D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: obeiro on July 20, 2010, 03:54:47 AM
-
Hi,
I am trying to debug why SSH traffic is not been forwarded by DFL-800 to my Linux router.
Same basic info as previous thread: http://forums.dlink.com/index.php?topic=13886.msg81487#msg81487
Here's my scenario.
* DFL-800 Firewall - WAN1: Public IP - LAN: Private IP:10.0.0.254 Subnet: 10.0.0.252/30
Default config. Just added two IP rules to let all traffic flow to the network appliance at 10.0.0.253
# Name Action Source interface Source network Destination interface Destination network Service
1 allow_all_tcpudp_sat SAT any all-nets core wan1_ip all_tcpudp
2 allow_all_tcpudp_nat NAT any all-nets core wan1_ip all_tcpudp
* The Network appliance (IPBrick) is a Linux box which handles VPN, VoIP, email and fax, and works as the main firewall. Unfortunately it doesn't support WAN load balancing or failover (that's why we need the DFL-800).
eth0 IP: is 10.0.0.253 and eth1 IP 192.168.0.254 in our LAN Subnet 192.168.0.0/24
Using snort at the Linux box, I've found that even a single SSH packet can't reach it at port 22. OpenVPN is working fine and snort shows it at port 1194.
So I'd like to get some advice from you to:
- Log specific traffic to a port (i.e. TCP 22)
- Whatever conf changes I may need to allow SSH traffic.
Thanks in advance
-
Change the SSH port of your firewall itself; it can't forward traffic destined for the ports it is remotely managed through, as long as the "before rules" setting for that UI is in effect.
-
Hi Fatman,
I've looked through the manual for that setting but couldn't find it.
At System -> Remote Management -> Advanced settings, is possible to change HTTP and HTTPS port, but not SSH.
I've tried unchecking SSH Before Rules, but it didn't work as expected.
Thank you.
-
The port for SSH remote management is set on the SSH management item.
You can make special rules (SAT + NAT) for SSH and log them, or you can capture packets with the pcapdump command in the console.
-
Hi,
It's working now (thank you :)), but have a new problem :(.
What I've done step by step.
- System -> Remote Management -> Advanced setting -> Uncheck SSH Before rules (thank you fatman)
- New wan1_ton_lan rule:
- # Name Action Source interface Source network Destination interface Destination network Service
1 allow_ssh2_sat SAT any all-nets core wan1_ip ssh2 - Action: SAT - Service: ssh2 (set to another port, 9922)
- Log settings tab -> Checked Enable Logging - Severity: Debug
- SAT tab -> Destination IP -> New IP Address: (SSH server) - New Port: 22
So it's not working as I wished (using port 22), but it's working, so that's ok.
Now I can't access DFL800 using SSH. I guess I need a new IP rule to point ssh traffic to the DFL. Am I wrong? What's that rule?
Thank you!
-
Just one SAT rule will not work. Add an Allow/NAT rule with the same source/destination/service.
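A simplified model of the packet path the replies describe (an added illustration, not NetDefendOS code or anything from D-Link or the posters): remote management "before rules" grabs its port first, a SAT rule only rewrites the destination, and a matching NAT/Allow rule still has to pass the packet. The public address 203.0.113.1 and the rule names are constructed stand-ins.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                 # "SAT", "NAT" or "Allow"
    dst_ip: str
    dst_port: int
    sat_target: tuple = None    # (new_ip, new_port), SAT rules only

@dataclass
class Firewall:
    wan1_ip: str
    mgmt_ssh_port: int = 22
    ssh_before_rules: bool = True
    rules: list = field(default_factory=list)

    def handle(self, dst_ip, dst_port):
        """Fate of a TCP packet arriving on wan1: 'mgmt', 'forward:ip:port' or 'drop'."""
        # 1. With "SSH before rules" on, the management port is taken before any IP rule.
        if self.ssh_before_rules and (dst_ip, dst_port) == (self.wan1_ip, self.mgmt_ssh_port):
            return "mgmt"
        hit = [r for r in self.rules if (dst_ip, dst_port) == (r.dst_ip, r.dst_port)]
        sat = next((r for r in hit if r.action == "SAT"), None)
        # 2. A SAT rule only rewrites the destination; a NAT/Allow rule must still pass it.
        if not any(r.action in ("NAT", "Allow") for r in hit):
            return "drop"
        if sat:
            return "forward:%s:%d" % sat.sat_target
        # 3. Not translated and on the management port: this is the firewall's own SSH.
        return "mgmt" if dst_port == self.mgmt_ssh_port else "forward:%s:%d" % (dst_ip, dst_port)

WAN1 = "203.0.113.1"   # constructed public address standing in for the real wan1_ip

def thread_scenarios():
    """Replay the states the thread goes through; returns {scenario: outcome}."""
    sat22 = Rule("allow_ssh2_sat", "SAT", WAN1, 22, ("10.0.0.253", 22))
    nat22 = Rule("allow_ssh2_nat", "NAT", WAN1, 22)
    out = {}
    fw = Firewall(WAN1, rules=[sat22, nat22])              # before-rules still on
    out["before_rules_on"] = fw.handle(WAN1, 22)
    fw = Firewall(WAN1, ssh_before_rules=False, rules=[sat22])
    out["sat_only"] = fw.handle(WAN1, 22)
    fw = Firewall(WAN1, ssh_before_rules=False, rules=[sat22, nat22])
    out["sat_plus_nat"] = fw.handle(WAN1, 22)
    # Moving the firewall's own SSH to another port and allowing it restores WAN management.
    fw.mgmt_ssh_port = 9922
    fw.rules.append(Rule("allow_mgmt_ssh", "Allow", WAN1, 9922))
    out["mgmt_moved_to_9922"] = fw.handle(WAN1, 9922)
    return out
```

The "sat_plus_nat" outcome is also why the DFL stops answering SSH from the WAN once port 22 is forwarded: the same port cannot both be translated to the inside box and serve the firewall's own management.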
-
Just one SAT rule will not work. Add an Allow/NAT rule with the same source/destination/service.
Well, it works, as I can access DFL from our LAN, and Linux Box, both from our LAN and WAN.
It's funny how I can't access the DFL from the WAN.
-
I think it's because you already use port 22 for your internal server? Add SSH remote management from the WAN with a different port.
-
Thank you!