Netgate Discussion Forum
    Disabling Port Forward

    NAT
    29 Posts 4 Posters 4.3k Views
    • denningsrogue

      When I set up my pfSense device 2 years ago, I forwarded port 22 to my ssh server.  All has been working flawlessly since then.  I now want to disable the port forward.  I disabled (I did not remove) the forward and the associated rule, but port 22 still shows as open and I can still SSH into the server.  What am I missing?

      • johnpoz LAYER 8 Global Moderator

        did you clear the state?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • denningsrogue

          Yes. Twice.

          • johnpoz LAYER 8 Global Moderator

            ssh into the server from where??  The internet?  Post up your wan firewall rules and your port forwards.  Did you actually hit APPLY after you edited the rule and set it to disabled?  Enable it and then disable it again and this time make sure you hit apply on the port forward page.

            What pfsense are you using btw?

            So I have a port forward to my dvr..

            See it shows open.

            I then disable the rule, and it now is closed - did not have to do anything with the firewall - just disabled the port forward rule.

            [attachments: ruleenabled.png, disabled.png, disabledfromoutside.png]


            • denningsrogue

              First, thanks for taking the time to consider my issue.

              I am using pfSense 2.1.5 and ssh'ing through the internet from my downtown office.

              When I ssh, I get the password prompt and can log in.  The reason I want to close the port is that I am being barraged by brute force attacks on my gateway.  Those are continuing.

              Thanks again.

              I'll post the rules and port forwards in follow up posts.

              • denningsrogue

                Here is the port forward page showing the forward disabled.

                ![Screen Shot 2014-10-17 at 09.36.04.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.36.04.png)

                • denningsrogue

                  Here is the port forward entry.

                  ![Screen Shot 2014-10-17 at 09.36.59.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.36.59.png)

                  • denningsrogue

                    Here are the rules.

                    ![Screen Shot 2014-10-17 at 09.37.20.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.37.20.png)

                    • denningsrogue

                      Here is the specific rule.

                      Thanks again for your help.

                      ![Screen Shot 2014-10-17 at 09.37.36.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 09.37.36.png)

                      • johnpoz LAYER 8 Global Moderator

                        did you enable/disable it again..  What you're saying is just not possible to be honest..

                        Can you post up your debug rules once you disable the rule..  So I have an ssh rule that I keep disabled… I have enabled it and this is what is in my /tmp/rules.debug for port 22, I xx out some of my wan IP and isp gateway

                        [2.1.5-RELEASE][root@pfsense.local.lan]/root(3): cat /tmp/rules.debug | grep 22
                        rdr on vmx3f0 proto tcp from ! $pfBlockerTopSpammers to 24.13.xx.x port 22 -> 192.168.1.7
                        block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
                        pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
                        pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "

                        So I then disabled it, leaving the firewall rule enabled, and then notice my rules.debug grep for 22

                        [2.1.5-RELEASE][root@pfsense.local.lan]/root(4): cat /tmp/rules.debug | grep 22
                        block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
                        pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
                        pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "

                        Notice the forward is gone..

                        And if I check it from outside - blocked.  So let's take a look at your cat /tmp/rules.debug | grep 22

                        [attachments: ssh.png, disabledssh.png, sshblocked.png]


                        • denningsrogue

                          So here is what I have done.

                          enabled the ssh forward and rule
                          hit save
                          disabled the rule
                          hit save
                          reset the states table

                          here is the output from cat /tmp/rules.debug | grep 22

                          rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver
                          block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
                          pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"

                          • johnpoz LAYER 8 Global Moderator

                            so you disabled the port forward or just the firewall rule?

                            Because from your rules.debug the port forward is still there, but there is no firewall rule.

                            You should not be able to access in that way.. Do you have any firewall rules in your floating?  Something that is maybe allowing all and since you have the forward still it would be allowed?


                            • denningsrogue

                              I disabled the rule but not the forward.

                              • denningsrogue

                                Here is a screen shot showing all my rules (other than those related to pfblocker)

                                ![Screen Shot 2014-10-17 at 15.02.38.png](/public/imported_attachments/1/Screen Shot 2014-10-17 at 15.02.38.png)

                                • denningsrogue

                                  johnpoz

                                  I don't know what you mean by "Do you have any firewall rules in your floating?".

                                  • denningsrogue

                                    Well I've tried just about everything I can think of.  I deleted both the forward and the rule.  When I conduct a port scan against the public IP, port 22 still shows as open.  Any suggestions would be welcomed.

                                    • denningsrogue

                                      Is there something i can do from the command line?

                                      • Derelict LAYER 8 Netgate

                                        There's another rule somewhere passing that traffic.

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        • johnpoz LAYER 8 Global Moderator

                                          Looking in your floating tab – are there rules there? These are looked at first, before any other rules on specific tabs.

                                          Post up your rules.debug file.  Seems to me you're not even using pfsense to access this IP you're sshing to.

                                          Sniff on your wan and lan interfaces when you do this access - do you actually see this traffic pass through pfsense?  Do you actually see a state for this connection?


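The checks johnpoz and Derelict describe in the posts above (grep /tmp/rules.debug for the port, confirm the rdr and the matching WAN pass rule are both present or both gone, and look for some other rule that could be passing the traffic), as an added shell example that is not part of the thread and not pfSense's own code. The rule sets it runs over are constructed from the dumps posted in the thread (with the IPs the posters already redacted); the "broad" set adds a hypothetical allow-all WAN rule to show what an "another rule somewhere" case looks like in the file. The function names and status labels are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a pfSense /tmp/rules.debug dump for one TCP port.
# A pfSense port forward generates two lines in that file: an "rdr" (NAT redirect) line and a
# "pass in" rule on $WAN to the translated target. Disabling only one of them leaves the other
# behind, which is the state denningsrogue's dump shows (rdr present, no WAN pass rule).
# Rule sets below are constructed from the dumps posted in the thread (IPs already redacted by
# the posters); "broad" adds a hypothetical allow-all WAN rule. Function names and labels are mine.

write_sample() {                      # write_sample NAME FILE: write one constructed rule set
  case "$1" in
    op)
      # denningsrogue's dump: forward kept, firewall rule disabled
      cat > "$2" <<'EOF'
rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on em1 proto tcp from any to (em1) port { 443 80 22 } keep state label "anti-lockout rule"
EOF
    ;;
    enabled)
      # johnpoz's dump with the forward enabled
      cat > "$2" <<'EOF'
rdr on vmx3f0 proto tcp from ! $pfBlockerTopSpammers to 24.13.xx.x port 22 -> 192.168.1.7
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "
EOF
    ;;
    disabled)
      # johnpoz's dump after disabling the forward: pass rule still there, rdr gone
      cat > "$2" <<'EOF'
block in log quick proto tcp from <sshlockout> to (self) port 22 label "sshlockout"
pass in quick on vmx3f1 proto tcp from any to (vmx3f1) port { 80 22 } keep state label "anti-lockout rule"
pass  in log  quick  on $WAN reply-to ( vmx3f0 24.13.xx.xx ) inet proto tcp  from ! $pfBlockerTopSpammers to 192.168.1.7 port 22 flags S/SA keep state  label "USER_RULE: NAT "
EOF
    ;;
    broad)
      # hypothetical: forward kept plus a WAN rule with no port clause that admits anything
      cat > "$2" <<'EOF'
rdr on em0 proto tcp from any to 216.xxx.xxx.xxx port 22 -> $miniserver
pass in quick on $WAN inet from any to any keep state label "USER_RULE: hypothetical allow-all"
EOF
    ;;
    *) echo "unknown sample: $1" >&2; return 1 ;;
  esac
}

count_matches() {                     # count_matches ERE FILE: print match count, exit 0 even on zero
  grep -Ec "$1" "$2" || true
}

rdr_count() {                         # rdr_count FILE PORT: NAT redirects for PORT
  count_matches '^rdr .* port '"$2"' ->' "$1"
}

wan_pass_count() {                    # wan_pass_count FILE PORT: pass-in rules on $WAN naming PORT
  count_matches '^pass +in .*on [$]WAN .* port '"$2"'( |$)' "$1"
}

broad_wan_pass() {                    # broad_wan_pass FILE: pass-in rules on $WAN with no port clause
  grep -E '^pass +in .*on [$]WAN ' "$1" | grep -v ' port ' || true
}

broad_wan_pass_count() {              # broad_wan_pass_count FILE: how many such rules
  broad_wan_pass "$1" | grep -c . || true
}

forward_status() {                    # forward_status FILE PORT -> open | rdr-only | pass-only | closed
  fs_rdr=$(rdr_count "$1" "$2")
  fs_pass=$(wan_pass_count "$1" "$2")
  if   [ "$fs_rdr" -gt 0 ] && [ "$fs_pass" -gt 0 ]; then echo open       # forward fully in place
  elif [ "$fs_rdr" -gt 0 ];                         then echo rdr-only   # translated, but pf should block it
  elif [ "$fs_pass" -gt 0 ];                        then echo pass-only  # rule left behind, nothing redirected
  else                                                   echo closed
  fi
}

# Stand-alone demo over the constructed samples (on a live box: forward_status /tmp/rules.debug 22)
demo_dir=$(mktemp -d)
for name in op enabled disabled broad; do
  write_sample "$name" "$demo_dir/$name"
  printf '%-9s port 22: %-9s broad WAN pass rules: %s\n' "$name" \
    "$(forward_status "$demo_dir/$name" 22)" "$(broad_wan_pass_count "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

On a real 2.1.5 box the same grep johnpoz ran is the input; /tmp/rules.debug is only rewritten when the filter reloads, so an rdr that is still in it after the forward was disabled means Apply never took effect. An "rdr-only" result with no broad WAN pass rule and no floating rules is the situation in this thread, and the next step is the one johnpoz gives: sniff WAN and LAN and check the state table, because the traffic may not be going through pfSense at all. Connections already established also survive a reload until the state table is reset, which is why clearing states was the first question.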
                                          • denningsrogue

                                            No floating rules. Here's a screen shot of the tab.

                                            [Screen Shot 2014-10-18 at 06.36.56.png](/public/imported_attachments/1/Screen Shot 2014-10-18 at 06.36.56.png)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.