Blocking ALL ssh from WAN
-
How do I block ALL ssh access from the WAN while permitting it from the LAN?
I see similar questions to this crop up in the forums pretty regularly, but I haven't yet seen an answer to this one very specific question.
I have my WAN rules configured to block private & bogon networks, permit UDP 1194 (OpenVPN), TCP 1723 (PPTP) and GRE (again for PPTP). Other than these I have a rule which says to Block TCP to destination "WAN address". The last rule should be redundant as the implicit "block all" rule should kick in.
I thought that the last rule at least would stop ssh polling but I'm still seeing probes in my system logs. sshlockout is running and a secure password has been specified, so the danger is limited, but allowing direct login access to a firewall from its WAN side strikes me as deeply undesirable.
Any suggestions?
-
Your rules seem to show that you haven't allowed ssh from WAN, so it's not open. Test your firewall with Shields Up or similar to prove it to yourself.
-
OK, I figured out what's going on here. The problem isn't with pfsense (which is doing the right thing) but with our idiot main firewall, which is passing packets on a particular public network. The pfsense firewall has an address on that network configured on its LAN interface (in preparation for a future life in which it possibly replaces aforesaid idiot).
So the packets are coming in on the second firewall, passing through to the public address on the LAN port (where they're being accepted by the anti-lockout rule), then replying. Not a pfsense issue at all.
Although the anti-lockout rule is stopping me from blocking that traffic on the LAN port, for now I'll just disable that particular public IP.
Thanks for your assistance.
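Added example (not code from the thread or from pfSense): a toy first-match rule evaluator, scoped per ingress interface, that models the situation the resolution describes. pfSense evaluates rules on the interface a packet enters and stops at the first match, so a probe that the upstream firewall forwards onto the LAN segment never touches the WAN rules at all; it arrives on LAN and is accepted by the anti-lockout rule for the public address configured there. All addresses are constructed documentation-range values, and the rule set is a simplified sketch of the one described in the question.

```python
"""Toy model of pfSense's per-interface, first-match ('quick') rule evaluation.

Constructed values: WAN address 203.0.113.5, real LAN net 192.168.1.0/24,
extra public address 198.51.100.10 on the LAN interface, scanner 192.0.2.77.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet enters on: "wan" or "lan"
    proto: str              # "tcp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                                  # "pass" or "block"
    label: str
    proto: Optional[str] = None                  # None = any protocol
    src: Optional[Sequence[IPv4Network]] = None  # None = any source; [] = nothing
    dst: Optional[Sequence[IPv4Network]] = None  # None = any destination; [] = nothing
    dports: Optional[Sequence[int]] = None       # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False    # a rule only ever applies on its own interface
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and not any(ip_address(pkt.src) in n for n in self.src):
            return False
        if self.dst is not None and not any(ip_address(pkt.dst) in n for n in self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.label
    return "block", "implicit default deny"


def build_ruleset(wan_addr: str, lan_net: str, lan_addrs: Sequence[str]) -> list:
    """Simplified version of the rule set described in the question (hypothetical)."""
    wan = [ip_network(f"{wan_addr}/32")]
    lan = [ip_network(lan_net)]
    firewall_lan_hosts = [ip_network(f"{a}/32") for a in lan_addrs]
    return [
        Rule("wan", "block", "block private networks", src=PRIVATE_NETS),
        Rule("wan", "pass", "OpenVPN", proto="udp", dst=wan, dports=[1194]),
        Rule("wan", "pass", "PPTP", proto="tcp", dst=wan, dports=[1723]),
        Rule("wan", "pass", "GRE", proto="gre", dst=wan),
        Rule("wan", "block", "block TCP to WAN address", proto="tcp", dst=wan),
        # The anti-lockout rule sits at the top of LAN; it admits SSH/webGUI
        # traffic to any address the firewall holds on that interface.
        Rule("lan", "pass", "anti-lockout", proto="tcp", dst=firewall_lan_hosts, dports=[22, 80, 443]),
        Rule("lan", "pass", "LAN net to any", src=lan),
    ]


def probe_outcomes() -> Tuple[Tuple[str, str], Tuple[str, str], Tuple[str, str], Tuple[str, str]]:
    scanner = "192.0.2.77"                         # constructed external scanner
    with_vip = build_ruleset("203.0.113.5", "192.168.1.0/24", ["192.168.1.1", "198.51.100.10"])
    # 1. probe aimed at the WAN address: stopped by the explicit WAN block rule
    direct = evaluate(with_vip, Packet("wan", "tcp", scanner, "203.0.113.5", 22))
    # 2. same probe, forwarded by the upstream firewall onto the LAN segment:
    #    WAN rules never see it, and anti-lockout accepts it
    via_lan = evaluate(with_vip, Packet("lan", "tcp", scanner, "198.51.100.10", 22))
    # 3. legitimate admin on the LAN is also admitted by anti-lockout
    admin = evaluate(with_vip, Packet("lan", "tcp", "192.168.1.20", "192.168.1.1", 22))
    # 4. the thread's workaround: the public address is removed from LAN, so
    #    anti-lockout no longer matches and the probe hits the default deny
    without_vip = build_ruleset("203.0.113.5", "192.168.1.0/24", ["192.168.1.1"])
    after_fix = evaluate(without_vip, Packet("lan", "tcp", scanner, "198.51.100.10", 22))
    return direct, via_lan, admin, after_fix


if __name__ == "__main__":
    for name, outcome in zip(("wan probe", "probe via lan", "lan admin", "after fix"), probe_outcomes()):
        print(f"{name:14s} -> {outcome[0]:5s} ({outcome[1]})")
```

The interface scoping in `Rule.matches` is the whole point: tightening WAN rules cannot affect a packet that enters on LAN, which is why the log entries persisted despite a correct WAN policy. The practical check when probes appear in the logs is therefore to confirm which interface they arrive on before touching the rule set.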