Re: [pfSense Support] question on blocks SSH connections
On 12/08/10 23:51, RB wrote:
> Pretty much any port you allow out (or even SSL websites) raw will
> have this problem and you'll never reach 100% closure. You can
> approximate 100% with application proxies that monitor for and cut off
> aberrant behavior, but they'll never be perfect.

indeed, bypassing corporate firewalls to allow ssh is a popular game, see the ssh via https trick which is now pretty much fully automated in putty!

http://dag.wieers.com/howto/ssh-http-tunneling/

this is a classic problem of trying to solve a policy/training situation using a partial technology hack; chances are you'll annoy legitimate users more than you'll prevent the dodgy practices.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] question on blocks SSH connections
On 08/12/2010 03:51 PM, RB wrote:
> On Thu, Aug 12, 2010 at 16:29, Cinaed Simson wrote:
>> Hi - suppose the office LAN has one open outbound port - say IMAP on
>> port 143.
>>
>> I go home and configure my Linux desktop to run an SSH server on port 143.
>>
>> Now I return to the office and attempt to connect to my machine at home
>> via port 143.
>>
>> Can pfsense be configured to stop the outbound SSH connection on port 143?
>
> It's just a war of escalation. You can do layer-7 filtering to pick
> off basic abuses like this, but what if someone's really determined
> and writes an IMAP-based transport for their shell? The standard IMAP
> port supports switching to an encrypted mode post-connection. My
> personal favorite was the shell that used a custom SMTP transport
> layer - that one was nasty. Don't forget IP-over-DNS either. :)
>
> Pretty much any port you allow out (or even SSL websites) raw will
> have this problem and you'll never reach 100% closure. You can
> approximate 100% with application proxies that monitor for and cut off
> aberrant behavior, but they'll never be perfect.

Thanks for the comments.

I agree and we do have a Squid proxy, but we use SSH internally on all the machines. And we trained everyone to use SSH to access the office from home.

We're replacing SSH with Oracle's Secure Global Desktop using HTTPS.

fwsnort appears to have a solution but it only runs under iptables on Linux - I was hoping to avoid iptables.

--
"We are drowning in information and starving for knowledge."
- Rutherford D. Roger
Re: [pfSense Support] question on blocks SSH connections
On Thu, Aug 12, 2010 at 8:13 PM, Cinaed Simson wrote:
> On 08/12/2010 03:44 PM, Tim Dickson wrote:
>>> I don't know the IP addresses of the SSH servers on the Internet.
>>
>> Then only allow to the SSH servers you know/want? You can go either way...
>> block all and allow only certain IPs
>> Or allow all, and block certain IPs
>> On 2.0 you can block by OS type too...
>>
> I need to block all outbound SSH client connections to the Internet on
> all open outbound ports without interfering with the normal function of
> those ports.
>

Then you either need to start working with the L7 bits in 2.0 (offhand not sure what kind of shape that's in at the moment) for protocol detection, or force all outbound traffic to go through a proxy server that enforces protocols. There is nothing in 1.2.x that can differentiate between IMAP on 143 and SSH on 143.
RE: [pfSense Support] question on blocks SSH connections
Then you need a deny rule on your LAN interface that says 'DENY SOURCE LANNET DEST PORT 22'.

> -----Original Message-----
> From: Cinaed Simson [mailto:cinaed.sim...@gmail.com]
> Sent: Thursday, August 12, 2010 5:14 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] question on blocks SSH connections
>
> On 08/12/2010 03:44 PM, Tim Dickson wrote:
> >> I don't know the IP addresses of the SSH servers on the Internet.
> >
> > Then only allow to the SSH servers you know/want? You can go either
> > way... block all and allow only certain IPs Or allow all, and block
> > certain IPs On 2.0 you can block by OS type too...
> >
> I need to block all outbound SSH client connections to the Internet on all open
> outbound ports without interfering with the normal function of those
> ports.
>
> -- Cinaed
>
> --
> "We are drowning in information and starving for knowledge."
> - Rutherford D. Roger
Re: [pfSense Support] question on blocks SSH connections
On 08/12/2010 03:44 PM, Tim Dickson wrote:
>> I don't know the IP addresses of the SSH servers on the Internet.
>
> Then only allow to the SSH servers you know/want? You can go either way...
> block all and allow only certain IPs
> Or allow all, and block certain IPs
> On 2.0 you can block by OS type too...
>

I need to block all outbound SSH client connections to the Internet on all open outbound ports without interfering with the normal function of those ports.

-- Cinaed

--
"We are drowning in information and starving for knowledge."
- Rutherford D. Roger
Re: [pfSense Support] question on blocks SSH connections
On Thu, Aug 12, 2010 at 16:29, Cinaed Simson wrote:
> Hi - suppose the office LAN has one open outbound port - say IMAP on
> port 143.
>
> I go home and configure my Linux desktop to run an SSH server on port 143.
>
> Now I return to the office and attempt to connect to my machine at home
> via port 143.
>
> Can pfsense be configured to stop the outbound SSH connection on port 143?

It's just a war of escalation. You can do layer-7 filtering to pick off basic abuses like this, but what if someone's really determined and writes an IMAP-based transport for their shell? The standard IMAP port supports switching to an encrypted mode post-connection. My personal favorite was the shell that used a custom SMTP transport layer - that one was nasty. Don't forget IP-over-DNS either. :)

Pretty much any port you allow out (or even SSL websites) raw will have this problem and you'll never reach 100% closure. You can approximate 100% with application proxies that monitor for and cut off aberrant behavior, but they'll never be perfect.
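Added example, not code from anyone in this thread or from pfSense: the "layer-7" protocol detection that the replies above say 1.2.x lacks and that RB says is a war of escalation. It labels a TCP stream from the first bytes each side sends (the SSH identification string from RFC 4253, the IMAP greeting or tagged command from RFC 3501), reports SSH on a port opened for IMAP, and returns "unknown" for anything opaque, which is precisely the tunnelled case the banner check cannot settle. The sample flows are constructed.

```python
import re

# RFC 4253 s4.2: every SSH party opens with "SSH-protoversion-softwareversion".
SSH_IDENT = re.compile(rb"^SSH-(\d+\.\d+)-")
# RFC 3501 s7.1: an IMAP server greets with an untagged OK, PREAUTH or BYE.
IMAP_GREETING = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")
# RFC 3501 s2.2.1: an IMAP client line is a tag followed by a command name.
IMAP_COMMAND = re.compile(
    rb"^[A-Za-z0-9]+ (CAPABILITY|NOOP|LOGOUT|STARTTLS|AUTHENTICATE|LOGIN)\b", re.I)

def ssh_version(payload: bytes):
    """Return the SSH protocol version ('2.0', '1.99') if the payload opens
    with an identification string, else None. A server may send a few other
    CRLF-terminated lines before its banner, so the first lines are scanned."""
    for line in payload.split(b"\r\n", 8):
        m = SSH_IDENT.match(line)
        if m:
            return m.group(1).decode()
    return None

def classify(client_first: bytes, server_first: bytes) -> str:
    """Label one TCP stream from the first payload each side sent. Both sides
    are checked for SSH because an SSH client sends its banner without waiting
    for the server's, so a delayed or missing server banner does not hide it."""
    if ssh_version(client_first) or ssh_version(server_first):
        return "ssh"
    if IMAP_GREETING.match(server_first) or IMAP_COMMAND.match(client_first):
        return "imap"
    return "unknown"  # TLS, a tunnel or a custom transport: not classifiable here

def audit(flows, allowed):
    """flows: (dst_port, client_first, server_first) tuples; allowed: port -> protocol.
    Returns (port, label) for every flow not carrying the protocol its port is
    open for. 'unknown' is reported too: an opaque stream on an allowed port is
    exactly the case a banner check cannot vouch for."""
    labelled = ((port, classify(c, s)) for port, c, s in flows)
    return [(port, label) for port, label in labelled if label != allowed.get(port)]

# Constructed sample flows on the office's one open port; not real captures.
SAMPLE_FLOWS = [
    (143, b"a001 CAPABILITY\r\n", b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"),
    (143, b"SSH-2.0-OpenSSH_5.5p1\r\n", b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n"),
    (143, b"", b"Welcome\r\nSSH-2.0-example\r\n"),       # banner after a greeting line
    (143, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1", b""),  # TLS ClientHello: opaque
]

if __name__ == "__main__":
    for port, label in audit(SAMPLE_FLOWS, {143: "imap"}):
        print(f"port {port}: {label} where imap was expected")
```

Once the IMAP session has switched to TLS via STARTTLS, or the tunnel is wrapped in HTTPS as the dag.wieers.com trick does, nothing after the first exchange is visible to this check; that is the limit the thread is describing.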
Re: [pfSense Support] question on blocks SSH connections
On Thu, Aug 12, 2010 at 4:44 PM, Tim Dickson wrote:
> Then only allow to the SSH servers you know/want? You can go either way...
> block all and allow only certain IPs
> Or allow all, and block certain IPs

A whitelist will work if he knows the IPs that he wants to allow. Otherwise, how does pfsense know whether you're connecting to an imap server on port 143 or an ssh server on port 143?

> On 2.0 you can block by OS type too...

Source OS, but not destination. You could perhaps filter the ssh server as a source OS if you override the rule to allow established states, but does pfsense allow that? Not in the web UI for sure.

db
RE: [pfSense Support] question on blocks SSH connections
> I don't know the IP addresses of the SSH servers on the Internet.

Then only allow to the SSH servers you know/want? You can go either way...
block all and allow only certain IPs
Or allow all, and block certain IPs
On 2.0 you can block by OS type too...
Re: [pfSense Support] question on blocks SSH connections
On 08/12/2010 03:35 PM, David Burgess wrote:
> On Thu, Aug 12, 2010 at 4:29 PM, Cinaed Simson wrote:
>> Hi - suppose the office LAN has one open outbound port - say IMAP on
>> port 143.
>>
>> I go home and configure my Linux desktop to run an SSH server on port 143.
>>
>> Now I return to the office and attempt to connect to my machine at home
>> via port 143.
>>
>> Can pfsense be configured to stop the outbound SSH connection on port 143?
>
> Just to clarify, pfsense is the office edge firewall and it's only
> allowing outbound connections to port 143? And you want to continue to
> allow those outbound connections, but not to some ssh server on the
> internet that is listening on that port?

Correct.

> This is easy enough if you know the IP address or block of that ssh
> server. Otherwise, you might have to be a little more clever about it.

I don't know the IP addresses of the SSH servers on the Internet.

-- Cinaed

--
"We are drowning in information and starving for knowledge."
- Rutherford D. Roger
Re: [pfSense Support] question on blocks SSH connections
On Thu, Aug 12, 2010 at 4:29 PM, Cinaed Simson wrote:
> Hi - suppose the office LAN has one open outbound port - say IMAP on
> port 143.
>
> I go home and configure my Linux desktop to run an SSH server on port 143.
>
> Now I return to the office and attempt to connect to my machine at home
> via port 143.
>
> Can pfsense be configured to stop the outbound SSH connection on port 143?

Just to clarify, pfsense is the office edge firewall and it's only allowing outbound connections to port 143? And you want to continue to allow those outbound connections, but not to some ssh server on the internet that is listening on that port?

This is easy enough if you know the IP address or block of that ssh server. Otherwise, you might have to be a little more clever about it.

db