• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Blocking SSH - Firewall Rule Troubles - SOLVED

Scheduled Pinned Locked Moved Firewalling
59 Posts 6 Posters 17.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    acherman
    last edited by Feb 10, 2015, 9:07 PM Feb 10, 2015, 9:01 PM

    Yup, those rules are active.  No, no 1:1 set up at all.  I do have some inbound stuff set up, but specific ports like 21, 80, 443, etc.  Although I do have a couple that I have all ports forwarded to 3 customer devices, just because I don't know what ports they use - those are the ones noted in the middle of the WAN rules (noted as BCM access).  But those are other IPs.  Dumb question, how can I see what IP's they are trying to get authed on?  My pfflowd packages aren't  working, so I'm not sure how to look.

    1 Reply Last reply Reply Quote 0
    • T
      tha_toadman
      last edited by Feb 10, 2015, 9:08 PM

      For me, I pretty much never put in a source port.  As others have said, they are usually random, so no point.  And also, I put them right at the top - since they are handled from the top down, start with the most specific and go from there.

      Yeah it was towards the end of the day when I put that original rule in. I've since modified it to read as:

      block  IPv4 TCP * * WAN address 22 (SSH) * none

      I've corrected both the Floating and the WAN but I'm still telling you, SSH is open. The default deny isn't working in this case. Once that SSH server is enabled, it's WAN accessible on my box.

      My top 3 rules on the WAN tab (apologies on the formatting):

      block *            Reserved/not assigned by IANA * * *                         *        *   * Block bogon networks
      block *         Private_Networks                      * *      *                         *      none (custom rule)
      block IPv4 TCP *                                         * WAN address 22 (SSH) * none Block SSH remote access

      I don't have any 1:1 going either.

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Feb 10, 2015, 9:15 PM

        ok heres another thing - once you create the rules to block.  You have to kill the states.. So for example got in.. You need to kill all the states from my IP, or flush them all.  Or have to wait til they expire.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • A
          acherman
          last edited by Feb 10, 2015, 9:20 PM

          I actually added the rules, and then I turned SSH on and back to 22.  Would that have not allowed the states to begin with?  Or no?

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Feb 10, 2015, 9:22 PM

            no that would not have flushed the states in the firewall.  That just tells the box to listen or not listen.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • A
              acherman
              last edited by Feb 10, 2015, 9:27 PM

              Okay, I just reset all states - that should confuse some people.  I will watch the logs now…

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Feb 10, 2015, 9:34 PM

                so you do understand its not just ssh that is open

                pfsenseopentopublic.png
                pfsenseopentopublic.png_thumb

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Feb 10, 2015, 9:35 PM

                  If you PM a login - I would be happy to take a look to what is going on.

                  And ssh is still open..  If you flushed the states..  You go something major issue here..  Either your rules are not being applied or you have something that in front of it allowing it.

                  pfctl -sa

                  Lets take a look at the rules..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • A
                    acherman
                    last edited by Feb 10, 2015, 9:41 PM

                    PM sent.  Thanks John.

                    Just joking.  Apparently I hit the email button instead.

                    1 Reply Last reply Reply Quote 0
                    • D
                      Derelict LAYER 8 Netgate
                      last edited by Feb 10, 2015, 9:45 PM

                      I don't even know where to start with what's wrong with your rules.  You might want to start over.

                      Of course everything is open.  You are connecting to something on PUBLIC net.  He has pass any any rules for that subnet from WAN1/WAN2.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Feb 10, 2015, 9:46 PM

                        Ok first thing I see is you have that allow any any rule on multiple interfaces..  So wan_shaw has any any to public net, and there is no blocks on that interface.  So when I do a trace to that IP I hit..

                        13    49 ms    49 ms    47 ms  66.163.70.2
                        14    55 ms    52 ms    64 ms  64.141.125.254

                        What what connection is that 66.163.. So you have that allow on all your interfaces?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • A
                          acherman
                          last edited by Feb 10, 2015, 9:51 PM

                          Looks like that 66.163.70.2 is the router on our Shaw WAN - the address that I hit there is 64.141.127.249.

                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Feb 10, 2015, 9:52 PM

                            Ok I put in a rule on your shaw wan to block ssh to your .250, 251, 254

                            And I it looks blocked now.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Feb 10, 2015, 9:55 PM

                              Ok I added logging to the rule, and you can see blocked from my attempt to all 3 of them

                              Your going to want to go through these connections and block services to pfsense interfaces.  So for example I was able to remote in.. that should clearly be something you only allow when you want it.. And put in specific rule for ;)

                              blockedinlogs.png
                              blockedinlogs.png_thumb

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • A
                                acherman
                                last edited by Feb 10, 2015, 10:11 PM

                                Okay, so I had rules just like to start with (see first post).  Weird.  So, which address were you able to get in on?

                                1 Reply Last reply Reply Quote 0
                                • J
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Feb 10, 2015, 10:16 PM Feb 10, 2015, 10:13 PM

                                  I could ssh to all 3 of the ips.  And https is open on all three as well.

