OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: aaron1231 on April 05, 2021, 04:49:27 am

Title: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 04:49:27 am
so I have a fresh install of 21.4. Very basic setup, WAN & LAN only.

Default rules on the LAN side. Trying to enable a port forward from a jump server to hit the firewall on port 10022 and have it forwarded to a local server on port 22.

I have an incoming WAN ICMP rule from the jump server that works fine, however the port forward rule does not. While trying to figure that out...

I can ssh to the jump server and it will let me stay connected for about 30-60 seconds, and then the firewall decides to block traffic for the same session I just established?

I have IDS enabled, but set only to alert.

I cannot find the 'default rule' that seems to be blocking the session. (Is this a bug? When I click into the info on the rule and click the hyperlink to bring up the rule that is blocking it, it opens a window that is immediately closed in Chrome and Firefox. Bringing it up, it looks like https://opnsense/firewall_rule_lookup.php is not returning anything. Is the script broken?)

Apparently I can't upload attachments to this forum either. Here's the log file:

https://photos.app.goo.gl/mMsxEaKDM49akHxS6

I'm seeing a ton of LAN -> Internet traffic that is getting blocked by this default rule for other hosts as well.
Title: Re: host being blocked after session is established?
Post by: Greelan on April 05, 2021, 06:04:43 am
Show us what your port forward looks like. And your firewall rules.

The default deny rule is an automatic floating rule.
Title: Re: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 04:53:37 pm
I'm boggled why the default deny rule would be hit after a successful connection is allowed.

I've added all rules I put in to the gphotos link: https://photos.app.goo.gl/mMsxEaKDM49akHxS6
Title: Re: host being blocked after session is established?
Post by: Fright on April 05, 2021, 05:25:59 pm
There is no connection from the jump host to tcp/10022 on WAN.
So OPN allows the connection from 10.99 to the jump host's ssh; the jump host hits tcp/22 on WAN, times out on this, closes the connection for 10.99, and pf blocks the tcp PSH-ACK from 10.99 to the jump host since the connection is already closed and the state is killed.
Title: Re: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 05:34:43 pm
Shouldn't the port forward rule do this?

The rules are not showing it, but if I ssh user@23.126.222.155 -p 10022 from the jump host nothing shows in the logs...

And why would a failure to connect here cause the initial session to the jump box to be closed? That's not a normal expected behavior. I would expect to see the connection blocked and error out immediately?
Title: Re: host being blocked after session is established?
Post by: Fright on April 05, 2021, 05:48:01 pm
Quote
The rules are not showing it, but if I ssh user@23.126.222.155 -p 10022 from the jump host nothing shows in the logs...
You need to enable logging for the corresponding rule on WAN.

IMHO, maybe you'd better re-create the port-forward rule, allowing logging and associated rule creation (Filter rule association: Add associated filter rule).

Quote
And why would a failure to connect here cause the initial session to the jump box to be closed?
It looks like this jump box is closing the connection as it cannot connect to the target host (tcp/22 is closed on WAN). The jump box should try 10022.
Title: Re: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 05:54:54 pm
Logging is enabled for the NAT rule, nothing is being logged. I will try to recreate.

So the session being closed will happen even if I don't attempt anything.

SSH from inside network -> jump box. Mess around on the box for 40 seconds -> default deny rule hits.
Title: Re: host being blocked after session is established?
Post by: Fright on April 05, 2021, 06:08:47 pm
Quote
Logging is enabled for the NAT rule, nothing is being logged. I will try to recreate.
IMHO you're a little confused by creating rules manually:
firewall rules are checked after translation, so you don't need a rule for port 10022 with a "this firewall" destination.
And logging is not enabled for the "192.168.10.20" rule on WAN.

Quote
So the session being closed will happen even if I don't attempt anything.
The OPN pf default tcp.established timeout is 86400s.
So I keep thinking that the connection is closed by the jump host itself.
Title: Re: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 06:26:34 pm
I enabled logging on the WAN rule - still no entries created.

The connection is not being closed by the jump host. When the default deny rule is being thrown in the logs, the session hangs and it stops any traffic mid-typing. It's not a timeout being hit; the default drop FW rule is suddenly being enforced on the active session after 25-40 seconds of being connected. I'm confused as to how that's being applied when it should allow any from LAN -> WAN.
Title: Re: host being blocked after session is established?
Post by: Fright on April 05, 2021, 06:43:17 pm
Now I'm a little confused. Can you disable the rules on the WAN interface (except for the Muppets ping), delete and re-create the port-forward rule allowing logging and associated rule creation (Filter rule association: Add associated filter rule), and try to connect from the jump host to port 10022 on WAN, or make a jump with the port specified?
Title: Re: host being blocked after session is established?
Post by: aaron1231 on April 05, 2021, 06:48:47 pm
I have two problems and I'm probably causing confusion trying to do both. Let's just work on this one.

I nuked all the rules I made from WAN, LAN, and NAT except for allowing incoming ICMP, since that one works.

I ssh from inside my network to the jump box, and in 21 seconds the default deny rule kicks on and locks up all traffic for the session.

Interface   Time             Source                 Destination           Proto   Label
LAN         Apr 5 11:46:33   192.168.10.99:56083    108.161.128.28:22     tcp     Default deny rule
LAN         Apr 5 11:46:33   192.168.10.99:56083    108.161.128.28:22     tcp     Default deny rule
WAN         Apr 5 11:46:13   108.161.128.28         23.126.222.155        icmp    Allow ping from Muppets
WAN         Apr 5 11:46:02   192.168.10.99:56083    108.161.128.28:22     tcp     let out anything from firewall host itself


I'm having this problem with almost any host in the LAN. Trying to send an email at the moment through Gmail that's 2M and it's hanging... thousands of denies in the logs on the default rule. I change my default route to my old router and it sends right away.
Title: Re: host being blocked after session is established?
Post by: Fright on April 05, 2021, 07:10:12 pm
Got it.
From the firewall's point of view, the client is trying to use a closed connection; that is, the state has already been killed.
Server/client inactivity timeout settings are possible.
If after connecting you continue to type something, is the connection not dropped?
Any clues in the jump server's sshd logs?
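The diagnosis Fright gives (a packet on an already-passed flow hitting the default deny because pf no longer holds a state for it) can be checked mechanically against the live-log excerpt aaron1231 pasted. The script below is an added example, not code from the thread or from the OPNsense project: it parses lines in that six-column layout, orders them oldest first, and for every "Default deny rule" hit reports whether the same src/dst/proto flow was passed earlier and how many seconds before. The sample log is constructed from the four lines in the thread; the year 2021 and the rule that only the "Default deny" label counts as a block are assumptions.

```python
import re
from datetime import datetime

# Assumption: the log excerpt carries no year; 2021 is taken from the thread date.
YEAR = 2021

# Constructed sample in the column layout of the live-log excerpt quoted in the
# thread (interface, time, source, destination, protocol, rule label), newest first.
SAMPLE_LOG = """\
LAN      Apr 5 11:46:33   192.168.10.99:56083   108.161.128.28:22   tcp   Default deny rule
LAN      Apr 5 11:46:33   192.168.10.99:56083   108.161.128.28:22   tcp   Default deny rule
WAN      Apr 5 11:46:13   108.161.128.28   23.126.222.155   icmp   Allow ping from Muppets
WAN      Apr 5 11:46:02   192.168.10.99:56083   108.161.128.28:22   tcp   let out anything from firewall host itself
"""

# Assumption: only the automatic "Default deny rule" label marks a block; every
# other label in the excerpt is a pass rule that created a pf state.
BLOCK_LABEL = "default deny"


def parse_line(line):
    """Split one log line on runs of two or more spaces into its six columns."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != 6:
        return None
    iface, ts, src, dst, proto, label = fields
    return {
        "iface": iface,
        "time": datetime.strptime(f"{ts} {YEAR}", "%b %d %H:%M:%S %Y"),
        "src": src,
        "dst": dst,
        "proto": proto,
        "label": label,
        "action": "block" if label.lower().startswith(BLOCK_LABEL) else "pass",
    }


def state_gaps(log_text):
    """For every default-deny hit, find the most recent pass on the same flow.

    A deny on a flow that was passed seconds earlier means the packet arrived
    after pf's state for that flow was gone (killed or timed out): the
    mid-session "Default deny rule" symptom described in the thread. A deny
    with no earlier pass on the same flow is a different problem: no state was
    ever created, so the first packet itself was refused.
    """
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["time"])  # the live log lists newest first
    last_pass = {}
    findings = []
    for e in entries:
        key = (e["src"], e["dst"], e["proto"])
        if e["action"] == "pass":
            last_pass[key] = e
            continue
        prior = last_pass.get(key)
        findings.append({
            "flow": key,
            "iface": e["iface"],
            "blocked_at": e["time"].strftime("%H:%M:%S"),
            "had_state": prior is not None,
            "seconds_after_pass": (
                int((e["time"] - prior["time"]).total_seconds()) if prior else None
            ),
        })
    return findings


if __name__ == "__main__":
    for f in state_gaps(SAMPLE_LOG):
        src, dst, proto = f["flow"]
        if f["had_state"]:
            print(f"{f['blocked_at']} {proto} {src} -> {dst}: denied "
                  f"{f['seconds_after_pass']}s after the pass that created its state")
        else:
            print(f"{f['blocked_at']} {proto} {src} -> {dst}: denied with no prior pass")
```

On the sample this flags both LAN denies as landing 31 seconds after the pass for 192.168.10.99:56083 -> 108.161.128.28:22, which is the pattern of a state that disappeared mid-session rather than a rule that never matched. To confirm on the firewall itself while the ssh session is still up, `pfctl -s states | grep 108.161.128.28` shows whether pf still holds the state, and `pfctl -s timeouts` shows the tcp.established value Fright quotes; if the state is gone well before that timeout, something other than pf's own idle timer removed it.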