Netgate Discussion Forum
    Port forwarding while blocking direct access

    Scheduled Pinned Locked Moved NAT
    2 Posts 2 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    timr:

      Hi everybody,

      I'm trying to mask the IPs of my servers behind the pfSense firewall.  Seems like a good way to do that is port forwarding.

      Both the firewall and the 2 servers behind it have internet-accessible IPs, so right now, I can SSH directly to my web server behind the firewall.  I want to port forward a random port (say, 1111) on the firewall to port 22 on the web server, and block direct SSH to the web server's IP.

      I set up port forwarding and created the default firewall rule, and it works great.  I can SSH to port 1111 of the firewall and get to my web server.

      However, I can also still directly SSH to the web server, which I want to block.  The firewall rule created by port forwarding is what's allowing the direct SSH access (* for source and port, with my web server's IP and 22 for port) – if I disable that rule, then I can't directly SSH, but port forwarding also breaks.

      How can I expose SSH to my web server only via port forwarding?  Is it possible at all?

      Thanks!
      Tim

    jimp (Rebel Alliance Developer, Netgate):

        That is a bit of a tricky situation - for NAT to allow the service in, you need to set the firewall rule to allow traffic to the target system's real port, which is 22. Because that IP is routed, and not really NAT, it still exposes the 'real' service.

        Hiding ports in this way only works if NAT is done for the whole IP - not routable, not 1:1.

        In your case you'd have to change the sshd config to listen on 1111 if that's what you really want.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

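To make jimp's explanation concrete, here is a constructed pf ruleset fragment. It is an added illustration, not rules generated by pfSense and not anything posted in the thread; the interface name and the 203.0.113.0/24 documentation addresses are assumptions. The first half shows why the filter rule a port forward requires also admits direct connections to the server's routed IP; the second half shows the sshd-side change jimp suggests. The two halves are alternatives, not one ruleset.

```pf
# Constructed example (not from the thread, not pfSense output).
# Assumed: WAN interface em0, firewall 203.0.113.1, web server 203.0.113.10,
# both publicly routed through the firewall (no NAT for the server's own IP).
ext_if = "em0"
fw_ip  = "203.0.113.1"
web_ip = "203.0.113.10"

# --- Half 1: what the port forward produces ---
# Translation: firewall:1111 -> web server:22. rdr runs before filtering.
rdr on $ext_if proto tcp from any to $fw_ip port 1111 -> $web_ip port 22

# Filter rule the forward needs. It must match the *translated* destination,
# web_ip:22, because pf evaluates filter rules after rdr has rewritten the packet.
pass in on $ext_if proto tcp from any to $web_ip port 22

# Problem: a packet sent directly to 203.0.113.10:22 is never translated, so it
# reaches the filter with the same destination and the same rule passes it.
# At the filter, the forwarded path and the direct path look identical.

# --- Half 2: what jimp suggests instead (replaces Half 1) ---
# Move sshd itself to port 1111 (on the web server, sshd_config: "Port 1111"),
# drop the rdr rule, and allow only that port through. With nothing listening
# on 22, there is no service left to reach on the real port.
pass in on $ext_if proto tcp from any to $web_ip port 1111
block in on $ext_if proto tcp from any to $web_ip port 22
```

The pfSense GUI expresses the same thing as a NAT port-forward entry plus its associated WAN rule; the fragment above is written in plain pf.conf syntax only to make the ordering (translate first, then filter) visible.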
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.