Port forwarding while blocking direct access

  • Hi everybody,

    I'm trying to mask the IPs of my servers behind the pfSense firewall.  Seems like a good way to do that is port forwarding.

    Both the firewall and the 2 servers behind it have internet-accessible IPs, so right now, I can SSH directly to my web server behind the firewall.  I want to port forward a random port (say, 1111) on the firewall to port 22 on the web server, and block direct SSH to the web server's IP.

    I set up port forwarding and created the default firewall rule, and it works great.  I can SSH to port 1111 of the firewall and get to my web server.

    However, I can also still directly SSH to the web server, which I want to block.  The firewall rule created by port forwarding is what's allowing the direct SSH access (* for source and port, with my web server's IP and 22 for port) – if I disable that rule, then I can't directly SSH, but port forwarding also breaks.

    How can I expose SSH to my web server only via port forwarding?  Is it possible at all?


  • Rebel Alliance Developer Netgate

    That is a bit of a tricky situation - for NAT to allow the service in, you need to set the firewall rule to allow traffic to the target system's real port, which is 22. Because that IP is routed, and not really NAT, it still exposes the 'real' service.

    Hiding ports in this way only works if NAT is done for the whole IP - not routable, not 1:1.

    In your case you'd have to change the sshd config to listen on 1111 if that's what you really want.
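The evaluation order described in the reply, as an added Python model (not pfSense or pf code, and not from the original thread): the port-forward (rdr) translation runs before the filter rule, so the filter only ever sees the server's real port, and the rule that admits forwarded traffic necessarily admits direct traffic to that port too. Addresses are constructed placeholders, and `evaluate`, `Packet` and `Rdr` are names chosen for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rdr:  # one port forward: (ext_ip, ext_port) -> (int_ip, int_port)
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int

def evaluate(pkt, rdrs, passes):
    """Return (destination seen by the filter, allowed?).

    Models pf/pfSense order on the WAN interface: rdr translation first,
    then the pass rules are matched against the *translated* destination.
    A packet already addressed to the internal host is not translated and
    reaches the filter unchanged, so the filter cannot tell the two apart."""
    for r in rdrs:
        if (pkt.dst_ip, pkt.dst_port) == (r.ext_ip, r.ext_port):
            pkt = replace(pkt, dst_ip=r.int_ip, dst_port=r.int_port)
            break
    allowed = (pkt.dst_ip, pkt.dst_port) in passes
    return (pkt.dst_ip, pkt.dst_port), allowed

# Constructed documentation-range addresses, not the poster's real IPs.
FW, WEB = "198.51.100.1", "198.51.100.2"

# Setup from the question: forward FW:1111 -> WEB:22, plus the auto-created
# rule that allows traffic to WEB:22 (the real port).
ORIG_RDRS = [Rdr(FW, 1111, WEB, 22)]
ORIG_PASS = {(WEB, 22)}

# Change suggested in the reply: sshd listens on 1111, so the forward and
# the pass rule both target WEB:1111 and nothing admits WEB:22.
FIX_RDRS = [Rdr(FW, 1111, WEB, 1111)]
FIX_PASS = {(WEB, 1111)}

def direct_ssh_allowed(rdrs, passes):
    return evaluate(Packet(WEB, 22), rdrs, passes)[1]

def forwarded_ssh_allowed(rdrs, passes):
    return evaluate(Packet(FW, 1111), rdrs, passes)[1]

if __name__ == "__main__":
    print("original: direct", direct_ssh_allowed(ORIG_RDRS, ORIG_PASS),
          "forwarded", forwarded_ssh_allowed(ORIG_RDRS, ORIG_PASS))
    print("fixed:    direct", direct_ssh_allowed(FIX_RDRS, FIX_PASS),
          "forwarded", forwarded_ssh_allowed(FIX_RDRS, FIX_PASS))
```

With the original rules both paths are allowed because both arrive at the filter as WEB:22; after moving sshd to 1111, direct SSH to port 22 is dropped while the forwarded path still works.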