I am trying to block SSH coming in, but would like to use sftp on a linux server to push files to one of our clients. I have the below config right now:
allow TCP any any to the destination IP any port
deny port 23
deny port 22
Any help is appreciated,
Hi Wally, inbound connections are blocked by default unless the session was initiated by a client behind the MX. The SFTP you mentioned, can you explain the flow from the client to the server? Is that server external?
The server is internal, and the client initiates the sftp connection to the remote host, the remote host accepts the packets. It should be that simple.
If I remove the Layer 7 block SSH rule it works, but then my servers get pounded with attempted logins lol
Sounds like it's internal to internal via different VLANs. You could create an Allow rule to allow a specific host or specific host subnet access on those ports to the SFTP server via a FW rule:
And then another rule below it to block all other SFTP traffic to that particular server.
Sorry about the confusion. Our server is pushing the SFTP out to a client server not on our network. The thing is, it works when the Layer 7 "block port 22" rule is off.
Makes sense, if that is the only client you want to allow access then you can create an Allow firewall rule specific to that client -> SFTP server. Then deny 22 from any other clients to the SFTP.
That's how I would like to do it, but I can't seem to find where I can create allow rules, only deny. I know I'm missing something simple, but can't find where it is.
Those are the outbound rules, and I have them set:
The inbound ssh seems to be blocking it. If I turn off this rule it works fine.
I have set up NAT and port rules trying to get through it, but I can't seem to poke any holes in the inbound rules.
Sorry for the confusion, I was not aware this was an external to internal flow. The firewall rules dictate outbound communication, while inbound is blocked by default unless it is part of an inside->outside session. To specify inbound access you would need to create a port-forwarding or 1:1 NAT rule and then specify the connections you want to allow access.
The port 22 and 23 rules you have in the L7 view above are blocking all 22/23 OUTBOUND. Here is a document that describes the inbound rules and how FW traffic flows:
Blocking Inbound Traffic:
Port Forwarding and NAT Rules:
You do realise that SFTP runs over (or through) SSH? An SSH session is first established, and then FTP is run through that SSH session.
So you must allow SSH if you want to allow SFTP.
The layer 7 rules you have are really layer 3 rules. You could configure them all in the layer 3 firewall.
Do you have a port forward configured for port 22? You can configure the list of allowed hosts there.
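The advice in the thread comes down to rule ordering on a first-match firewall: put a specific allow (this server to this client on TCP 22) above the general "deny 22", and note that an "allow any" sitting above the deny rules shadows them completely. The following is an added example written for this page, not Meraki code or anything posted by the participants; it is a small first-match evaluator plus a shadow check, and every IP address in it is constructed for illustration.

```python
"""First-match firewall rule evaluation and shadowed-rule detection.

Added example for this thread; not Meraki dashboard code. All addresses
(203.0.113.10, 10.0.5.20, 198.51.100.7) are constructed documentation values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _net_match(cidr: str, ip: str) -> bool:
    """Does a rule's address field ("any" or a CIDR) cover this host?"""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _net_covers(outer: str, inner: str) -> bool:
    """Does every address matched by `inner` also match `outer`?"""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("any", flow.proto)
            and _net_match(rule.src, flow.src)
            and _net_match(rule.dst, flow.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow,
             default: str = "allow") -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that decided). First match wins;
    index None means no explicit rule matched and the default applied."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, i
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matches
    every flow they match (same or wider proto, src, dst and port)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and _net_covers(earlier.src, later.src)
                    and _net_covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(i)
                break
    return out


# Outbound rule set as posted: allow-any first, so the deny rules are dead.
POSTED = [
    Rule("allow", "tcp", "any", "any", None),
    Rule("deny",  "tcp", "any", "any", 23),
    Rule("deny",  "tcp", "any", "any", 22),
]

# Ordering the thread recommends: one specific allow above a general deny.
SFTP_SERVER_LAN = "10.0.5.20"      # constructed internal server address
CLIENT_SFTP_HOST = "203.0.113.10"  # constructed external client address
RECOMMENDED = [
    Rule("allow", "tcp", SFTP_SERVER_LAN + "/32", CLIENT_SFTP_HOST + "/32", 22),
    Rule("deny",  "tcp", "any", "any", 22),
    Rule("deny",  "tcp", "any", "any", 23),
]

# Constructed sample flows: the wanted SFTP push, SSH to some other host, HTTPS.
SFTP_PUSH     = Flow("tcp", SFTP_SERVER_LAN, CLIENT_SFTP_HOST, 22)
SSH_ELSEWHERE = Flow("tcp", SFTP_SERVER_LAN, "198.51.100.7", 22)
HTTPS_OUT     = Flow("tcp", SFTP_SERVER_LAN, "198.51.100.7", 443)

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("recommended", RECOMMENDED)):
        print(name, "shadowed:", shadowed_rules(rules))
        for flow in (SFTP_PUSH, SSH_ELSEWHERE, HTTPS_OUT):
            print("  ", flow.dst, flow.dport, "->", evaluate(rules, flow))
```

Running it shows the posted order allows everything (rules 1 and 2 are reported as shadowed by the allow-any above them), while the recommended order lets only the one server-to-client SFTP session out on 22, denies SSH to anyone else, and falls through to the default for unrelated traffic. Because SFTP is carried inside SSH, this single TCP 22 rule is the whole of what needs to be opened for the push.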