Allow SSH only from internal LAN?

Asked by John Travell

I want to allow an incoming SSH connection from any address on my LAN EXCEPT my router. (I cannot control my router software, so I cannot be certain there are no undocumented vulnerabilities!)

In GUFW I have set a rule to allow SSH inbound in the Home profile, without a specified source IP, and left the Office and Public profiles at default, incoming reject.
(1) Will this expose me to risk if my router gets hacked?
(2) Would a second rule (placed first?) that rejects connections from my router IP address work to achieve this goal (1)?

While possibly implicit in the name, is there a clear statement anywhere that specifies exactly which IP address ranges (relative to the GUFW host) are covered by each profile?

John T.

Question information

Language: English
Status: Expired
For: Ubuntu ufw
Assignee: No assignee
costales (costales) said:
#1

Hi John,
Remember:
  1. You're protected by your router's firewall in the 1st instance.
  2. Your Ubuntu installation by default doesn't listen on any port.
If you keep your Ubuntu updated, you will not have critical
vulnerabilities.

You shouldn't block your router IP, because it's your gateway and any
connected device will get one IP in your LAN, not the router IP
itself.

You should:
  - Filter in your router by MAC for all your devices.
  - With Gufw allow only connections from known IPs.

Best regards.
--
Costales.


John Travell (j0trv) said:
#2

Costales, I think you misunderstand me.
I do know a bit about networks, I should after fixing computers for a living for more than 40 years. I do NOT know the nuances of GUFW...

I do NOT trust my router. I do not trust ANY router that runs proprietary firmware or software. If a router suitable for my network configuration were running open source software I might trust it. These days, in a security context, paranoia reigns supreme.
So:
Occasionally my desktop freezes, cause not yet determined. I can SSH into the box from elsewhere on my LAN and restart the desktop manager. This fixes the freeze.
I will never want to SSH into my desktop from OUTSIDE my LAN, and I want to prevent any possibility of anyone else doing so. It is not enough to disable port forwarding in my router, remember I do not trust it (backdoors?). I also want to disable any SSH connection where my router appears to be the originating node. (I HAVE seen exactly this when network monitoring attempts to break into a machine even more secure than Linux!)
Consequently, I need to keep an SSH port open, listening for connections from other nodes in my network, but excluding my router IP address.
You said - You shouldn't block your router IP - Absolutely YES I MUST.
I am not attempting to block OUTGOING connections, only unsolicited INCOMING connections originating from outside my LAN.
John T.

costales (costales) said:
#3

Hi,

I understand now.

> I will never want to SSH into my desktop from OUTSIDE my lan

I think the only way is to filter by IP: Allow 192.168.1.*

> Consequently, I need to keep an SSH port open, listening for connections
> from other nodes in my network, but excluding my router IP address.

Reject router IP, but this should be the 1st rule! Before the previous
Allow 192.168.1.*

> You said - You shouldn't block your router IP - Absolutely YES I MUST. I
> am not attempting to block OUTGOING connections, only unsolicited INCOMING
> connections originating from outside my lan.

I'm not sure how the traffic will be affected because of this, because all
your traffic will go to your router and return from it... You can test it,
please, if you can, report the result of your tests.

I think open hardware is so important in these times too :)

A hug John.
--
Costales.


John Travell (j0trv) said:
#4

I have not yet fully tested it, but I have a set of rules in place now that I think will achieve my goals. I can SSH to my desktop from other nodes in my LAN, but telnet and rlogin both get rejected.
rule 1. 192.168.0.1 22/tcp REJECT IN 192.168.0.1 22/tcp Router
rule 2. 22/tcp on enp2s0 LIMIT IN 22/tcp SSH
rule 3. (same as rule 2 except for IPv6)

So far, all normal internet traffic seems to work without hindrance, and to fully test it I need to temporarily set a port 22 forward in my router, then see if I get the desired reject when I try to connect from outside my LAN.

> I'm not sure how the traffic will be affected because of this, because
> all your traffic will go to your router and return from it...
While true, modern routers are switches, not hubs, and have dynamic internal routing tables to route normal traffic via the specific port the target IP is on. At the hardware level the traffic is actually MAC address to MAC address, so internal traffic should never be seen as originating from the router.
Outgoing traffic, and the returns from it, go to and from the gateway IP, which is normally part of the router, so is distinct from internal traffic.
For what it is worth, I used to have a couple of VMS workstations on my LAN, running several public services, and recorded many attempts to hack in, mostly with username Administrator, including attempts to spoof the source IP to match the then router... but those machines went back when I retired.

John T.
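
The rule ordering discussed in post #3 (reject the router first, then allow the LAN) and the three rules posted in post #4 can be checked without touching a live firewall. The script below is an added example, not code from ufw or Gufw: it models ufw's first-match evaluation, flags a later rule that an earlier one shadows (the "placed first?" question from the original post), and prints the equivalent `ufw` command lines. The interface enp2s0 and the router address 192.168.0.1 are taken from the rules in post #4; the LAN prefix 192.168.0.0/24 and every sample source address are assumptions, and the "packets" are constructed for the demonstration.

```python
"""Model of ufw first-match evaluation for the "SSH from LAN, not from the router" rule set.

Added example, not code from ufw or Gufw. Assumed values: the LAN prefix
192.168.0.0/24 and the sample source addresses below; enp2s0 and 192.168.0.1
come from the rules posted in the thread.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Rule:
    """One inbound ufw rule: action, source network, TCP/UDP port, optional interface."""

    def __init__(self, action: str, src: str, port: int,
                 proto: str = "tcp", iface: Optional[str] = None):
        self.action = action          # allow | limit | reject | deny
        self.src = ip_network(src)    # a bare host address such as "192.168.0.1" becomes a /32
        self.port = port
        self.proto = proto
        self.iface = iface            # None matches any interface

    def matches(self, src_ip: str, port: int, proto: str, iface: str) -> bool:
        addr = ip_address(src_ip)
        return (port == self.port and proto == self.proto
                and (self.iface is None or iface == self.iface)
                and addr.version == self.src.version and addr in self.src)

    def ufw_command(self) -> str:
        """The ufw CLI line for this rule (syntax from ufw's manual page)."""
        on = f" on {self.iface}" if self.iface else ""
        return (f"ufw {self.action} in{on} proto {self.proto} "
                f"from {self.src.with_prefixlen} to any port {self.port}")


def evaluate(rules: List[Rule], src_ip: str, iface: str,
             port: int = 22, proto: str = "tcp", default: str = "deny") -> str:
    """ufw applies the first matching rule; otherwise the default incoming policy."""
    for rule in rules:
        if rule.matches(src_ip, port, proto, iface):
            return rule.action
    return default


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(later, earlier) index pairs where the earlier rule always matches first:
    same port and protocol, earlier interface is any or the same, and the earlier
    source network contains the later one. A shadowed reject never fires."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            earlier = rules[j]
            if (earlier.port == later.port and earlier.proto == later.proto
                    and earlier.iface in (None, later.iface)
                    and earlier.src.version == later.src.version
                    and later.src.subnet_of(earlier.src)):
                found.append((i, j))
                break
    return found


def ufw_commands(rules: List[Rule]) -> List[str]:
    return [r.ufw_command() for r in rules]


IFACE, ROUTER, LAN = "enp2s0", "192.168.0.1", "192.168.0.0/24"   # LAN prefix assumed

# The three rules as posted: reject the router, then rate-limited SSH from any
# IPv4 or IPv6 source that arrives on enp2s0.
POSTED = [Rule("reject", ROUTER, 22, iface=IFACE),
          Rule("limit", "0.0.0.0/0", 22, iface=IFACE),
          Rule("limit", "::/0", 22, iface=IFACE)]

# Same idea with the source narrowed to the LAN prefix, as post #3 suggests.
TIGHTENED = [Rule("reject", ROUTER, 22, iface=IFACE),
             Rule("limit", LAN, 22, iface=IFACE)]

# The ordering mistake post #3 warns about: the LAN allow placed before the reject.
WRONG_ORDER = [TIGHTENED[1], TIGHTENED[0]]

if __name__ == "__main__":
    # Constructed sample sources: a LAN host, the router, a WAN host whose
    # connection the router forwarded unchanged, and an IPv6 host.
    samples = ("192.168.0.20", ROUTER, "203.0.113.5", "2001:db8::1")
    for name, rules in (("posted", POSTED), ("tightened", TIGHTENED),
                        ("wrong order", WRONG_ORDER)):
        print(f"== {name}: shadowed rules = {shadowed(rules)}")
        for cmd in ufw_commands(rules):
            print("   ", cmd)
        for src in samples:
            print(f"   {src:>16} on {IFACE}: {evaluate(rules, src, IFACE)}")
        print(f"   {'192.168.0.20':>16} on wlan0:  {evaluate(rules, '192.168.0.20', 'wlan0')}")
```

Two things the model makes visible. First, with the allow placed before the reject, `shadowed()` reports the reject as unreachable and the router's address is accepted; the order costales insisted on is the only one that works, and `ufw status numbered` on the real host shows the order ufw will use. Second, the posted rule 2 has no source restriction, so a port forward that preserves the original WAN source address is still accepted (rate-limited) by it; only the variant restricted to the LAN prefix drops it, which is the case the planned port-22 forward test would exercise. The model treats `limit` as an accept because in ufw it is an allow with connection rate limiting, and it ignores connection tracking and ufw's separate IPv4 and IPv6 tables.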

costales (costales) said:
#5

I would recommend you ask the ufw project too (in Launchpad). Jaime
could give you more technical information :)
--
Costales.

John Travell (j0trv) said:
#6

Thanks costales, that solved my question.

costales (costales) said:
#7

Jamie, could you give us your opinion? Thanks!

costales (costales) said:
#8

Moving to ufw

Launchpad Janitor (janitor) said:
#9

This question was expired because it remained in the 'Needs information' state without activity for the last 15 days.