Netgate Discussion Forum

    IP blocked in Rules but still accessing FTP

    Firewalling | 87 Posts, 9 Posters, 10.7k Views
    • doktornotor Banned

      @johnpoz:

      And never in my life would I put an any any rule to the public net.  Fine for you to allow any as source, but the destination should be the specific IPs that are running the services you want to allow and the ports should be just those ports.  Your combination of any any and aliases just opens up every single port in the alias to every single server behind pfSense - bad bad bad juju!!!

      I pointed this out two pages back, only to be told that there are no rules that allow all traffic from anywhere to anywhere. Clearly, the rules are so wonderful and crystal clear that even the OP does not understand them. But we're all crazy of course.

      These rules are a complete disaster with this type of "transparent" firewall with public LAN IPs. Everyone who puts a mail server behind this guy's firewall runs a public mail server all of a sudden. Every box with SSH is wide open. HTTPS. FTP. All public. Proof is in the pudding. Ugh.

      • johnpoz LAYER 8 Global Moderator

        "Every one of those ports is used by the server behind it."

        But you have a dest of ANY, that is what the * means – that is ALL your servers for every one of those ports!!

        And every one of those services uses both UDP and TCP??  Again, on every single server you have..  In your PM you listed 8 different IPs behind pfSense - so that rule opens all those ports to every single one of those 8 IPs..  Are they different servers or 1 server with multiple IPs? I have no idea.

        But you don't put an ANY rule like that on your WAN...  What happens when you bring up a new server and now those ports are open on it and you don't want them open, etc..  Or you install a service like, say, SSH to admin the server from your LAN.. With that rule 22 is open to all your servers, even though it sounds like all you want to do is have SFTP, but you don't even have an SFTP server running..

        [screenshot: everyserver.png]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • doktornotor Banned

          @johnpoz:

          What happens when you bring up a new server and now those ports are open on it and you don't want them open

          Well, this happens. You go and pay the support to hide your inadvertently public DNS server abused for amplification attacks.

          • stephenw10 Netgate Administrator

            Just to rein this in for a moment: I would guess that your Badguys alias might contain both FQDNs and IPs, in which case the IPs may be getting dropped from it courtesy of this:
            https://redmine.pfsense.org/issues/4296

            Go to Diagnostics > Tables and check that the badguys alias actually has those IPs in it.

            Steve

            • cdsJerry

              Hi Stephen.  The Badguys alias has only IPs listed, no FQDNs.

              There is only one server behind this pfSense installation and it answers to all the public IPs except for one which is routed to another firewall.  So yes, they could open port 21 on IP#1 and they could also open port 21 on IP#2, but in both cases they end up on the same server and the same port. I'll lock that down by allowing only the port associated with an IP to pass.  That seems like a good idea.

              I wiped out most of the Badguy blocks in trying to narrow down the list.  After all, they should all be blocked by other rules later or reach ports that will do their own blacklisting eventually.    I'll add some back in and see if they're still getting past the block.

              Diagnostics > Tables does include the IPs listed in Badguys.

              • cdsJerry

                Is this better? I have three IPs on the mail server that all need the same ports.  Mailports are ports 25, 587, 465, 110, 53, 446, 8088, and 8181.
                The FTPFilezilla port alias is 990, 21, 989.
                webserport is only ports 80, 443.
                The Employee alias is specific employee WAN IPs. I did change it to point to a specific IP after I grabbed the screenshot, so it now routes to a specific IP destination (the source being specific in the alias).

                [screenshot: rules.JPG]

                • hda

                  @cdsJerry:

                  …
                  He's less interested in finding a solution than trying to stir up people's emotions.  There are a total of 10 rules in my rule list.  Hardly the mess he'd have you believe.

                  I think Doktornotor is most of the time spot-on with posts and many a time fed up with unknowledgeable wannabes …
                  Take his advice without EMO. ;)

                  • cdsJerry

                    @hda:

                    I think Doktornotor is most of the time spot-on with posts and many a time fed up with unknowledgeable wannabes …
                    Take his advice without EMO. ;)

                    LOL - Maybe that's me!  If I knew the answer I wouldn't need to ask, but I wanna know. <g>  Like most people I respond better to the carrot than the stick.  And anyone who's been online for more than two minutes knows that just because someone tells you they have the answer doesn't mean they have the right answer.  Especially when they say things like toss it all out and start over after you've paid professional people to set up what you have.  It's best to look for some sort of consensus from people who want to help solve your issue rather than just making you look stupid.

                    • hda

                      @cdsJerry:

                      …
                      Especially when they say things like toss it all out and start over after you've paid professional people to set up what you have.  It's best to look for some sort of consensus from people who want to help solve your issue rather than just making you look stupid.

                      No. Your Functional & Operational Specifications for a supplier to construct a solution proved (and still seems) inadequate…

                      • cdsJerry

                        @hda:

                        No. Your Functional & Operational Specifications for a supplier to construct a solution proved (and still seems) inadequate…

                        Perhaps right.  He administers hundreds, if not thousands, of servers and knows a heck of a lot more than I do.  Perhaps he just didn't care about my little company to put the thought into it.  I've made a lot of changes since he set it up a couple of years ago as well.  Maybe I'm the one who messed some of it up.  It's certainly possible.  I'm still learning and hopefully it's getting better as I go.

                        Isn't that the intent of the forum? To help guys (like me) learn and improve our systems as well as maybe help the guy behind us who knows even less than we do?

                        • hda

                          @cdsJerry:

                          …
                          Isn't that the intent of the forum? To help guys (like me) learn and improve our systems as well as maybe help the guy behind us who knows even less than we do?

                          Yes, BUT you are (or want to be) the customer and you have to be able to judge the result of the supplier w.r.t. YOUR goals.
                          For me there is no such thing as "I do not understand the firewall-rules priority of pfSense (or iptables), I have my supplier(s) for that…".

                          • cdsJerry

                            @hda:

                            Yes, BUT you are (or want to be) the customer and you have to be able to judge the result of the supplier w.r.t. YOUR goals.
                            For me there is no such thing as "I do not understand the firewall-rules priority of pfSense (or iptables), I have my supplier(s) for that…".

                            That would be true, but I can't afford to hire him any longer. Things are really tight for a small business like mine.  Is that the perfect solution? No.  But I have to do the best I can with the resources I have and, unfortunately for me, I'm all I can afford.

                            • Derelict LAYER 8 Netgate

                              The most recent version has:

                              Block IPv4 * Badguys * * *

                              That will block all IPv4 traffic from anything in Badguys.  I see you have it set to log.  You have it as the first rule on, presumably, WAN.

                              RIGHT BELOW THAT put an identical rule that passes traffic from Badguys.  Also set it to logging.  You might want to restrict the destination to the IP and port of the FTP server you claim is still being accessed despite the block rule.

                              Then CLEAR ALL YOUR STATES.

                              Then post the output from Diagnostics > Tables Badguys.

                              Then post the firewall logs of SUBSEQUENT traffic from an IP address in Badguys, into WAN, that's being forwarded to the FTP server.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              • cdsJerry

                                Ok. I've added the pass rule under the block rule and pointed that traffic to the FTP server.  I reset the tables.  I checked the table for Badguys and it still has the IPs to block (you want me to post the list of IPs?).  I'll have to wait until they hit the FTP server again, but I'm guessing I won't see it any more since port 22 is no longer open on the FTP server, nor is port 22 directed to the FTP server in the rules/aliases any more.

                                I don't know why the Filezilla wizard set up port 22 if Filezilla doesn't support that transfer, but at any rate it's been removed from the listening ports list and the firewall alias.

                                Being late on a Friday I may not check to see what gets logged until Monday.

                                Thank you for your help.

                                • Derelict LAYER 8 Netgate

                                  I would figure you'd just add an outside IP to the alias and try it from there.

                                  Sorry.  I didn't read this whole convoluted thread.  I'm sure it's been covered but 22 is SSH, not FTP.


                                  • doktornotor Banned

                                    @cdsJerry:

                                    Is this better? I have three IPs on the mail server that all need the same ports.  Mailports are ports 25, 587, 465, 110, 53, 446, 8088, and 8181.
                                    The FTPFilezilla port alias is 990, 21, 989.
                                    webserport is only ports 80, 443.

                                    Yeah, quite a bit better. So, a couple of notes on your earlier post:

                                    @cdsJerry:

                                    PHillOffice is a pass for a router located behind pfsense.  We had some problems with valid traffic being blocked between pfsense and the router.  I don't remember the specifics any more as that's been several years ago now.

                                    This just does not make sense. Other things left aside, if it's behind pfSense, the rules do NOT belong on WAN. They can never get hit there. Rules are applied on the interface where the traffic first hits the firewall (inbound). E.g., if traffic comes from LAN, you need rules on LAN to do something about it.

                                    @cdsJerry:

                                    ServerIPs was added by the person hired to set up pfSense the first time. It's an alias which sets a pass for traffic to our public IPs and allows only IPv4 traffic into the network since that's all we're set up for.  An Alias lists the IP addresses used.

                                    I don't follow. This allows access to pfSense and anything behind it from those ServerIPs for what purpose? Why do these "ServerIPs" need unrestricted access to anywhere? You realize that when those external ServerIPs get compromised, that unrestricted access gives them complete access to pfSense and behind?

                                    @cdsJerry:

                                    Employee is for a handicapped employee who often can only work from home. I installed an internet connection at her house just for company use. We had problems with her not being able to access some items such as phones until we added this rule.  She still has to connect via a VPN (rule later) to get into the router that's located behind pfSense.

                                    It just does not work this way. Normal rules (non-floating) are applied first match, from top to bottom. Anything "later" will get ignored.

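As an added illustration (not code from this thread or from pfSense), this Python model reproduces the two behaviours the posts above and Derelict's procedure earlier rely on: non-floating rules are evaluated top to bottom with the first match deciding, and an already-established state keeps passing traffic until the states are cleared. The alias names follow the thread; every address below is a constructed sample value.

```python
"""First-match rule evaluation plus a state table, modelled on the pfSense
behaviour discussed in this thread (non-floating rules are evaluated top to
bottom, first match wins; existing states keep passing until cleared).

Added illustration for this thread, not pfSense's own code.  Alias names
mirror the thread; every address below is a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample aliases.  Mailports is the port list cdsJerry posted.
ALIASES = {
    "Badguys":      ["203.0.113.0/24"],
    "MailIPs":      ["198.51.100.10", "198.51.100.11", "198.51.100.12"],
    "FTPIP":        ["198.51.100.20"],
    "Mailports":    [25, 587, 465, 110, 53, 446, 8088, 8181],
    "FTPFilezilla": [21, 989, 990],
}


@dataclass
class Rule:
    action: str   # "block" or "pass"
    src: str      # alias name or "any"
    dst: str      # alias name or "any"
    ports: str    # alias name (destination ports) or "any"


def in_alias(value, alias):
    """True if an address (str) or port (int) is covered by the alias, or the alias is 'any'."""
    if alias == "any":
        return True
    entries = ALIASES[alias]
    if isinstance(value, int):
        return value in entries
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def first_match(rules, src, dst, dport):
    """Return (action, index of the deciding rule); index None means the implicit default deny."""
    for idx, rule in enumerate(rules):
        if in_alias(src, rule.src) and in_alias(dst, rule.dst) and in_alias(dport, rule.ports):
            return rule.action, idx
    return "block", None


class StatefulFirewall:
    """A packet matching an existing state never reaches the rule set, which is
    why a newly added block rule only bites after the states are cleared."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    def packet(self, src, dst, dport):
        key = (src, dst, dport)
        if key in self.states:
            return "pass (existing state)"
        action, _ = first_match(self.rules, src, dst, dport)
        if action == "pass":
            self.states.add(key)
        return action

    def clear_states(self):
        self.states.clear()


# Block rule at the top (Derelict's layout) versus the same block rule placed "later".
RULES_BLOCK_FIRST = [Rule("block", "Badguys", "any", "any"),
                     Rule("pass", "any", "MailIPs", "Mailports"),
                     Rule("pass", "any", "FTPIP", "FTPFilezilla")]
RULES_BLOCK_LATER = RULES_BLOCK_FIRST[1:] + RULES_BLOCK_FIRST[:1]
# The "any" destination pattern johnpoz criticised: port 21 is reachable on every server IP.
RULES_ANY_DST = [Rule("pass", "any", "any", "FTPFilezilla")]
```

With the block rule placed after the pass rules, a Badguys source reaching the FTP IP on port 21 is passed by the earlier rule and the block is never consulted; the same packet is blocked when the rule sits first, and a state created before the block rule was added keeps passing until `clear_states()` is called.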
                                    • johnpoz LAYER 8 Global Moderator

                                      "I don't know why the Filezilla wizard set up port 22 if Filezilla"

                                      What are you saying the wizard did, listen on 22??  Or open up your firewall?  FileZilla Server does nothing on 22..

                                      And yes this looks cleaner to me..

                                      Why do you think mail ports are 53?  And 8088, 8181???  446?  And as to 110..  Really you are using unencrypted pop3?

                                      [screenshot: muchcleaner.png]


                                      • doktornotor Banned

                                        @johnpoz:

                                        Why do you think mail ports are 53?

                                        Afraid the public DNS is back…  ::)

                                        • johnpoz LAYER 8 Global Moderator

                                          Well, I scanned some of the IPs he gave me for his mail server, not seeing 53 open on the IPs he gave me.. So maybe he has 53 open to his "mailserver" IPs but luckily they are not listening on it..

                                          open port 993/tcp
                                          open port 587/tcp
                                          open port 995/tcp
                                          open port 443/tcp
                                          open port 110/tcp
                                          open port 8181/tcp
                                          open port 8088/tcp
                                          open port 465/tcp

                                          I would really validate that you're not allowing ports that are not really needed, because if you bring up for example DNS on that box - it's open to the net, etc.

                                          Not sure what mail services run on 8088 and 8181??  And for being a mail server, why is 25 not listening.. Does this mail server only send??  Not sure how it would accept mail for billy@whateverdomain.tld if not listening on 25..  And if only sending - none of those ports need to be open to it??


                                          • cdsJerry

                                            Looks like I could kill port 53. I'll try.  It's listed as an imail port in their docs but must be outbound.  I will remove it.

                                            Ports 8181 and 8088 are used by the anti-spam software and must be opened or it won't work.  446 is not open.  443 is listed for imail's Web Mail SSL.  It is a mail server with port 25 open in pfSense and the server is listening on it in addition to 587. imail will try to connect on 587 first, so if your system supports it, it will use port 587.  We do use port 110 on outgoing mail, but with TLS, and are trying to move to 995 over time so we can close 110.

                                            On the Employee rule, we'd had problems from the handicapped person's house until we added that rule.  She connects via VPN, but when we didn't have that rule, her phones wouldn't work.  As she's outside, she's hitting pfSense before she gets to the router that handles her VPN connection into the LAN. Its only access is from a single IP to a single router which is also firewalling.  It seemed like an acceptable risk versus her not being able to work.

                                            I didn't add the ServerIPs rule. The guy who set it up created that rule. If I remember correctly, it was supposed to limit only IPv4 traffic to pass, but didn't care where it passed to. If it's not limiting traffic to IPv4 traffic, then I'm not sure what it's doing either.  The other things are behind a router firewall but pfsense is my main defense.  I've posted the rule below.  See any reason I can't just delete the rule?

                                            PHillOffice.  The only access to the pfsense GUI on a transparent mode system is via the WAN.  We didn't want to accidentally lock ourselves out of pfsense and not be able to fix it.  There's no LAN address for the gui.

                                            I don't see anything in the logs that looks out of place from over the weekend and I don't see any SSH attempts on the FTP server from over the weekend, just your normal login attempts and valid traffic.

                                            Thank you all for your help.

                                            [screenshot: serverips.JPG]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.