Netgate Discussion Forum
    Blocking everything except ssh

    Category: Firewalling | 9 Posts, 4 Posters, 2.2k Views
    hape66:

      Hi there!

      I installed pfSense for VMware (ESXi 5) and just want to know what's the easiest way to configure 2 VMs for SSH-only connection.

      I made port forwards to the machines, that works fine, but the machines should only get connected from outside via SSH and to each other, no other ports.

      Any ideas?

      Thanks in advance!

      Hape

    Metu69salemi:

        Port forwards to those machines and then set firewall rules to block anything else (WAN side, that is the default).

    hape66:

          Yeah, that's right, but other VMs should get Internet access, only those 2 machines not…

    podilarius:

            You only want the machines to be accessed from the outside via SSH and only allowing them access to the internet on SSH port?

    hape66:

              @podilarius:
              > You only want the machines to be accessed from the outside via SSH and only allowing them access to the internet on SSH port?

              That's right, yes. Any ideas?

    johnpoz (LAYER 8 Global Moderator):

                Just set a LAN rule to only allow those IPs out on SSH. You would have to remove/edit the default LAN rule, which is allow all, to be only the IPs you want to allow all access to. Or delete it and create specific rules for the different LAN IPs you want to allow other access for.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

    podilarius:

                  Since LAN and WAN rules are first matching, in LAN create an allow rule for the specific server for port 22. Then under that create a rule to block all traffic from that server. If you want, you can create an alias with the local IPs you want to do this with to use in the rules. This will keep you from having to make 4 rules for 2 servers. Then you can keep the default allow rule at the bottom for any other machine you don't want to do this with.
                  WAN does not have a default allow rule and thus the default is to drop, so you only need to create a rule to allow only port 22. This I believe you have working already.

    johnpoz (LAYER 8 Global Moderator):

                    ^ Correct, they are first matching. So you could prob leave the default allow all rule for LAN. But if you're at a point where you want to only allow some machines 22, prob be safer to remove the allow all, or change it to deny all, etc. And then just set the specific rules you want.


    podilarius:
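To make the first-match point from podilarius's and johnpoz's posts concrete, here is an added example (not code from the thread or from pfSense) that walks a constructed LAN ruleset top to bottom the way pfSense does, with and without the default allow rule, and with the two alias rules in the wrong order. Addresses, the alias name and its member hosts are assumptions; the model ignores interface, direction and protocol, which real rules also match on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a pfSense LAN ruleset: the network, the alias name and
# the hosts in it are assumptions made for this example, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ALIASES = {"ssh_only_servers": {"192.168.1.10", "192.168.1.11"}}  # the two VMs

@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: str                  # alias name, "lan_net" or "any"
    dst_port: Optional[int]   # None matches any destination port

def src_matches(rule_src: str, src_ip: str) -> bool:
    if rule_src == "any":
        return True
    if rule_src == "lan_net":
        return ipaddress.ip_address(src_ip) in LAN_NET
    return src_ip in ALIASES[rule_src]

def evaluate(rules: list, src_ip: str, dst_port: int) -> str:
    """First matching rule wins; with no match, pfSense's implicit default is block."""
    for rule in rules:
        if src_matches(rule.src, src_ip) and rule.dst_port in (None, dst_port):
            return rule.action
    return "block"

# podilarius's layout: allow the alias out on 22, block everything else from the
# alias, and keep the default "LAN net to any" allow at the bottom for other hosts.
ALIAS_THEN_DEFAULT_ALLOW = [
    Rule("pass", "ssh_only_servers", 22),
    Rule("block", "ssh_only_servers", None),
    Rule("pass", "lan_net", None),
]

# johnpoz's stricter variant: the default allow is removed, so any host that is
# not explicitly permitted falls through to the implicit block.
ALIAS_NO_DEFAULT_ALLOW = ALIAS_THEN_DEFAULT_ALLOW[:2]

# The same two alias rules in the wrong order: the block is hit first, so the
# servers lose SSH as well. Ordering is the whole point of a first-match ruleset.
MISORDERED = [
    Rule("block", "ssh_only_servers", None),
    Rule("pass", "ssh_only_servers", 22),
    Rule("pass", "lan_net", None),
]
```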

                      Just depends on how comfortable you are with how the rules work and how paranoid you are. With the way you are describing, johnpoz, those would be the only servers on the network. If that is the case, then it works well. If you have 100s of servers, not so much, especially if it is only the 2 you have to block for and the rest should be open.
                      It is safer to deny all, but generally speaking, you are only doing that to stop virus or malware spread. Once in the network, it can attack other servers there with no concern for your firewall. Another way is to utilize per-server firewalls.

                      Either way, have fun …

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.