-2

I have a private network set up on a static IP, and I have configured my router at 192.168.1.1 to forward port XX to port 22 on my local server in order to allow ssh access. I am able to ssh in just fine with this configuration, but then I got to thinking: why am I allowed to do this? I am fairly new to firewalld, but I found out that I can type `sudo firewall-cmd --list-all-zones` in order to see the various ports and services I have open in each of the zones.

However, to my dismay, even after removing the ssh service from all zones and removing port 22 completely, I am still able to ssh to my local server over the internet by typing `ssh -p XX paul@xxx.xxx.xx.xxx`.

I tried googling "how to completely disable ssh access using firewalld", but all of the results are referring to blocking the service except for one or a few specific IPs. In order to test the security of my network, I want to be able to completely disallow ssh access to my server. But given that port 22 and the ssh service are completely absent from my firewalld config, how come the firewall isn't working? Why am I still able to ssh in?

EDIT: here is the output when I type `sudo firewall-cmd --list-all-zones`:

```text
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s25 wlp3s0
  sources:
  services:
  ports: 8545/tcp 5001/tcp 33/tcp
  protocols: tcp udp
  masquerade: no
  forward-ports:
  source-ports: 5001/tcp
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

As you can see, the ssh service should not be available in any of my zones. And yet it works just fine. I assume that there is some assumption that port 22 is open by default, even though it is not explicit? Or am I missing something?

-Paul

  • What commands did you run to disable it? Also, keep in mind that if you block SSH completely, you won't be able to connect to the server locally either. – guzzijason Sep 17 '18 at 00:28
  • Actually the "Server" I'm referring to is a linux laptop, so I can still log into it manually. I disabled all of the ssh services using the GUI (in "permanent" mode). I removed ssh from all of my "zones", rebooted, and double checked that ssh was completely removed from all zones. I do still see the ssh service under the "services" tab, but I do not see any way of deleting it. – Paul Sep 17 '18 at 00:40
  • why the downvote? – Paul Sep 17 '18 at 00:41
  • I guess the larger question is, if `firewall-cmd --list-all-zones` is not inclusive of all open ports and can potentially be overridden, then where can I see the actual comprehensive list of ports/protocols/services that are open? – Paul Sep 17 '18 at 01:03
  • `firewall-cmd` should be showing you the definitive list. Offhand, I'm not sure why it wouldn't. – guzzijason Sep 17 '18 at 01:17

2 Answers

2

Frequently, "user-friendly" tools such as firewalld/`firewall-cmd` and also ufw will only display rule-sets that are created and managed by that tool.

The tools typically won't display additional rules that are inserted directly into the running firewall configuration, either by running iptables commands directly (with `iptables-restore` at boot, from a script, or manually with `iptables`), or rules generated by other tools (for instance, docker can publish ports, and fail2ban will add rules to block ports).

You usually spot such occurrences by dumping the full rule-sets with `iptables-save` or with `iptables -L -v -n` and maybe `iptables -L -v -n -t nat`.
For instance, using firewalld I would normally expect the port for ssh to get managed by firewalld in, for instance, the `IN_public_allow` chain, and thus a rule in the `INPUT` chain for port 22 would be a red flag.

HBruijn
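A check along the lines the answer above describes, as an added example that is not part of the answer or of firewalld: it parses `iptables-save` output and prints every ACCEPT/DNAT rule that would let TCP traffic to a given port through, tagging each as managed or unmanaged by an assumed naming pattern for firewalld's zone chains (`IN_`/`OUT_`/`FWDI_`/`FWDO_`). It goes one step beyond the text by also flagging protocol-wide accepts (`-p tcp -j ACCEPT` with no `--dport`), which admit port 22 without ever naming it. The ruleset is a constructed sample; the `10.0.0.5` host, the `203.0.113.9` address and the `f2b-sshd` chain are made up.

```shell
#!/bin/sh
# Constructed iptables-save sample (not from a real host): firewalld zone chains
# plus rules that `firewall-cmd --list-all-zones` would never display.
SAMPLE_RULES='# constructed sample
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.5:22
COMMIT
*filter
:INPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:IN_public_allow - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT_direct -p tcp -m tcp --dport 22 -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8545 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -j ACCEPT
-A f2b-sshd -s 203.0.113.9/32 -j REJECT
COMMIT'

# Reads iptables-save output on stdin and prints "<table> <tag> <rule>" for every
# ACCEPT/DNAT rule that would pass TCP traffic to port $1: either an explicit
# --dport match or a protocol-wide "-p tcp" rule with no port match at all.
# The managed/unmanaged tag uses an assumed heuristic for firewalld zone chains.
port_exposure() {
  awk -v port="$1" '
    /^\*/ { table = substr($0, 2); next }   # remember the current table
    $1 != "-A" { next }                     # only rule lines matter
    {
      chain = $2; proto = ""; dport = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i+1)
        if ($i == "--dport") dport = $(i+1)
        if ($i == "-j") target = $(i+1)
      }
      if (target != "ACCEPT" && target != "DNAT") next
      if (proto != "tcp") next
      if (dport != "" && dport != port) next   # explicitly about another port
      tag = (chain ~ /^(IN|OUT|FWDI|FWDO)_/) ? "managed" : "unmanaged"
      print table, tag, $0
    }'
}

# Number of matching rules that firewalld did not place in a zone chain.
count_unmanaged() {
  printf '%s\n' "$SAMPLE_RULES" | port_exposure "$1" | awk '$2 == "unmanaged" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_RULES" | port_exposure 22
```

On a live host, replace the sample with `sudo iptables-save | port_exposure 22`; the rule in the builtin `INPUT` chain, the `INPUT_direct` rule and the nat-table DNAT are exactly the kind of entries `--list-all-zones` keeps quiet about.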
0

I ended up getting the expected behavior by using ufw instead of firewalld. Upon running `sudo systemctl stop firewalld && sudo ufw enable && sudo reboot`, I was no longer able to ssh into that machine. But, after running `sudo ufw allow ssh`, it started working again, as expected.

Paul