    Vulnerability??? SSH enabled seems to work from the WAN side??????

    • ?
      Guest last edited by

      This is a new behavior, but by chance I did an SSH connection to the WAN side of a 1.22 router. I got the menu. Probably not what was intended. This has never been possible before without a bunch of fancy rules. It also means that if someone is unaware they could be vulnerable.

      • K
        kpa last edited by

        Just tried this myself and pfSense blocked the connection just like it should, pfSense 1.2.2 without any packages. Check your firewall rules.

        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          kpa is correct, out of the box, ALL incoming connections are blocked on the WAN, regardless of their destination port.

          If you can reach the ssh port on your pfSense box's WAN side, you either have a rule to allow the traffic, your rules aren't loaded at all, or the filter is disabled.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!
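
An added example, not part of the original posts and not pfSense project code: a small Python check that sorts saved `pfctl -s info` and `pfctl -sr` output into the three causes named in the post above (filter disabled, rules not loaded, an allow rule). The WAN interface name `em0`, the addresses and the sample text are constructed assumptions; flagged rules are candidates to review, since pf's `quick` and rule ordering decide the final match.

```python
import re

def port_can_match(spec, port=22):
    """Can a pf destination-port spec match `port`? Unparsed operators count as yes."""
    if spec is None or spec == "ssh":
        return True                          # no port restriction, or ssh by name
    if spec.isdigit():
        return int(spec) == port
    rng = re.fullmatch(r"(\d+):(\d+)", spec)
    if rng:
        return int(rng.group(1)) <= port <= int(rng.group(2))
    return not re.fullmatch(r"[a-z][\w-]*", spec)   # another named service: no

def allows_ssh_in(rule, wan_if):
    """True for a pass rule that can admit inbound TCP/22 on wan_if."""
    rule = re.sub(r'\s+label\s+"[^"]*"', "", rule)  # labels may contain keywords
    tok = rule.split()
    if len(tok) < 2 or tok[0] != "pass" or tok[1] == "out":
        return False
    on = re.search(r"\bon\s+(\S+)", rule)           # no "on" means every interface
    if on and on.group(1) != wan_if:
        return False
    proto = re.search(r"\bproto\s+(\S+)", rule)     # no "proto" means every protocol
    if proto and proto.group(1) != "tcp":
        return False
    port = re.search(r"\bto\s+\S+\s+port\s+(?:=\s*)?(\S+)", rule)
    return port_can_match(port.group(1) if port else None)

def diagnose(pf_info, pf_rules, wan_if):
    """Return (cause, detail) pairs for the three causes listed in the post."""
    findings = []
    if re.search(r"^Status:\s+Disabled", pf_info, re.M):
        findings.append(("filter-disabled", "pf status is Disabled"))
    rules = [r.strip() for r in pf_rules.splitlines()
             if r.strip() and not r.lstrip().startswith("#")]
    if not rules:
        findings.append(("no-rules-loaded", "ruleset is empty"))
    findings += [("allow-rule", r) for r in rules if allows_ssh_in(r, wan_if)]
    return findings

# Constructed sample output; em0 is assumed to be the WAN interface.
PF_INFO = "Status: Enabled for 3 days 02:11:45           Debug: Urgent\n"
PF_RULES = '''
block drop in log all label "Default deny rule"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = ssh flags S/SA keep state label "USER_RULE: LAN ssh"
pass in quick on em0 inet proto tcp from any to 203.0.113.10 port = http flags S/SA keep state
pass in quick on em0 inet proto tcp from any to 203.0.113.20 flags S/SA keep state label "USER_RULE: to VIP"
'''

if __name__ == "__main__":
    for cause, detail in diagnose(PF_INFO, PF_RULES, "em0"):
        print(cause, "|", detail)
```

The last sample rule is flagged because it names no destination port, so it admits every TCP port to that address, SSH included.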

          • ?
            Guest last edited by

            I have installed pfSense dozens of times and generally set it up the same. I will go through and do a fresh install. I am glad that it isn't an issue.

            Thanks

            • A
              Arjen last edited by

              Same problem here, pfSense SSH is open on some VIPs.

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Arjen,

                Please provide more details about what you are seeing. Specifically:

                • What type of VIP you are using

                • What interface this VIP is set for

                • A full copy of your rules (From /tmp/debug.rules, or screenshots of the various rules tabs)

                I have never seen any kind of behavior like that, except where it was explicitly allowed.

                • A
                  Arjen last edited by

                  I did not allow anything.
                  But the SSH port (the pfSense SSH) is open on a CARP VIP (with SSH closed in forwarding and rules).

                  I will send you the info ASAP.
