Block SCP but allow SSH
-
Hi Team,
I have a private network and I am able to SSH and SCP from this private network to my corporate network. Due to security issues, I want to block the SCP function alone from my private network to the corporate network. Can you please help me to add the correct block rule for this scenario? Below is the NAT rule for SSH; the respective WAN rule was also created automatically for this NAT rule.
Thanks,
Linu -
@linu
SCP is based on SSH. Blocking it separately cannot be done by a packet filter at all. You have to do this on the destination device, if it's even possible.
-
@viragomann Can we achieve this by blocking FTP traffic?
-
@linu said in Block SCP but allow SSH:
@viragomann Can we achieve this by blocking FTP traffic?
No, FTP uses a different port.
You cannot do this on pfSense with filter rules. Possibly it is doable with the HAProxy package.
The PF filter works based on protocol, source and destination IPs and ports. But SCP uses port 22, the same as SSH. So there is no possibility for the packet filter to distinguish the connection type.
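
An added example (not part of the thread, and not pfSense or OpenSSH project code) of handling this on the destination device, as the replies suggest: a wrapper for sshd's `ForceCommand` option that lets interactive logins through and refuses scp, sftp and other remote commands. The script path and the deny policy are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, installed on the destination SSH server (assumed path):
#   sshd_config:  ForceCommand /usr/local/bin/ssh-gate.sh
# With ForceCommand set, sshd runs this script for every session and exports
# what the client asked for in SSH_ORIGINAL_COMMAND (empty for a plain login).

# Classify a client request: interactive, transfer or exec.
classify_request() {
    req=$1
    if [ -z "$req" ]; then
        echo interactive
        return
    fi
    first=${req%% *}      # first word of the requested command
    prog=${first##*/}     # strip any directory prefix
    case $prog in
        # scp in legacy mode runs "scp -t/-f ..."; sftp (and newer scp
        # clients) request the sftp subsystem instead.
        scp|sftp-server|internal-sftp) echo transfer ;;
        *) echo exec ;;
    esac
}

# Assumed policy: only interactive logins are allowed. Remote exec is refused
# as well, because "ssh host cat file" copies data just as scp does.
gate_main() {
    kind=$(classify_request "${SSH_ORIGINAL_COMMAND:-}")
    case $kind in
        interactive)
            exec "${SHELL:-/bin/sh}" -l
            ;;
        *)
            echo "ssh-gate: $kind requests are disabled on this host" >&2
            exit 1
            ;;
    esac
}

# Only act when started by sshd, which sets SSH_CONNECTION for the session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    gate_main
fi
```

This stops the scp and sftp tools, but a user with an interactive shell can still move data through the terminal, so it limits convenience rather than guaranteeing that no file leaves the host.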