I was able to get issue #1 resolved by disabling the rule "External Secure Shell Server" listed under Firewalls > Sidewinder > Policy > Rules > Administration
However, issue #2 still exists, so I think there is a problem with the rule I've set up. I'll continue to work on this and update the ticket with the resolution if I'm able to figure it out on my own.
Issue #2 has now been resolved as well.
The problem was actually with the Inspection, as it should have been set to "default (ssh)" and the level set to the one in the middle.
Everything is now working.
Hopefully somebody else with a similar problem will find this helpful to them.
You haven't mentioned which Firewall version you are running so my reply is going to be a little generic.
You were correct in the fact that the external SSH server rule was getting in the way of your attempts to connect to the SFTP server. However, while you've now fixed it so that the SFTP service is working you won't be able to SSH to the Firewall any more. So, in essence, you've broken one thing in order to make the other thing work.
The reason why it got in the way in the first place is because the SSH server process, by default, binds to the target interface in such a way that it listens on all available IP addresses. To overcome this problem you can use the file editor to open the /etc/ssh/sshd_config file. Near the top of the file you'll find a section which looks like this:-
If you change it so that it refers to a specific external IP address on the firewall:-
you will then be able to use the SSH proxy service in tandem with the SSH server by bringing the SFTP connection in via an alias IP address on the Firewall.
Though you haven't mentioned it, you also have the ability (using an SSH Application Defense entry) to control the SFTP connections through the Firewall so that you can stop external users from doing something like deleting files or directories on the SFTP server. Though I haven't looked at it in great depth you may also find that the correct use of the SSH application defense may fix problem #2. Certainly looking at your access rule definition, I can't see anything fundamentally wrong with it.
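As an added illustration of the binding problem Phil describes (this is not part of the thread and not Sidewinder-specific code), the script below audits an OpenSSH sshd_config for the ListenAddress directive: with no uncommented ListenAddress line, sshd listens on every address, which is what lets the firewall's own SSH server capture connections meant for an SFTP proxy rule on an alias address. The two sample config files, the 192.0.2.1 address and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the forum thread or the firewall vendor.
# Assumes OpenSSH sshd_config syntax; sample configs and addresses below are constructed.

# Print the effective (uncommented) ListenAddress values from a config file.
# With none present, OpenSSH's default is to listen on all addresses.
sshd_listen_addresses() {
    cfg="$1"
    addrs=$(grep -Ei '^[[:space:]]*ListenAddress[[:space:]]+' "$cfg" | awk '{print $2}')
    if [ -z "$addrs" ]; then
        echo "0.0.0.0"
        echo "::"
    else
        echo "$addrs"
    fi
}

# Return 0 if sshd is pinned to specific addresses, 1 if any wildcard bind remains.
sshd_is_pinned() {
    for a in $(sshd_listen_addresses "$1"); do
        case "$a" in
            0.0.0.0|::|0.0.0.0:*|\[::\]:*) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs: the stock file (directives commented out, so
# sshd binds everywhere) and one pinned to a single external address.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/wildcard.conf" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
EOF
cat > "$tmpdir/pinned.conf" <<'EOF'
Port 22
ListenAddress 192.0.2.1
EOF

for f in wildcard.conf pinned.conf; do
    if sshd_is_pinned "$tmpdir/$f"; then
        echo "$f: sshd pinned to $(sshd_listen_addresses "$tmpdir/$f" | tr '\n' ' ')"
    else
        echo "$f: sshd listens on all addresses; an SSH/SFTP proxy rule on an alias address will collide"
    fi
done
```

Running it prints one line per sample file; the wildcard.conf case is the configuration Phil's post says to change, and pinned.conf is the shape of the fix, leaving the alias address free for the SSH proxy rule.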
Thanks Phil, this is some great information. I'm going to look into what you've said and see about getting things set up so that everything will work.
I appreciate your assistance in this issue.