  1. #11
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,322

    Originally posted by Jim.Alles:
    > I would NOT simply enable the "Allow SSH" rule, it opens the port on the WAN, as well.

    I've always been puzzled why the stock Allow SSH rule opens the port on every interface. At a bare minimum, it should be restricted to Any Non-WAN. If someone really wants to open SSH to the WAN, they should have to write their own rule.

  2. #12
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,196

    Originally posted by johnsonx42:
    > I've always been puzzled why the stock Allow SSH rule opens the port on every interface. At a bare minimum, it should be restricted to Any Non-WAN. If someone really wants to open SSH to the WAN, they should have to write their own rule.

    What are you talking about?! By default ssh is closed on all interfaces.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #13
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,251

    Originally posted by jcoffin:
    > What are you talking about?! By default ssh is closed on all interfaces.

    The default rule to enable SSH is wide open, the rule is certainly disabled by default but the rule itself really should be modified with a source interface: non-wan flag at least.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #14
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Originally posted by jcoffin:
    > What are you talking about?! By default ssh is closed on all interfaces.

    He is talking about the structure of the only rule provided.

    He didn't say that the stock/default configuration had that rule enabled.

    Obviously, I tend to agree with him. I would rather see it structured like all of the other, similar rules:
    "Allow HTTPS on non-WANs"

  5. #15
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Originally posted by sky-knight:
    > The default rule to enable SSH is wide open, the rule is certainly disabled by default but the rule itself really should be modified with a source interface: non-wan flag at least.

    It feels like an accident waiting to happen (to somebody).

    And the best-practice recommendation could be:
    To use OpenVPN into the NGFW LAN environment to use the SSH connection
    Last edited by Jim.Alles; 06-16-2020 at 01:05 PM.
    If you think I got Grumpy

  6. #16
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,196

    Originally posted by Jim.Alles:
    > Obviously, I tend to agree with him. I would rather see it structured like all of the other, similar rules:
    > "Allow HTTPS on non-WANs"

    Since we don't support command line changes, we discourage it. You can create your own rule to enable ssh any way you feel fit.

  7. #17
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,251

    Given that stance, I'd suggest simply removing the stock rule entirely.
    Jim.Alles and sperman like this.

  8. #18
    Untangle Ninja
    Join Date
    Jan 2011
    Posts
    1,322

    Originally posted by sky-knight:
    > Given that stance, I'd suggest simply removing the stock rule entirely.

    Exactly - if Untangle doesn't want to encourage enabling SSH, get rid of the stock rule altogether. Don't give us a stock rule that's objectively BAD, and shouldn't be used at all.

    That said, there are tons of good reasons to allow SSH, so having a GOOD allow SSH rule that's disabled by default would be the preferred choice.
    Last edited by johnsonx42; 06-16-2020 at 02:13 PM.
    Jim.Alles likes this.

  9. #19
    Untangler
    Join Date
    Dec 2017
    Posts
    91

    Sorry thought I was asking a simple question. Didn’t mean it to turn into a huge thing.

  10. #20
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Originally posted by flynhawaiian:
    > Sorry thought I was asking a simple question. Didn’t mean it to turn into a huge thing.

    No worries - we aren't mad at each other!

    There are just some things that have been that way for a really long time, and I am guessing there was much internal debate at one time.

    It is good we had the discussion so people are aware of the risk exposure on that one!

    flynhawaiian likes this.
