SSH Works on LAN but not WAN

kand
Posts: 2
Joined: Tue Jul 14, 2015 9:19 pm


Post by kand » Wed Jul 15, 2015 12:39 pm

I have SFTP working fine via LAN, but if I try to access it via the external IP I see it gets blocked by Murus/PF. I have SSH set to allow everyone and brute force is on. I see the log and rule entry, but it does not make sense to me. This is the entry in the log visualizer: rule 36.murus.inbound.120/0(match): block in on en0:. I opened the rule browser and line 36 was anchor "murus.inbound" all label "Inbound"; when I open that, it says on line 120 (which I think is the right thing to look at): block drop in log proto tcp from any to any port 1:1023. On the right side it shows Brute Force as the group (I think).

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: SSH Works on LAN but not WAN

Post by hany » Wed Jul 15, 2015 9:41 pm

> I open that it says on line 120 (which I think is the right thing to look at)
Yes, right place. If the ruleset didn't change since the log was recorded, then it's definitely the right place.
> block drop in log proto tcp from any to any port 1:1023
This is the port range for the Murus service "SYSTEM PORTS" (the big round yellow icon).
Probably you put this service after the SSH service in the Murus Inbound Managed Services view.
Port 22 is included in the port range 1:1023, so it probably overrides the previous pass rule for SSH.

Please check and let me know. Remember to always display the Expanded PF Configuration view to check rule order and overrides.

P.S.
Please consider the possibility of changing the SSH WAN port from the default 22 to some random port. You can do that using PF redirection rules; you don't need to change your current sshd settings. sshd should always listen on 22, but you may be safer exposing a non-default port on the WAN side. Brute force protection blocks attempts to access your ssh by guessing the password, but does not protect your sshd from other kinds of attack, so sshd on 22 is really something you want to do on a honeypot, not on your Mac :) my 2 cents :D

kand
Posts: 2
Joined: Tue Jul 14, 2015 9:19 pm

Re: SSH Works on LAN but not WAN

Post by kand » Thu Jul 16, 2015 1:46 pm

Thank you for the response and advice. I did end up finding what was blocking the port prior to your post, but a couple of things in relation to the issue. The box itself sits behind a SonicWall (all the protection bells and whistles on the associated interface) in a DMZ on our network. The SonicWall only passes port 22 to this device from the WAN, as it is an SFTP server. Additionally, this box is always patched and runs Symantec Endpoint Protection as well as the application firewall (and of course PF too). So I think it is as safe as I can make the box and still provide the service I need to provide.

All that said, how do I allow WAN access for SFTP without allowing everyone on the System Ports (or should I allow Everyone access to system ports in this scenario)? I have not had luck rearranging the order of rules (is that done in the Rules Browser?). The anchor that I mentioned (36) only shows Brute Force as the group on the right side of the Rule Browser when I open the rule 36 anchor (group). I took this to mean it only applies to those added to the brute force group (which still looks empty even though I have seen it block some connections).

Thanks!

hany
Posts: 481
Joined: Wed Dec 10, 2014 5:20 pm

Re: SSH Works on LAN but not WAN

Post by hany » Fri Jul 17, 2015 10:33 pm

> All that said, how do I allow WAN access for SFTP without allowing everyone on the System Ports (or should I allow Everyone access to system ports in this scenario)? I have not had luck rearranging the order of rules (is that done in the Rules Browser?)
You should not allow access to system ports from everyone; there's no need for it. To rearrange the rule order you have to rearrange the service order in Managed Inbound Services: drag the SSH service after the SYSTEM PORTS service. Keep the Configuration view open, so you can see the two groups of rules switching positions.

There is another way to do that, leaving the actual rule order intact. Just add a custom rule (you need Murus Basic or Murus Pro) to allow SSH connections from everyone on the WAN interface, like this (assuming en0 is your WAN interface):

    pass in on en0 inet proto tcp from any to (en0) port 22

Custom rules are evaluated at the end of the ruleset, so they override the rules generated by the service icons.
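Both fixes in this thread (dragging SSH after SYSTEM PORTS, or appending a custom rule) work for the same reason: PF evaluates the whole ruleset and the last matching rule wins, so a later `block ... port 1:1023` silently overrides an earlier `pass ... port 22`, and anything appended after the block wins it back. The Python model below is an added example, not code from Murus or from either poster. It parses the block rule quoted from the log and hany's custom rule, plus an assumed shape for the pass rule the "SSH, allow everyone" service generates, and evaluates an inbound WAN packet against each ordering. It also shows PF's `quick` keyword, which the thread does not mention. The WAN interface name en0, its address 203.0.113.10, and the service rule text are constructed assumptions; Murus's other anchors (LAN trust, brute-force tables) are not modelled.

```python
"""PF 'last matching rule wins' model, run over the rules from this thread.
Added example, not Murus code or the posters' own. The WAN interface name and
address (en0 = 203.0.113.10) and the shape of the pass rule that Murus emits for
"SSH, allow everyone" are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IFACE_ADDRS = {"en0": "203.0.113.10"}  # assumed; "(en0)" in a rule means en0's address

@dataclass
class Packet:
    iface: str
    proto: str
    dst_addr: str
    dst_port: int

@dataclass
class Rule:
    action: str                        # "pass" or "block"
    iface: Optional[str]               # None = any interface
    proto: Optional[str]               # None = any protocol
    dst: str                           # "any", "(en0)", or a literal address
    ports: Optional[Tuple[int, int]]   # inclusive destination port range
    quick: bool                        # 'quick' ends evaluation on match
    text: str

def parse_rule(text: str) -> Rule:
    """Parse the pf.conf filter subset used in this thread (no macros, lists, states)."""
    toks = text.split()
    if toks[0] not in ("pass", "block"):
        raise ValueError(f"unsupported action in: {text}")
    iface = proto = side = None
    dst, ports, quick, i = "any", None, False, 1
    while i < len(toks):
        t = toks[i]
        if t == "on":
            iface = toks[i + 1]; i += 2
        elif t == "proto":
            proto = toks[i + 1]; i += 2
        elif t == "from":
            side = "src"; i += 2              # source address ignored (always 'any' here)
        elif t == "to":
            side = "dst"; dst = toks[i + 1]; i += 2
        elif t == "port":
            lo, _, hi = toks[i + 1].partition(":")
            if side == "dst":                 # only destination ports are modelled
                ports = (int(lo), int(hi or lo))
            i += 2
        elif t == "quick":
            quick = True; i += 1
        elif t in ("in", "out", "drop", "return", "log", "inet", "inet6"):
            i += 1                            # direction/log/family do not affect matching here
        else:
            raise ValueError(f"unsupported token {t!r} in: {text}")
    return Rule(toks[0], iface, proto, dst, ports, quick, text)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst != "any":
        want = IFACE_ADDRS[rule.dst[1:-1]] if rule.dst.startswith("(") else rule.dst
        if want != pkt.dst_addr:
            return False
    return rule.ports is None or rule.ports[0] <= pkt.dst_port <= rule.ports[1]

def evaluate(ruleset: List[str], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, winning rule). PF walks the whole ruleset and the LAST matching
    rule decides, unless a matching rule is 'quick', which stops evaluation right there.
    With no match at all PF's own default is pass (Murus adds its own default blocks)."""
    winner = None
    for rule in map(parse_rule, ruleset):
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.text) if winner else ("pass", None)

SYSTEM_PORTS = "block drop in log proto tcp from any to any port 1:1023"  # quoted from the log
CUSTOM_RULE = "pass in on en0 inet proto tcp from any to (en0) port 22"  # hany's custom rule
SSH_SERVICE = "pass in log proto tcp from any to any port 22"            # assumed service rule
AS_CONFIGURED = [SSH_SERVICE, SYSTEM_PORTS]             # SSH placed before SYSTEM PORTS: broken
REORDERED = [SYSTEM_PORTS, SSH_SERVICE]                 # fix 1: drag SSH after SYSTEM PORTS
WITH_CUSTOM = [SSH_SERVICE, SYSTEM_PORTS, CUSTOM_RULE]  # fix 2: custom rule appended at the end
WITH_QUICK = ["pass in quick proto tcp from any to any port 22", SYSTEM_PORTS]  # quick short-circuits
WAN_SSH = Packet("en0", "tcp", "203.0.113.10", 22)    # SFTP client on the Internet
WAN_HTTP = Packet("en0", "tcp", "203.0.113.10", 80)   # must stay blocked in every variant

if __name__ == "__main__":
    for name, rs in [("as configured", AS_CONFIGURED), ("reordered", REORDERED),
                     ("custom rule", WITH_CUSTOM), ("quick", WITH_QUICK)]:
        for pkt in (WAN_SSH, WAN_HTTP):
            verdict, rule = evaluate(rs, pkt)
            print(f"{name:14} en0:{pkt.dst_port:<3} -> {verdict:5} by: {rule}")
```

Note that the custom rule is scoped to en0 and to en0's own address, so it opens port 22 only on the WAN side and leaves port 80 (and every other system port) blocked; that is the least-privilege version of the fix, as opposed to allowing Everyone on SYSTEM PORTS. To check the real ruleset on the Mac rather than the model, `sudo pfctl -sr` prints the loaded filter rules in evaluation order, `sudo pfctl -a murus.inbound -sr` prints only the rules inside that anchor, `sudo pfctl -vvsr` adds the `@N` rule numbers that the log visualizer's "36" and "120" refer to, and `sudo pfctl -nf /path/to/pf.conf` parses a ruleset without loading it.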
