ssh access

Started by tdalej, January 06, 2025, 10:54:54 PM

It seems in the gui the ability to enable ssh access is global and I don't see anything that is interface specific.
Is the WAN interface disabled for ssh access by default?



The WAN interface blocks all incoming connections by default via firewall rules, so services listening on all interfaces are not a security concern; it is generally the recommended way to run e.g. SSH, Unbound, etc.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I don't disagree with Patrick, but [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] is a thing....

So:
WAN blocked by default
LANS have access by default

If I need to block access from some LANs, I need to create firewall rules.

Only the default LAN interface was given an allow any to any rule (IPv4 and IPv6).
If this is not appropriate, you can curtail this further.
Additional interfaces get no default rules, just the minimal automatically generated rules (up to DHCP).

You don't necessarily need to block anything if you didn't allow more than needed (and if you did, you can be more granular).

Quote from: dseven on January 07, 2025, 11:34:17 AM
I don't disagree with Patrick, but [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] is a thing....

That only appears to allow a single interface or all.  All is the default.

No, it's a multi-select, but it has other limitations, so we still recommend the default "deselect all", which truly means all ;)

April 04, 2025, 03:02:13 PM #7 Last Edit: April 08, 2025, 06:58:56 PM by Patrick M. Hausen
Quote from: franco on April 04, 2025, 02:44:26 PM
No, it's a multi-select, but it has other limitations, so we still recommend the default "deselect all", which truly means all ;)

The important thing to consider is that none selected == "All (recommended)" is not equivalent to selecting all of the interfaces explicitly!

Not selecting any leads to a bind() system call to INADDR_ANY aka 0.0.0.0 for IPv4. This address is stable even in the case that interfaces come and go.

If you listen on all interfaces explicitly, e.g. 192.168.1.1, 192.168.2.1, ... and you pull the cable from LAN, then 192.168.1.1 vanishes and the open socket of the service is closed. Now you plug the cable back in, the IP address comes back online, but whichever service we consider here will not automatically resume listening on 192.168.1.1, because the socket API does not provide an easy-to-use automatic mechanism for that.

Historical problem, but also probably not going to ever be fixed, because stable APIs ...

So it is best to listen on 0.0.0.0. That's the reason for the "recommended" in the UI.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

What Patrick said, plus the bit about "::", the any-address equivalent in IPv6, which also holds true.


Cheers,
Franco
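An added illustration of the point made in the two posts above (this is example code, not code from the thread or from OPNsense): a wildcard bind to 0.0.0.0 or :: succeeds regardless of which interface addresses currently exist, while a bind to a specific address that is not configured on the host fails with EADDRNOTAVAIL, which is the state a service is left in after an interface address vanishes and comes back. It assumes Python's standard socket module on a Linux or FreeBSD host, and that 192.0.2.1 (TEST-NET-1) is not configured locally, so it stands in for a LAN address whose interface is currently down.

```python
import errno
import socket


def try_bind(addr, port=0):
    """Try to create a listening TCP socket on addr.

    Returns "bound" on success, otherwise the errno name (e.g. "EADDRNOTAVAIL").
    port=0 lets the kernel pick a free ephemeral port, so the check has no
    lasting side effect; the socket is closed before returning.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError as exc:  # e.g. EAFNOSUPPORT on a host without IPv6
        return errno.errorcode.get(exc.errno, str(exc.errno))
    with sock:
        try:
            sock.bind((addr, port))
            sock.listen(1)
            return "bound"
        except OSError as exc:
            # A specific address that is not (or no longer) configured on any
            # interface cannot be bound: this is EADDRNOTAVAIL.
            return errno.errorcode.get(exc.errno, str(exc.errno))


def listen_plan(addrs):
    """Map each candidate listen address to the outcome of binding it."""
    return {addr: try_bind(addr) for addr in addrs}


if __name__ == "__main__":
    # 192.0.2.1 is assumed NOT to be configured on this machine (assumption).
    for addr, result in listen_plan(["0.0.0.0", "::", "127.0.0.1", "192.0.2.1"]).items():
        print(f"{addr:>12}: {result}")
```

The wildcard entries bind whether or not any LAN is up; the explicit address only binds while that address exists, and nothing in the socket API re-binds it when the address returns, which is exactly why the empty selection ("All (recommended)") is the safer choice.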

So, as I understand (and checked), the global setting doesn't work as may be mentioned.
If you set [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] to all, this will not enable access to SSH via the WAN IP...!?
And there are no docs describing how to enable it.
I tried to enable NAT port forwarding, but it's not clear to which IP (WAN? LAN? This firewall?) to forward. But it succeeds if pf is disabled )
And additionally, should there be some firewall rule to enable access to the SSH port?
I think that's a very common issue: enabling access to the router from an external network (taking some security issues into account).
Please, somebody help to solve this config issue!

p.s. I'm trying to "switch" from pfSense (have about 5 years of uptime) to OPNsense and now having some "misunderstanding" of approaches in the UI and configuration.

You just need a FW rule (in on WAN, for the port specified in settings).
Listening on all interfaces is recommended only because access is controlled by FW rules.

Enabling a VPN server on OPN is an alternative for remote access.
At least Wireguard can't be "probed" the same way ssh can be...
If you enable SSH on IPv4 WAN, be prepared for brute force attacks, even if you change the port.
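As an added example of what the brute-force warning above looks like in practice (example code written for this page, not from the thread or from OPNsense): a small parser that runs over OpenSSH auth-log lines, counts failed password attempts per source address and flags sources above a threshold. The log lines below are constructed for the example and the hostname, PIDs, addresses and threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the OpenSSH auth-log format (not from a real host).
SAMPLE_LOG = """\
Jan  7 11:34:17 fw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  7 11:34:19 fw sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan  7 11:34:21 fw sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan  7 11:34:22 fw sshd[2107]: Invalid user oracle from 203.0.113.5 port 51240
Jan  7 11:34:24 fw sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan  7 11:35:02 fw sshd[2111]: Accepted publickey for root from 192.168.1.20 port 40112 ssh2
Jan  7 11:36:40 fw sshd[2113]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def failed_logins(log_text):
    """Count failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def usernames_tried(log_text):
    """Map each source IP to the sorted set of usernames it tried."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users[m.group("ip")].add(m.group("user"))
    return {ip: sorted(names) for ip, names in users.items()}


def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failed password attempts (assumed threshold)."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip in brute_force_sources(SAMPLE_LOG):
        print(ip, failed_logins(SAMPLE_LOG)[ip], "failures, users:", usernames_tried(SAMPLE_LOG)[ip])
```

The same pattern, one source cycling through admin/root/oracle within seconds, is what you will see shortly after opening port 22 on an IPv4 WAN; a VPN endpoint as suggested above keeps sshd off the public address entirely, and if SSH must be exposed, key-only authentication and a sensible lockout threshold are the minimum.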