#1
Master Untangler
Join Date: Jul 2008
Posts: 103
Hello,
I have a location that has been using Untangle since 8.x. They have SSH enabled on the inside so we can tinker around. SSH is blocked from the outside and this works fine. Their rule looks like this:
Source Interface: External
Destination Interface: Internal
Source Port: 22
Destination Port: 22
I recently installed 9.1 x32 on a new system. I too enabled SSH on the Untangle device. I created a firewall rule to block SSH from the outside. SOURCE PORT IS MISSING. Destination port is available. I cannot for the life of me create the rule that blocks SSH from the outside; SSH is exposed.
Workaround: I created a NAT rule to avoid it for now.
Protocol: TCP
Port: 22
Local IP: 0.0.0.0
This works for now. Am I missing something? All the other Untangle installs I and my friends have are now missing the SOURCE Port option?
#2
Hi,
Use the packet filter to control traffic to the Untangle server itself, and leave the source port empty. Traffic usually comes from a random source port to a specific destination port.
__________________
"Of all the things I've lost, I miss my mind the most" Untangle Reseller (Sweden) WebFooL@fakenews.se http://fakenews.se/ Need space to upload content for your forum post? http://about.me/webfool
#4
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
Firewall does not process traffic to Untangle, only through it.
You need to use packet filter (or just don't enable SSH in the first place). Yes, we removed source port because we got tired of explaining that if you add "source port = 22" it will never match anything.
__________________
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com
#5
Master Untangler
Join Date: Jul 2008
Posts: 103
Ok, this seems a bit confusing but I am not much of a network guy.
1. Disabled my previous NAT redirect to 0.0.0.0 to try Packet Filtering.
2. Went to http://wiki.untangle.com/index.php/Packet_Filter and was able to reach my Untangle PF rules.
3. Created rule:
Name: BLOCK SSH from WAN
Source Address: ANY
Protocol: TCP/UDP
Destination Port: 22
* Still allows SSH from the outside and inside.
* I disabled the System Packet Filter rule at the bottom that states "Accept SSH traffic from all interfaces", but that denies from inside and outside.
* Would I need to create a PF rule that states Allow SSH/22 from the inside only?
I guess I am not grasping this at all (obviously). At least I have the workaround for now.
#6
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
Change everything back.
Remove all bizarre NAT policy hacks. Remove firewall rules. Remove custom packet filter rules.
1) Now, uncheck "Accept SSH traffic from all interfaces."
2) Verify that SSH is blocked.
3) Add a packet filter rule to allow "protocol = TCP AND destination port = 22 AND source interface = internal".
4) Verify that SSH is accessible from the inside and not the outside.
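To make the point from posts #4 and #6 concrete, here is an added example (not Untangle code, and not part of the original thread) that models a first-match packet filter for traffic destined to the box itself. It shows why a rule conditioned on "source port = 22" never fires for inbound SSH, since the client picks an ephemeral source port and only the destination port is 22, and then checks the rule set from post #6: the "accept SSH from all interfaces" system rule removed, so traffic to the box falls through to a drop default (an assumption made here to model the unchecked system rule), plus one accept rule for TCP/22 arriving on the internal interface. The interface names, sample ports and rule names are constructed for the example.

```python
"""Toy first-match packet filter for the SSH rules discussed in this thread.

Added example; it is not Untangle's own code. Interface names ("external",
"internal"), port numbers and rule names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_iface: str   # interface the packet arrived on (assumed names)
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src_iface: Optional[str] = None  # None means "any"
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        conditions = (
            (self.src_iface, pkt.src_iface),
            (self.proto, pkt.proto),
            (self.src_port, pkt.src_port),
            (self.dst_port, pkt.dst_port),
        )
        return all(want is None or want == got for want, got in conditions)


def filter_packet(rules: List[Rule], pkt: Packet, default: str) -> Tuple[str, str]:
    """First matching rule wins; otherwise the chain's default action applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


# The rule carried over from 8.x in post #1: source port 22 AND destination port 22.
# The old firewall app passed unmatched traffic, so the default here is "accept".
LEGACY_RULE = [Rule("block SSH src 22 -> dst 22", "drop", "external", "tcp", 22, 22)]

# The rule set from post #6. With the system "accept SSH from all interfaces" rule
# unchecked, traffic to the box is assumed to fall through to a drop default, and a
# single rule accepts TCP/22 arriving on the internal interface.
LAN_ONLY_RULES = [Rule("allow SSH from internal", "accept", "internal", "tcp", None, 22)]

EPHEMERAL_PORTS = range(32768, 61000)  # typical Linux client source-port range


def count_legacy_matches() -> int:
    """How many inbound SSH SYNs from a WAN client would the legacy rule drop?

    An SSH client connects *from* a random ephemeral port *to* port 22, so a rule
    that also requires source port 22 never matches: the count is zero.
    """
    hits = 0
    for sport in EPHEMERAL_PORTS:
        pkt = Packet("external", "tcp", sport, 22)
        if filter_packet(LEGACY_RULE, pkt, default="accept")[0] == "drop":
            hits += 1
    return hits


def verify_lan_only() -> dict:
    """Step 4 of post #6: SSH reachable from inside, blocked from outside.

    The two packets are constructed samples with arbitrary ephemeral source ports.
    """
    from_wan = Packet("external", "tcp", 51234, 22)
    from_lan = Packet("internal", "tcp", 40211, 22)
    return {
        "wan": filter_packet(LAN_ONLY_RULES, from_wan, default="drop")[0],
        "lan": filter_packet(LAN_ONLY_RULES, from_lan, default="drop")[0],
    }


if __name__ == "__main__":
    print(f"legacy rule drops {count_legacy_matches()} of {len(EPHEMERAL_PORTS)} WAN SSH attempts")
    print(verify_lan_only())
```

The legacy rule only ever matches a client that happens to bind its own end to port 22 as well, which real SSH clients do not do by default; that is the situation post #4 refers to when it says a "source port = 22" condition never matches anything. Once the rule is expressed as destination port plus source interface, the same evaluator accepts the LAN connection and drops the WAN one.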
#7
Master Untangler
Join Date: Jul 2008
Posts: 103
Added the Source Interface to above rule from External and still no luck.
Disabled the "Accept SSH traffic from all interfaces" rule, created two new rules similar to the above but Deny from External and Allow from Internal interface; still results in problems.
#8
Untangle Junkie
Join Date: Nov 2006
Location: San Mateo, CA
URLs submitted: 10
Posts: 10,611
Post screenshots of your configuration.
Or just email support and we'll configure it for you. For the record, I'd recommend you not enable SSH.
#9
Master Untangler
Join Date: Jul 2008
Posts: 103
I understand the SSH concern, but for me I am tinkering with BandwidthD atm.
Another note. The firewall does not seem to be logging any SSH attempts at all. I have set up other rules (such as VPN and RDP) to be logged and they work, but SSH is not logged at all.
#10
Join Date: Jul 2008
Posts: 2,766
Connections to and from the untangle itself do not get processed by the UVM.
__________________
m. Big Frickin Disclaimer: While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions. It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.