Thursday, August 6, 2009

Secure remote firewall administration via SSH

Most firewall systems contain a Web-based component that allows you to configure the firewall. This holds true for most entry-level firewall systems (Linksys, D-Link, etc.) and also open source firewall systems such as pfSense. These systems tend to provide ways to access the Web interface remotely via the Internet; however, this should not be considered secure at all.

Instead, if there is a system on the inside of the network that you can forward a port to for SSH, you can then SSH into the box and use TCP forwarding to get to the firewall via the inside of the network. This has the advantage of authentication and strong encryption. If the remote firewall has SSH running on it, you do not even need another internal system to SSH into; just SSH into the firewall itself.

On the remote system, edit ~/.ssh/config and add an entry similar to the following:

Host remotefw


User admin

Port 522

LocalForward 8888

This allows you to execute ssh remotefw on the command-line to connect to the host as the user “admin,” on port 522. It will also forward connections on the local system’s port 8888 to port 80 on the remote system (the firewall). Note that the user to connect as (admin) is not for the firewall; this is the SSH, or local, user on the remote system.

Now point your browser to connect to (use https if the firewall requires it). You should be prompted for the credentials to get into the Web-based configuration utility.

Once you are finished working with the firewall configuration, simply close the browser window and exit the SSH session.

If this does not work, chances are the remote SSH server has TCP forwarding disabled. You will need to connect to the remote system and, as root, enable the AllowTcpForwarding keyword and restart sshd.

The advantages to using TCP forwarding over SSH to access remote firewalls, instead of enabling and using remote administration in the firewall itself, should be self-evident. Using SSH, you can restrict access to users able to SSH in, and with the use of key-based authentication, brute password attempts to break in are non-existent. As well, it provides more security due to the SSH encryption.

I use this method of remote firewall configuration quite often. It allows me to configure remote pfSense firewalls for clients, and even the remote Linksys firewall at my mother’s house (of course, she is also using Fedora at home, and I can remotely SSH in to access the firewall). The only pre-requisites are that the firewall forwards a port for SSH to a system on the remote network and that you have appropriate credentials to log in.



Anonymous said...

I would like to exchange links with your site
Is this possible?

Anonymous said...

Nice post and this enter helped me alot in my college assignement. Thanks you on your information.

Anonymous said...

For the help please use

Abhiz said...

I am fine people like you encouraged me to write ..Thanks alot for your comments.I will keep writing.