Blocking SSH - Firewall Rule Troubles - SOLVED

acherman · Feb 10, 2015, 9:07 PM

Yup, those rules are active. No, no 1:1 set up at all. I do have some inbound stuff set up, but specific ports like 21, 80, 443, etc. Although I do have a couple that I have all ports forwarded to 3 customer devices, just because I don't know what ports they use - those are the ones noted in the middle of the WAN rules (noted as BCM access). But those are other IPs. Dumb question, how can I see what IP's they are trying to get authed on? My pfflowd packages aren't working, so I'm not sure how to look.

tha_toadman · Feb 10, 2015, 9:08 PM

For me, I pretty much never put in a source port. As others have said, they are usually random, so no point. And also, I put them right at the top - since they are handled from the top down, start with the most specific and go from there.

Yeah it was towards the end of the day when I put that original rule in. I've since modified it to read as:

block IPv4 TCP * * WAN address 22 (SSH) * none

I've corrected both the Floating and the WAN but I'm still telling you, SSH is open. The default deny isn't working in this case. Once that SSH server is enabled, it's WAN accessible on my box.

My top 3 rules on the WAN tab (apologies on the formatting):

block * Reserved/not assigned by IANA * * * * * * Block bogon networks
block * Private_Networks * * * * none (custom rule)
block IPv4 TCP * * WAN address 22 (SSH) * none Block SSH remote access

I don't have any 1:1 going either.

johnpoz · Feb 10, 2015, 9:15 PM

ok heres another thing - once you create the rules to block. You have to kill the states.. So for example got in.. You need to kill all the states from my IP, or flush them all. Or have to wait til they expire.

acherman · Feb 10, 2015, 9:20 PM

I actually added the rules, and then I turned SSH on and back to 22. Would that have not allowed the states to begin with? Or no?

johnpoz · Feb 10, 2015, 9:22 PM

no that would not have flushed the states in the firewall. That just tells the box to listen or not listen.

acherman · Feb 10, 2015, 9:27 PM

Okay, I just reset all states - that should confuse some people. I will watch the logs now…

johnpoz · Feb 10, 2015, 9:34 PM

so you do understand its not just ssh that is open

johnpoz · Feb 10, 2015, 9:35 PM

If you PM a login - I would be happy to take a look to what is going on.

And ssh is still open.. If you flushed the states.. You go something major issue here.. Either your rules are not being applied or you have something that in front of it allowing it.

pfctl -sa

Lets take a look at the rules..

acherman · Feb 10, 2015, 9:41 PM

PM sent. Thanks John.

Just joking. Apparently I hit the email button instead.

Derelict · Feb 10, 2015, 9:45 PM

I don't even know where to start with what's wrong with your rules. You might want to start over.

Of course everything is open. You are connecting to something on PUBLIC net. He has pass any any rules for that subnet from WAN1/WAN2.

johnpoz · Feb 10, 2015, 9:46 PM

Ok first thing I see is you have that allow any any rule on multiple interfaces.. So wan_shaw has any any to public net, and there is no blocks on that interface. So when I do a trace to that IP I hit..

13 49 ms 49 ms 47 ms 66.163.70.2
14 55 ms 52 ms 64 ms 64.141.125.254

What what connection is that 66.163.. So you have that allow on all your interfaces?

acherman · Feb 10, 2015, 9:51 PM

Looks like that 66.163.70.2 is the router on our Shaw WAN - the address that I hit there is 64.141.127.249.

johnpoz · Feb 10, 2015, 9:52 PM

Ok I put in a rule on your shaw wan to block ssh to your .250, 251, 254

And I it looks blocked now.

johnpoz · Feb 10, 2015, 9:55 PM

Ok I added logging to the rule, and you can see blocked from my attempt to all 3 of them

Your going to want to go through these connections and block services to pfsense interfaces. So for example I was able to remote in.. that should clearly be something you only allow when you want it.. And put in specific rule for ;)

acherman · Feb 10, 2015, 10:11 PM

Okay, so I had rules just like to start with (see first post). Weird. So, which address were you able to get in on?

johnpoz · Feb 10, 2015, 10:16 PM

I could ssh to all 3 of the ips. And https is open on all three as well.

Ssh is blocked now.. your going to want to block ports your gui is listening on.. https, I didn't check http.. And any thing else you might have running.. dns for example

C:>dig @64.141.125.254

; <<>> DiG 9.9.5-W1 <<>> @64.141.125.254
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12950
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 87258 IN NS b.root-servers.net.
. 87258 IN NS l.root-servers.net.
. 87258 IN NS f.root-servers.net.
. 87258 IN NS i.root-servers.net.
. 87258 IN NS e.root-servers.net.
. 87258 IN NS d.root-servers.net.
. 87258 IN NS a.root-servers.net.
. 87258 IN NS g.root-servers.net.
. 87258 IN NS j.root-servers.net.
. 87258 IN NS h.root-servers.net.
. 87258 IN NS m.root-servers.net.
. 87258 IN NS k.root-servers.net.
. 87258 IN NS c.root-servers.net.

;; Query time: 110 msec
;; SERVER: 64.141.125.254#53(64.141.125.254)
;; WHEN: Tue Feb 10 16:10:40 Central Standard Time 2015
;; MSG SIZE rcvd: 239

DUDE!!!! you have a recursive dns listening on the public net!! That is normally not good!! Bock that as well!!!

acherman · Feb 10, 2015, 10:14 PM

Damnit!!! >:(

johnpoz · Feb 10, 2015, 10:16 PM

This why you normally don't do a any any rule on your wan ;)

acherman · Feb 10, 2015, 10:20 PM

You lost me with the recursive DNS part.

Also, so, without the any any rule, how would I pass all routed traffic to the the commercial hosts on that net?

johnpoz · Feb 10, 2015, 10:25 PM

Recursive – I can ask you for any domain on the planet..

; <<>> DiG 9.9.5-W1 <<>> @64.141.125.254 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37163
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 135 IN A 207.34.103.20
www.google.com. 135 IN A 207.34.103.54
www.google.com. 135 IN A 207.34.103.29
www.google.com. 135 IN A 207.34.103.30
www.google.com. 135 IN A 207.34.103.59
www.google.com. 135 IN A 207.34.103.39
www.google.com. 135 IN A 207.34.103.50
www.google.com. 135 IN A 207.34.103.40
www.google.com. 135 IN A 207.34.103.35
www.google.com. 135 IN A 207.34.103.55
www.google.com. 135 IN A 207.34.103.45
www.google.com. 135 IN A 207.34.103.34
www.google.com. 135 IN A 207.34.103.49
www.google.com. 135 IN A 207.34.103.44
www.google.com. 135 IN A 207.34.103.24
www.google.com. 135 IN A 207.34.103.25

;; Query time: 69 msec
;; SERVER: 64.141.125.254#53(64.141.125.254)
;; WHEN: Tue Feb 10 16:18:15 Central Standard Time 2015
;; MSG SIZE rcvd: 299

You then go look it up for me.. This is can be used for HUGE amplification attacks.. Do you not read the news? ;)

Normally with a transit network, so pfsense interface is not exposed to the any any rule with a downstream router. My point to the any any, is doing so normally exposes stuff that might not of thought of.. Like your web gui to your firewall, ssh, dns, etc.

If you want to continue to use the any any - then create a specific block rule containing all the stuff you don't want to expose for pfsense interface in that segment, and then make sure its applied on the appropriate interfaces where that traffic comes in.

Or make the any any specific to the IPs the customer is using and not true any any.. so like 64.141.125.1 to 249 for example..