I am trying to block SSH coming in, but would like to use sftp on a Linux server to push files to one of our clients. I have the below config right now:
Layer 3 allow TCP any any to the destination IP any port
Hi Wally, inbound connections are blocked by default unless the session was initiated by a client behind the MX. The SFTP you mentioned, can you explain the flow from the client to the server? Is that server external?
The server is internal, and the client initiates the sftp connection to the remote host, the remote host accepts the packets. It should be that simple.
If I remove the Layer7 block ssh rule it works, but then my servers get pounded with attempted logins lol
Sounds like it's internal to internal via different VLANs. You could create an Allow rule to allow a specific host or specific host subnet access on those ports to the SFTP server via a FW Rule:
Example:
And then another rule below it to block all other SFTP traffic to that particular server.
Sorry about the confusion. Our server is pushing the sftp out to a client server not on our network. The thing is it works when the layer 7 block port 22 is off.
Makes sense, if that is the only client you want to allow access then you can create an Allow firewall rule specific to that client -> SFTP server. Then deny 22 from any other clients to the SFTP.
That's how I would like to do it, but I can't seem to find where I can create allow rules, only deny. I know I'm missing something simple, but can't find where it is.
Sorry for the confusion, I was not aware this was an external to internal flow. The Firewall rules dictate outbound communication while inbound is blocked by default unless part of an inside->outside session. To specify inbound access you would need to create a port-forwarding or 1:1 NAT rule and then specify the connections you want to access.
The port 22 and 23 rules you have in the L7 view above are blocking all 22/23 OUTBOUND. Here is a document that describes the inbound rules and how FW traffic flows:
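Added illustration, not from the thread and not the MX's real rule engine: a simplified model of the behaviour described above (outbound rules evaluated top to bottom with session tracking, inbound dropped unless it is the return half of an inside->outside session). The L7 "block SSH" rule is modelled as a TCP/22 deny, and all addresses are constructed. It shows why the outbound push fails with the block in place, and that unsolicited inbound SSH is dropped with or without it.

```python
from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (not taken from the thread).
SFTP_SERVER = "10.0.0.10"      # internal Linux server behind the MX
CLIENT_HOST = "203.0.113.25"   # the customer's external SFTP host
OTHER_HOST = "198.51.100.7"    # any other Internet host

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: Optional[int] # None = any TCP port

def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)

def outbound(rules: list, sessions: set, src: str, dst: str, dport: int) -> bool:
    """Inside->outside packet: first matching rule wins; an allow records the
    session. No match is treated as deny (an assumption of this toy model)."""
    for r in rules:
        if _in(r.src, src) and _in(r.dst, dst) and r.dport in (None, dport):
            if r.action == "allow":
                sessions.add((src, dst, dport))
            return r.action == "allow"
    return False

def inbound(sessions: set, src: str, dst: str, sport: int) -> bool:
    """Outside->inside packet: passes only as the reply to a recorded session."""
    return (dst, src, sport) in sessions

L3_ALLOW_ANY = Rule("allow", "any", "any", None)  # the poster's Layer 3 rule
L7_BLOCK_SSH = Rule("deny", "any", "any", 22)     # the L7 "block SSH" rule, modelled on TCP/22

def current_config() -> dict:
    sessions = set()
    rules = [L7_BLOCK_SSH, L3_ALLOW_ANY]
    return {"sftp_push": outbound(rules, sessions, SFTP_SERVER, CLIENT_HOST, 22),
            "unsolicited_ssh_in": inbound(sessions, OTHER_HOST, SFTP_SERVER, 51000)}

def proposed_config() -> dict:
    sessions = set()
    # Specific allow for the one client above the deny, then the existing rules.
    rules = [Rule("allow", SFTP_SERVER, CLIENT_HOST, 22), L7_BLOCK_SSH, L3_ALLOW_ANY]
    return {"sftp_push": outbound(rules, sessions, SFTP_SERVER, CLIENT_HOST, 22),
            "sftp_reply": inbound(sessions, CLIENT_HOST, SFTP_SERVER, 22),
            "other_ssh_out": outbound(rules, sessions, SFTP_SERVER, OTHER_HOST, 22),
            "unsolicited_ssh_in": inbound(sessions, OTHER_HOST, SFTP_SERVER, 51000)}
```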