                                  Ssh is blocked now.. your going to want to block ports your gui is listening on.. https, I didn't check http.. And any thing else you might have running.. dns for example

                                  C:>dig @64.141.125.254

                                  ; <<>> DiG 9.9.5-W1 <<>> @64.141.125.254
                                  ; (1 server found)
                                  ;; global options: +cmd
                                  ;; Got answer:
                                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12950
                                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

                                  ;; OPT PSEUDOSECTION:
                                  ; EDNS: version: 0, flags:; udp: 4096
                                  ;; QUESTION SECTION:
                                  ;.                              IN      NS

                                  ;; ANSWER SECTION:
                                  .                      87258  IN      NS      b.root-servers.net.
                                  .                      87258  IN      NS      l.root-servers.net.
                                  .                      87258  IN      NS      f.root-servers.net.
                                  .                      87258  IN      NS      i.root-servers.net.
                                  .                      87258  IN      NS      e.root-servers.net.
                                  .                      87258  IN      NS      d.root-servers.net.
                                  .                      87258  IN      NS      a.root-servers.net.
                                  .                      87258  IN      NS      g.root-servers.net.
                                  .                      87258  IN      NS      j.root-servers.net.
                                  .                      87258  IN      NS      h.root-servers.net.
                                  .                      87258  IN      NS      m.root-servers.net.
                                  .                      87258  IN      NS      k.root-servers.net.
                                  .                      87258  IN      NS      c.root-servers.net.

                                  ;; Query time: 110 msec
                                  ;; SERVER: 64.141.125.254#53(64.141.125.254)
                                  ;; WHEN: Tue Feb 10 16:10:40 Central Standard Time 2015
                                  ;; MSG SIZE  rcvd: 239

                                  DUDE!!!! you have a recursive dns listening on the public net!!  That is normally not good!!  Bock that as well!!!

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • A
                                    acherman
                                    last edited by Feb 10, 2015, 10:14 PM

                                    Damnit!!!  >:(

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by Feb 10, 2015, 10:16 PM

                                      This why you normally don't do a any any rule on your wan ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • A
                                        acherman
                                        last edited by Feb 10, 2015, 10:20 PM

                                        You lost me with the recursive DNS part.

                                        Also, so, without the any any rule, how would I pass all routed traffic to the the commercial hosts on that net?

                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by Feb 10, 2015, 10:25 PM

                                          Recursive – I can ask you for any domain on the planet..

                                          ; <<>> DiG 9.9.5-W1 <<>> @64.141.125.254 www.google.com               
                                          ; (1 server found)                                                     
                                          ;; global options: +cmd                                               
                                          ;; Got answer:                                                         
                                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37163             
                                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 1

                                          ;; OPT PSEUDOSECTION:                                                 
                                          ; EDNS: version: 0, flags:; udp: 4096                                 
                                          ;; QUESTION SECTION:                                                   
                                          ;www.google.com.                        IN      A

                                          ;; ANSWER SECTION:                                                     
                                          www.google.com.        135    IN      A      207.34.103.20         
                                          www.google.com.        135    IN      A      207.34.103.54         
                                          www.google.com.        135    IN      A      207.34.103.29         
                                          www.google.com.        135    IN      A      207.34.103.30         
                                          www.google.com.        135    IN      A      207.34.103.59         
                                          www.google.com.        135    IN      A      207.34.103.39         
                                          www.google.com.        135    IN      A      207.34.103.50         
                                          www.google.com.        135    IN      A      207.34.103.40         
                                          www.google.com.        135    IN      A      207.34.103.35         
                                          www.google.com.        135    IN      A      207.34.103.55         
                                          www.google.com.        135    IN      A      207.34.103.45         
                                          www.google.com.        135    IN      A      207.34.103.34         
                                          www.google.com.        135    IN      A      207.34.103.49         
                                          www.google.com.        135    IN      A      207.34.103.44         
                                          www.google.com.        135    IN      A      207.34.103.24         
                                          www.google.com.        135    IN      A      207.34.103.25

                                          ;; Query time: 69 msec                                                 
                                          ;; SERVER: 64.141.125.254#53(64.141.125.254)                           
                                          ;; WHEN: Tue Feb 10 16:18:15 Central Standard Time 2015               
                                          ;; MSG SIZE  rcvd: 299

                                          You then go look it up for me..  This is can be used for HUGE amplification attacks.. Do you not read the news? ;)

                                          Normally with a transit network, so pfsense interface is not exposed to the any any rule with a downstream router.  My point to the any any, is doing so normally exposes stuff that might not of thought of..  Like your web gui to your firewall, ssh, dns, etc.

                                          If you want to continue to use the any any - then create a specific block rule containing all the stuff you don't want to expose for pfsense interface in that segment, and then make sure its applied on the appropriate interfaces where that traffic comes in.

                                          Or make the any any specific to the IPs the customer is using and not true any any.. so like 64.141.125.1 to 249 for example..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          40 out of 59
                                          • First post
                                            40/59
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received