Netgate Discussion Forum
    Firewall NAT strange behaviour

    Firewalling
    djay

      Happy new year all. I am experiencing something strange with rules/NAT and hoping to get some help with it. I have an ssh gateway sitting behind a pfsense box. The ssh gateway is running on a custom port. The idea is to be able to ssh onto this box from the outside world then use that to ssh into the "inside world"

      firewall rule is
      [IPv4/TCP] [any] [any] [ssh_server] [ssh_port] [any] [none] [desc]

      NAT says
      [GATEWAY] [TCP] [any] [any] [Gateway_address] [ssh_port] [ssh_server] [ssh_port] [desc].

      Please see the attached screenshots for more info.

      Testing this from the outside, and I mean the outside world, a colocation server in the middle of who knows where, I seem to get refused several times, sometimes up to 20 times, before I am finally allowed to proceed with a normal connection.

      Though the ssh box is running fail2ban with iptables, I know it's the pfSense box rejecting the connection. I see the connection getting dropped in the pfSense logs.
      Let's ignore fail2ban and iptables for now.
      The interesting bit is this used to work fine until I upgraded the pfSense box. I am not quite sure at what version this started playing up, but I am currently on v 2.3.2 release-p1.

      Is it something to do with my rulesets?
      Any help will be great. Thanks all

      pfsense_rule_NAT.JPG
      pfsense_rule.JPG

        johnpoz LAYER 8 Global Moderator

        Those are supposed to show us what exactly? Those are completely useless, to be honest.. Do you really think hiding the RFC1918 address protects you from something?  Or the port you're running on, which I would assume would be 22.. But if something else.. What does it matter? If I had your IP I could just scan you to find it if I wanted, etc.

        From what I can see, unless you removed it from the pic, your NAT is not linked to a firewall rule..  What interface is the firewall rule on??  Why is it not linked to your port forward?

        Here is the thing: if you had a rule that was blocking you then it would always be blocked!!!  You're saying you keep trying and then you get in??  That would be one really shitty firewall, wouldn't it!!!

        Your problem is elsewhere. Rules work or they don't work - they don't "sometimes" block..

        Are the blocks you're seeing in the firewall log out-of-state traffic?  More than happy to help you, but you have given zero to work with here.. What rule is blocking it when you say you see it blocked in the logs?  Are you running any other packages, IPS? pfBlocker?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          djay
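        The diagnostic point in the reply above (a static rule blocks every time; a source that is sometimes passed and sometimes blocked points at out-of-state packets or a dynamic blocker such as a list-based package) can be checked directly against the firewall log instead of by eye. The script below is an added example, not code from the thread or from pfSense: it parses pfSense filterlog lines in the documented 2.2+ CSV field order (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then the TCP/UDP port and flag fields), groups them per source/destination/port, and reports which tracker IDs did the blocking, whether a given source was ever both passed and blocked, and how many blocked TCP packets carried no SYN (the signature of out-of-state traffic rather than a rule denying a new connection). The log lines, addresses, port 2222 and tracker values are constructed for the example; only IPv4 lines are handled.

```python
"""Summarise pfSense filterlog entries per flow to separate "always blocked by
a rule" from "intermittently blocked" (out-of-state packets or a dynamic blocker).
Added example; the log below is constructed, not captured from a real box."""
import re
from collections import defaultdict

# Constructed sample in pfSense 2.2+ filterlog CSV format. Addresses (RFC 5737
# documentation ranges), port 2222 and the tracker IDs are made up for this example.
SAMPLE_LOG = """\
Jan  1 10:00:01 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1001,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51234,2222,0,S,100,,65535,,mss;sackOK
Jan  1 10:00:02 pfSense filterlog: 71,,,1487000000,igb0,match,pass,in,4,0x0,,54,1002,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,51235,2222,0,S,101,,65535,,mss;sackOK
Jan  1 10:00:03 pfSense filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,1003,0,DF,6,tcp,52,203.0.113.5,198.51.100.10,51235,2222,0,A,102,1,65535,,
Jan  1 10:00:04 pfSense filterlog: 12,,,1700000000,igb0,match,block,in,4,0x0,,54,1004,0,DF,6,tcp,60,198.51.100.77,198.51.100.10,40000,2222,0,S,103,,65535,,mss
"""

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")


def parse_line(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None  # not an IPv4 filterlog record
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4], "reason": f[5],
        "action": f[6], "dir": f[7],
        # IPv4 header fields: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        "proto": f[16], "src": f[18], "dst": f[19],
    }
    rest = f[20:]  # TCP/UDP: srcport, dstport, datalen, [tcpflags, seq, ack, window, urg, options]
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    if rec["proto"] == "tcp" and len(rest) >= 4:
        rec["tcpflags"] = rest[3]
    return rec


def summarise(log_text, dst_port=None):
    """Per (src, dst, dport): pass/block counts, blocking tracker IDs, and the
    number of blocked TCP packets without SYN (likely out-of-state)."""
    flows = defaultdict(lambda: {"pass": 0, "block": 0,
                                 "block_trackers": set(), "block_no_syn": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dport" not in rec:
            continue
        if dst_port is not None and rec["dport"] != dst_port:
            continue
        s = flows[(rec["src"], rec["dst"], rec["dport"])]
        blocked = rec["action"] in ("block", "reject")
        s["block" if blocked else "pass"] += 1
        if blocked:
            s["block_trackers"].add(rec["tracker"])
            if rec["proto"] == "tcp" and "S" not in rec.get("tcpflags", ""):
                s["block_no_syn"] += 1
    return flows


def classify(summary):
    """'blocked': only ever blocked (a rule is doing its job).
    'out-of-state-only': passed, and every block lacked SYN (state table, not a rule).
    'intermittent': new connections (SYN) both passed and blocked from the same source,
    which a static rule cannot produce; look at a dynamic blocker or changing lists."""
    out = {}
    for key, s in summary.items():
        if s["pass"] and s["block"]:
            new_conn_blocks = s["block"] - s["block_no_syn"]
            out[key] = "intermittent" if new_conn_blocks else "out-of-state-only"
        elif s["block"]:
            out[key] = "blocked"
        else:
            out[key] = "passed"
    return out


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG, dst_port=2222)
    for key, verdict in classify(summary).items():
        s = summary[key]
        print(f"{key[0]} -> {key[1]}:{key[2]}  {verdict}  pass={s['pass']} "
              f"block={s['block']} no-SYN blocks={s['block_no_syn']} "
              f"trackers={sorted(s['block_trackers'])}")
```

Feed it `clog /var/log/filter.log` output (or the log exported from Status > System Logs > Firewall) and filter on the forwarded port; a source classified as `intermittent` with the same tracker on every block is exactly the case where the rule set is not the explanation and a package or list that changes over time should be examined next.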

          Easy now John. Calm down Mr moody. It's a new year. I appreciate your help and guess what, you fixed my issue.

          The reason I posted on here is because I find the behavior strange too.

          It's to do with pfBlocker. Disable it and everything works. I'm not quite sure what it is with pfBlocker that is causing the issue but will look at it.

          The whole idea of posting here is to get people like you to point people like me in the right direction, which you did.

          thanks for your help.

            johnpoz LAYER 8 Global Moderator

            Mr moody?  Maybe someone should stop trying to read tone into forum posts ;)  Especially when they are clearly bad at it… hehehe

            I can assure you I am in great spirits and in a great "mood".. But thanks for asking..

            Glad you got your issue sorted..  Seems like pfBlocker is pretty shitty at what it does as well, it only "sometimes" blocks?  Unless your source IP was changing from one that was blocked to one that was allowed in your 20 times trying to connect..

              JKnott

              The ssh gateway is running on a custom port. The idea is to be able to ssh onto this box from the outside world then use that to ssh into the "inside world"

              I do the opposite.  I forward SSH to my main computer and then go from there.  Also, I have that computer configured to require a public/private key pair, so that there's no password to attack.  On my network, pfSense is only accessible from the local network, not the Internet.

              pfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.