IP blocked in Rules but still accessing FTP

Derelict

The most recent version has:

Block IPv4 * Badguys * * *

That will block all IPv4 traffic from anything in Badguys. I see you have it set to log. You have it as the first rule on, presumably, WAN.

RIGHT BELOW THAT put an identical rule that passes traffic from Badguys. Also set it to logging. You might want to restrict the destination to the IP and port of the FTP server you claim is still being accessed despite the block rule.

Then CLEAR ALL YOUR STATES.

Then post the output from Diagnostics > Tables Badguys.

Then post the firewall logs of SUBSEQUENT traffic from an IP address in Badguys, into WAN, that's being forwarded to the FTP server.

cdsJerry

Ok. I've added the pass rule under the block rule and pointed that traffic to the ftp server. I reset the tables. I checked the table for badguys and it still has the IPs to block (you want me to post the list of IPs?). I'll have to wait until they hit the FTP server again but I'm guessing I won't see it any more since port 22 is no longer open on the FTP server nor is port 22 directed to the ftp in the rules/aliases any more.

I don't know why the Filezilla wizard set up port 22 if Filezilla doesn't support that transfer, but at any rate it's been removed from the listening ports list and the firewall alias.

Being late on a Friday I may not check to see what gets logged until Monday.

Thank you for your help.

Derelict

I would figure you'd just add an outside IP to the alias and try it from there.

Sorry. I didn't read this whole convoluted thread. I'm sure it's been covered but 22 is SSH, not FTP.

doktornotor

@cdsJerry:

Is this better? I have three IPs on the mail server that all need the same ports. Mailports are ports 25,587,465,110,53,446,8088,and 8181.
FTPFilezilla port alias are 990, 21, 989
webserport are only ports 80, 443

Yeah, quite a bit bitter. So, a couple of notes on your earlier post

@cdsJerry:

PHillOffice is a pass for a router located behind pfsense. We had some problems with valid traffic being blocked between pfsense and the router. I don't remember the specifics any more as that's been several years ago now.

This just does not make sense. Other things left aside, if it's behind pfSense, the rules do NOT belong on WAN. Can never get hit there. Rules are applied on interface where the traffic first hits the firewall (inbound). E.g., if traffic comes from LAN, you need rules on LAN to do something about it.

@cdsJerry:

ServerIPs was added by the person hired to set up pfSense the first time. It's an alias which sets a pass for traffic to our public IPs and allows only IPv4 traffic into the network since that's all we're set up for. An Alias lists the IP addresses used.

I don't follow. This allows access to pfSense and anything behind from what ServerIPs for what purpose? Why do these "ServerIPs" need unrestricted access to anywhere? You realize that when those external ServerIPs get compromised, that unrestricted access gives them complete access to pfSense and behind?

@cdsJerry:

Employee is for a handicapped employee who often can only work from home. I installed an internet connection at her house just for company use. We had problems with her not being able to access some items such as phones until we added this rule. _She still has to connect via a VPN (rule later) to get into the router that's located behind pfSense.

It just does not work this way. Normal rules (non-floating) are applied first match, from top to bottom. Anything "later" will get ignored._

johnpoz

"I don't know why the Filezilla wizard set up port 22 if Filezilla"

What are saying the wizard did, listen on 22?? Or open up your firewall? filezilla server does nothing on 22..

And yes this looks cleaner to me..

Why do you think mail ports are 53? And 8088, 8181??? 446? And as to 110.. Really you are using unencrypted pop3?

muchcleaner.png_thumb

doktornotor

@johnpoz:

Why do you think mail ports are 53?

