Security problem after unstable NAT



  • Hi

I have encountered a bug which introduced a security problem.
    pfSense access over WAN is disabled. Below you can find my NAT and firewall settings.
    pfSense reboots every morning. Now what happens is that 50% of the time I get the SSH of pfSense instead of box 10.0.0.107!
    So pfSense is then open to the World Wide Web! If it does this at boot, all other NAS port forwards fail too.
    Now to "solve" it, I just need to open Firewall > NAT, and then ALL of them work!
    10.0.0.107 is online 24/7.



  • That's allowed because you have a bunch of unnecessary rules. For SSH in particular, the "SSH to Nova" rule with destination "any" is wrong. The one with the 10.x IP destination is correct.
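The distinction drawn in the reply above, written out as an added example in pf.conf syntax (this is not the poster's own ruleset, which is not reproduced on the page; the interface name em0 and the host macro are assumptions). pf applies rdr translation before the filter rules are evaluated, so a pass rule sees the post-translation destination. If the port forward is missing after a reboot, a rule with destination "any" still matches the untranslated packet addressed to the WAN IP and lets it reach the firewall's own sshd; a rule that names the internal host no longer matches, and the default deny blocks it.

```pf
# Assumed names: em0 is the WAN interface, 10.0.0.107 is the SSH/NAS box.
ext_if = "em0"
nas    = "10.0.0.107"

# Port forward: public TCP/22 on the WAN address -> 10.0.0.107:22.
# If this rdr rule is not loaded at boot, packets keep the WAN IP as destination.
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $nas port 22

# Weak rule: matches whether or not the rdr above was applied.
# Without the forward, an inbound SYN to <WAN IP>:22 still passes and
# lands on pfSense's own SSH daemon.
pass in on $ext_if proto tcp from any to any port 22

# Correct rule: only matches traffic already translated to the NAS.
# Without the forward, the destination is still the WAN IP, nothing
# matches, and the packet is dropped by the default deny.
pass in on $ext_if proto tcp from any to $nas port 22
```

To see whether the forward actually got loaded on a day the ports are blocked, compare `pfctl -sn` (loaded NAT rules) and `pfctl -sr` (loaded filter rules) on the pfSense shell; if the rdr line for port 22 is absent while the pass rule is present, that is the state in which the destination-"any" form exposes the firewall itself.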



  • Hi

    I removed the wildcards and I changed the shutdown script to a `shutdown -p now`, and now all ports are blocked again on some days (not all days).
    On the days they are blocked, it shows in the firewall log? So they are blocked because the destination is my WAN address?
    What extra rule do I need?


  • Rebel Alliance Global Moderator

    Why do you have 2 threads running about the same thing?
    https://forum.pfsense.org/index.php?topic=113567.0



  • Because they were two different problems: one being the NAT forwarding not always working, and the other the NAT ports ending up on pfSense itself instead of on the other server (security).


  • Rebel Alliance Global Moderator

    Huh, they sure seem like the same thing to me. If your NAT rules are not working, then those firewall rules would never work, because the traffic wouldn't match your rule. The NAT is what allows the firewall rule to allow the traffic in.



  • OK, you're right. I will keep them in one topic for future problems. I don't think I can merge them myself.
    Any idea how I can solve the NAT problem?