Blocking everything except ssh



  • Hi there!

    I installed pfSense for VMWare (ESXi 5) and just want to know what's the easiest way to configure 2 VMs for an ssh-only connection.

    I made port forwards to the machines, and that works fine, but the machines should only be connected to from outside via ssh and to each other, no other ports.

    Any ideas?

    Thanks in advance!

    Hape



  • Port forwards to those machines, and then set firewall rules to block anything else (on the WAN side that is the default).



  • Yeah, that's right, but the other VMs should get Internet access, only those 2 machines should not…



  • You only want the machines to be accessed from the outside via SSH and only allowing them access to the internet on SSH port?



  • @podilarius:

    You only want the machines to be accessed from the outside via SSH and only allowing them access to the internet on SSH port?

    That's right, yes. Any ideas?


  • LAYER 8 Global Moderator

    Just set a LAN rule to only allow those IPs out on ssh. You would have to remove/edit the default LAN rule, which is allow all, to be only the IPs you want to allow all access to. Or delete it and create specific rules for the different LAN IPs you want to allow all other access for.



  • Since LAN and WAN rules are first matching, in LAN create an allow rule for the specific server for port 22. Then under that create a rule to block all traffic from that server. If you want, you can create an alias with the local IPs you want to do this with to use in the rules. This will keep you from having to make 4 rules for 2 servers. Then you can keep the default allow rule at the bottom for any other machine you don't want to do this with.
    WAN does not have a default allow rule and thus the default is to drop, so you only need to create a rule to allow only port 22. I believe you already have that working.

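The two LAN layouts discussed above (podilarius's "allow 22, block all, keep the default allow" ordering and johnpoz's "drop the allow all and list the hosts explicitly" variant) can be checked with a small first-match evaluator. This is an added example, not code from the thread or from pfSense; it only models the top-to-bottom, first-match semantics the posts describe. The addresses, the alias contents and the interface names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Constructed values standing in for the thread's two VMs and the LAN subnet;
# the addresses, the alias contents and the interface names are assumptions.
SSH_ONLY = ("192.168.1.10", "192.168.1.11")   # would be a pfSense alias
LAN_NET = "192.168.1.0/24"


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    iface: str                     # interface the packet enters on: "lan" or "wan"
    src: Optional[Sequence[str]]   # source hosts/networks, None = any
    proto: Optional[str] = None    # "tcp"/"udp", None = any
    dport: Optional[int] = None    # destination port, None = any


def _src_matches(rule: Rule, src: str) -> bool:
    if rule.src is None:
        return True
    addr = ip_address(src)
    return any(addr in ip_network(n, strict=False) for n in rule.src)


def evaluate(rules: Sequence[Rule], iface: str, src: str, proto: str, dport: int) -> str:
    """First matching rule wins, top to bottom, as on pfSense's LAN and WAN
    tabs. A packet that matches nothing is blocked: WAN has no default allow,
    and the LAN 'allow all' is an explicit rule that must be in the list."""
    for r in rules:
        if r.iface != iface or not _src_matches(r, src):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


# Ordering suggested by podilarius: per-alias allow 22, per-alias block all,
# then the stock "LAN net to any" allow left in place for every other host.
LAN_RULES = [
    Rule("pass", "lan", SSH_ONLY, "tcp", 22),
    Rule("block", "lan", SSH_ONLY),
    Rule("pass", "lan", (LAN_NET,)),
]

# The ordering mistake to avoid: block-all above allow-22 also swallows ssh.
LAN_RULES_WRONG_ORDER = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]

# johnpoz's stricter variant: no default allow at all, every host listed explicitly.
OTHER_HOSTS = ("192.168.1.50",)   # constructed: the VMs that keep full access
LAN_RULES_STRICT = [
    Rule("pass", "lan", SSH_ONLY, "tcp", 22),
    Rule("pass", "lan", OTHER_HOSTS),
]

# WAN: once the port forward has rewritten the destination, a single allow for
# tcp/22 is enough; everything else falls through to the implicit block.
WAN_RULES = [Rule("pass", "wan", None, "tcp", 22)]


def lan_decision(src: str, proto: str, dport: int,
                 rules: Sequence[Rule] = LAN_RULES) -> str:
    return evaluate(rules, "lan", src, proto, dport)


def wan_decision(proto: str, dport: int, src: str = "203.0.113.5") -> str:
    return evaluate(WAN_RULES, "wan", src, proto, dport)


if __name__ == "__main__":
    flows = (("192.168.1.10", "tcp", 22), ("192.168.1.10", "tcp", 443),
             ("192.168.1.50", "tcp", 443), ("192.168.1.99", "tcp", 443))
    for name, rules in (("suggested", LAN_RULES),
                        ("wrong order", LAN_RULES_WRONG_ORDER),
                        ("strict", LAN_RULES_STRICT)):
        print(name)
        for src, proto, dport in flows:
            print(f"  {src:>14} {proto}/{dport}: {lan_decision(src, proto, dport, rules)}")
    print("wan tcp/22:", wan_decision("tcp", 22), " wan tcp/80:", wan_decision("tcp", 80))
```

One caveat worth keeping in mind when reading the results: these rules only see traffic that crosses pfSense. The two VMs talking to each other on the same LAN segment never reach the firewall, so the "and to each other" part of the question is not restricted by any LAN rule; that is the case podilarius's per-server firewall remark covers.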

  • LAYER 8 Global Moderator

    ^ Correct, they are first matching. So you could probably leave the default allow all rule for LAN. But if you're at a point where you want to only allow some machines port 22, it would probably be safer to remove the allow all, or change it to deny all, etc. And then just set the specific rules you want.



  • It just depends on how comfortable you are with how the rules work and how paranoid you are. With the way you are describing it, johnpoz, those would be the only servers on the network. If that is the case, then it works well. If you have 100s of servers, not so much, especially if it is only the 2 you have to block for and the rest should be open.
    It is safer to deny all, but generally speaking, you are only doing that to stop virus or malware spread. Once in the network, it can attack other servers there with no concern for your firewall. Another way is to utilize per-server firewalls.

    Either way, have fun …