Afraid the public DNS is back… ::)

johnpoz

well I scanned some of the ips he gave me for his mail server, not seeing 53 open on the ips he gave me.. So maybe he has 53 open to his "mailserver" ips but lucky they are not listening on it..

open port 993/tcp
open port 587/tcp
open port 995/tcp
open port 443/tcp
open port 110/tcp
open port 8181/tcp
open port 8088/tcp
open port 465/tcp

I would really validate that your not allowing ports that are not really needed, because if you bring up for example dns on that box - its open to the net, etc.

not sure what mail services run on 8088 and 8181 ?? And for being a mail server why is 25 not listening.. Dos this mail server only send?? Not sure how it would except mail for billy@whateverdomain.tld if not listening on 25.. And if only sending - none of those ports need to be open to it??

cdsJerry

Looks like I could kill port 53. I'll try. It's listed as an imail port in their docs but must be outbound. I will remove it.

Port 8181 and 8088 are used by the anit-spam software and must be opened or it won't work. 446 is not open. 443 is listed for imail's web Mail SSL. It is a mail server with port 25 open in the pfsense and the server is listening in addition to 587. In imail will try to connect on 587 first so if your system supports it, it will use the 587 port. We do use port 110 on outgoing mail, but with TLS. And are trying to move to 995 over time so we can close 110.

On the Employee rule, we'd had problems from the handicapped person's house until we added that rule. She connects via VPN but when we didn't have that rule, her phones wouldn't work. As she's outside, she's hitting pfsense before she gets to the router that handles her VPN connection into the LAN. It's only access is from a single IP to a single router which is also firewalling. It seemed like an acceptable risk versus her not being able to work.

I didn't add the ServerIPs rule. The guy who set it up created that rule. If I remember correctly, it was supposed to limit only IPv4 traffic to pass, but didn't care where it passed to. If it's not limiting traffic to IPv4 traffic, then I'm not sure what it's doing either. The other things are behind a router firewall but pfsense is my main defense. I've posted the rule below. See any reason I can't just delete the rule?

PHillOffice. The only access to the pfsense GUI on a transparent mode system is via the WAN. We didn't want to accidentally lock ourselves out of pfsense and not be able to fix it. There's no LAN address for the gui.

I don't see anything in the logs that looks out of place from over the weekend and I don't see any SSH attempts on the FTP server from over the weekend, just your normal login attempts and valid traffic.

Thank you all for your help.

serverips.JPG_thumb

doktornotor

@cdsJerry:

Port 8181 and 8088 are used by the anit-spam software and must be opened or it won't work.

Uhm… What kind of antispam? You normally run your antispam/antivirus on localhost only and the messages are passed to it locally via the mailserver. Why should it be accessible remotely?

@cdsJerry:

446 is not open.

Noone mentioned it here.

@cdsJerry:

It is a mail server with port 25 open in the pfsense and the server is listening in addition to 587.

Hmmm, not per the nmap output above. Renders your mailserver completely useless as far as MX records are concerned. Not really sure how are you receiving any mail from outside.

@cdsJerry:

I didn't add the ServerIPs rule … See any reason I can't just delete the rule?

I certainly cannot see any reason to keep a wide open rule with unknown purpose set up by some third party.

johnpoz

now that I think about it, that scan was from my home box - I believe comcast blocks outbound 25, so that might be why it shows not there. let me run the scan from one of my vpses..

edit: I keep forgetting comcast blocks 25 to outside their network.

From simple test to 25 atleast he is not open relay, but his PTR does not match - so going to get blocked sending email to lots of major players..

while 443 is open – got to love how the cert is selfsigned and quite out of date without even a valid cn. See the big fat F from ssl testing ;) And this is what your using access email with?
Not valid after: 2012-09-21T23:00:00+00:00

And also still offering ssl2 ?

The more I look into this mess, the worse and worse it gets.. Dude you have a HUGE amount of work to do!!!

newscan.png_thumb

failedssl.png_thumb

cdsJerry

I run Cyren's anti spam and it will only work if the ports are open. http://www.imailserver.com/products/imail-server/spam-filtering/

Comcast does block port 25.

We're getting our mail just fine on all our domains.

I've disabled the ServerIP's rule as suggested.

KOM

We're getting our mail just fine on all our domains.

It's not receipt that will be your problem, but sending. As an anti-spam measure, a lot of mail servers will do a reverse lookup on you and if everything doesn't come up clean, your mail to them is rejected.

cdsJerry

@KOM:

We're getting our mail just fine on all our domains.

