should be the specific IPs that are running the services you want to allow and the ports should be just those ports.  Your combinations of any any and aliases just opens up every single port in the alias to every single server behind pfSense - bad bad bad juju!!!

                                    I pointed this out two pages back. To be told that there are no rules that allow all traffic from anywhere to anywhere. Clearly, the rules are so wonderful and crystal clear that even the OP does not understand them. But we're all crazy of course.

                                    These rules are a complete disaster with this type of "transparent" firewall with public LAN IPs. Everyone who puts a mailserver behind this guy's firewall runs a public mailserver all of a sudden. Every box with SSH is wide open. HTTPS. FTP. All public. Proof is in the pudding. Ugh.

                                      johnpoz LAYER 8 Global Moderator
                                      last edited by May 8, 2015, 9:03 PM

                                      "Every one of those ports is used by the server behind it."

                                      But you have a dest of ANY, that is what the ***** means – that is ALL your servers for every one of those ports!!

                                      And every one of those services uses both udp and tcp??  Again on every single server you have..  In your PM you listed 8 different IPs behind pfSense - so that rule opens all those ports to every single one of those 8 IPs..  Are they different servers or 1 server with multiple IPs, I have no idea.

                                      But you don't put an ANY rule like that on your WAN...  What happens when you bring up a new server and now those ports are open on it and you don't want them open, etc..  Or you install a service like say ssh to admin the server from your LAN.. With that rule 22 is open to all your servers, even though it sounds like all you want to do is have sftp, but you don't even have an SFTP server running..

                                      [attachment: everyserver.png]


                                        doktornotor Banned
                                        last edited by May 8, 2015, 9:07 PM

                                        @johnpoz:

                                        What happens when you bring up new server and now those ports are open on it and you don't want them open

                                        Well, this happens. You go and pay the support to hide your inadvertently public DNS server abused for amplification attacks.

                                          stephenw10 Netgate Administrator
                                          last edited by May 8, 2015, 9:11 PM (posted May 8, 2015, 9:08 PM)

                                          Just to rein this in for a moment, I would guess that your badguys alias might contain both FQDNs and IPs, in which case the IPs may be getting dropped from it courtesy of this:
                                          https://redmine.pfsense.org/issues/4296

                                          Go to Diagnostics > Tables and check that the badguys alias actually has those IPs in it.

                                          Steve

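The three explanations offered in the thread (hda: a pass rule above the block already granted the traffic; johnpoz: a dest-any rule with a port alias opens every port in the alias on every host; stephenw10: an alias whose IP entries were dropped matches nothing) all follow from first-match evaluation with aliases. The small simulator below is an added example, not code from any poster or from pfSense; every IP, host and alias content is a constructed sample value, and only the alias names "badguys" and "PublicPorts" come from the thread.

```python
# Added example (not from this thread or pfSense): first-match evaluation of a
# small WAN rule list with aliases. All IPs, hosts and alias contents are
# constructed sample values; only the alias names come from the thread.
from ipaddress import ip_address, ip_network

def addr_matches(spec, addr, aliases):
    """spec is 'any', an alias name, or a literal IP/CIDR string."""
    if spec == "any":
        return True
    for entry in aliases.get(spec, [spec]):
        if ip_address(addr) in ip_network(entry, strict=False):
            return True
    return False  # also reached when the alias resolved to no entries at all

def port_matches(spec, port, aliases):
    if spec == "any":
        return True
    return port in {int(p) for p in aliases.get(spec, [spec])}

def evaluate(rules, aliases, src, dst, port):
    """Walk the list top-down; the first matching rule decides, and the
    implicit default deny applies when nothing matches."""
    for r in rules:
        if (addr_matches(r["src"], src, aliases)
                and addr_matches(r["dst"], dst, aliases)
                and port_matches(r["port"], port, aliases)):
            return r["action"], r["name"]
    return "block", "default deny"

def reachable(rules, aliases, hosts, ports, src):
    """(host, port) pairs that a given source address can reach."""
    return {(h, p) for h in hosts for p in ports
            if evaluate(rules, aliases, src, h, p)[0] == "pass"}

def rule(name, action, src, dst, port):
    return {"name": name, "action": action, "src": src, "dst": dst, "port": port}

ALIASES = {
    "badguys": ["198.51.100.0/24"],           # constructed attacker range
    "PublicPorts": [21, 22, 80, 443, 990],    # constructed port alias contents
}
HOSTS = ["203.0.113.10", "203.0.113.11"]     # constructed public LAN hosts; .10 runs FTP

# Pass rule above the block rule, destination any ("badguys not top of the list").
BLOCK_BELOW_PASS = [
    rule("pass PublicPorts", "pass", "any", "any", "PublicPorts"),
    rule("block badguys", "block", "badguys", "any", "any"),
]
# Block rule first, pass rule scoped to the one host and port that need it.
FIXED = [
    rule("block badguys", "block", "badguys", "any", "any"),
    rule("pass ftp to .10", "pass", "any", "203.0.113.10", "21"),
]

if __name__ == "__main__":
    bad, public = "198.51.100.9", ALIASES["PublicPorts"]
    print(evaluate(BLOCK_BELOW_PASS, ALIASES, bad, HOSTS[0], 21))  # pass: block never reached
    print(evaluate(FIXED, ALIASES, bad, HOSTS[0], 21))             # block badguys
    print(len(reachable(BLOCK_BELOW_PASS, ALIASES, HOSTS, public, "192.0.2.1")))  # 10
    print(reachable(FIXED, ALIASES, HOSTS, public, "192.0.2.1"))   # only (.10, 21)
    # Alias with its IP entries dropped: the block matches nothing, traffic passes.
    print(evaluate(FIXED, {**ALIASES, "badguys": []}, bad, HOSTS[0], 21))
```

The last case is why checking Diagnostics > Tables for the alias's actual contents matters: a block rule referencing an empty table is a no-op regardless of its position.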