SFTP being blocked outgoing
I have an issue where on my server sftp is being allowed in but from the server I cannot go out.
I have modified the packet filter to allow this.
The rules I have added are as follows
SFTP Incomming
Protocol: TCP Source Port: Any Destination Port: 22 Source IP Add: Any Ip Address Source Mask: 0.0.0.0 Desination IP Address: My IP Address Destination Mask: 255.255.255.255
SFTP Outgoing
Protocol: TCP Source Port: 22 Destination Port: Any Source IP Add: My Ip Address Source Mask: 255.255.255.255 Desination IP Address: Any IP Address Destination Mask: 0.0.0.0
I have disabled my cisco box that was allowing port 22 and TCP anyway.
I cant see what is blocking it but guessing it may be the destination mask or source mask.
Your firewall rules look fine for the server part. If the issue is that, from the server machine (which you'd be using as a client for this purpose), you're trying to connect to a remote SFTP (SSH) server, you firewall rules are wrong.
Making an outgoing SFTP connection doesn't mean that the source port is going to be 22 (in fact, it's very unlikely, more so if there's already a server running on that port). The destination port is also going to be 22, but the source port is going to be something usually random (or not too random but within a different range, unused by the server ports in general, let's say > 10000). For outgoing connections, your first rule would still apply, but it would need a different destination mask.
The problem then is that if you allow something like this:
Protocol: TCP
Source Port: Any
Destination Port: 22
Source IP Add: Any
Ip Address Source Mask: 0.0.0.0
Desination IP Address: My IP Address
Destination Mask: 0.0.0.0
You're opening all your ports to anyone who's able to tweak their client to come from a port 22, which isn't good. What you'd want is to allow only new and established incoming connections to port 22.
To be honest, I'm not sure how this works in Windows, but this is what NEW
, ESTABLISHED
and RELATED
are for in iptables
on Linux.
If you mean that for outgoing traffic the server is acting as a client then your outgoing rule is wrong, as Bruno stated in his answer. When acting as a client, the server will use an ephemeral port on it's end and connect to the remote server on the remote server's port 22. If this is what you meant then you need to reverse your source and destination ports in your outbound rule. The source should be any port and the destination should be port 22.