It's not receipt that will be your problem, but sending. As an anti-spam measure, a lot of mail servers will do a reverse lookup on you and if everything doesn't come up clean, your mail to them is rejected.

Our PTR is accurate. We haven't had much trouble with being labeled as a SPAMMER (we've never spammed anyone) but we do sometimes end up in people's spam boxes. Port 25 is open and listening. I think the reason he didn't see it was that he was testing from a Comcast IP and they do block port 25.

johnpoz

No I tested from one of my vps, the second time - and your ptr is not accurate for all your mail servers

for example .52 has - see attached domain starts with i and ends in h, snipped for your privacy.

But there is not even a forward for that name mail.i<snipped>h.com

same goes for .53

Checked your mx and your only pointing to the 1, but you listed 52 and 53 as mail servers.

when I checked with mxtoolbox it reported this
SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match SMTP Banner

But upon checking the IP that ends in .51 for ptr and looking up the forward for that name and whats in your mx record they match. Its possible your hiding your smtp banner? Checking with another tool I get this

The hostname in the greeting message is

All

I get this when I connect
Escape character is '^]'.
220 All actions are logged. No mail relay takes place from this server.

And looks like your not accepting mail for postmaster@ip which is part of the rfc I pretty sure
The SMTP server does not accept mails to postmaster@[IP_ADDRESS]. This is a very bad thing, as this address is used by people that don't know your domain name! The reported error is: 550 not local host [All], not a gateway

You really should look into your ssl stuff!!

ptr.png_thumb
</snipped>

cdsJerry

@johnpoz:

No I tested from one of my vps, the second time - and your ptr is not accurate for all your mail servers

for example .52 has - see attached domain starts with i and ends in h, snipped for your privacy.

But there is not even a forward for that name mail.i<snipped>h.com

same goes for .53

Checked your mx and your only pointing to the 1, but you listed 52 and 53 as mail servers.</snipped>

You are right on those two examples. They are inbound only. I bought those two domains and receive mail for the users that were on it, but no mail is ever sent from those domains. The mx records forward mail to my main domain's mail server where it's directed to the right contact.

@johnpoz:

But upon checking the IP that ends in .51 for ptr and looking up the forward for that name and whats in your mx record they match. Its possible your hiding your smtp banner?

And looks like your not accepting mail for postmaster@ip which is part of the rfc I pretty sure
The SMTP server does not accept mails to postmaster@[IP_ADDRESS]. This is a very bad thing, as this address is used by people that don't know your domain name! The reported error is: 550 not local host [All], not a gateway

You really should look into your ssl stuff!!

I did a test to postmaster@myipaddy just now and the server processed it. I'd sent the test message from outside. I'll need to look into this. I do see where TestOfDnsqueriesDotCom@dnsqueries.com came in and ran your tests. It got successful responses until it attempted a postmaster@[All] email. but the individual postmaster@myipaddy.com were successful as were the abuse@ tests. The testing IP was blocked soon however because it had reached the maximum number of invalid recipients allowed. After that it failed due to a temporary restriction due to the abuse so no other tests would pass.

doktornotor

This kind of stuff… really.

Take a sheet of paper.
Make a list of all servers, IPs and ports that are supposed to be public or externally accessible (and from where.)
Set up your firewall according to that paper. Nothing else should be allowed. Use the descriptions in aliases/rules to state exactly what is the purpose of that rule/alias IP/alias port. If you use aliases, do not mix unrelated stuff in them.

I would strongly suggest to avoid recycling the current aliases mess for this purpose.

johnpoz

^ exactly!!! And then if you want to block specific "bad" ips via blocker aliases or your own from talking to the stuff you have allowed.. Then feel free to put those blocks above your allows.

doktornotor

BTW, there's Notes package to keep some simple notes available in pfSense GUI, keep track of configuration changes or whatever similar. Nothing fancy but it gets saved in config.xml, so it's kinda self-contained.