Netgate Discussion Forum

    [Solved] Why do I see ssh warnings for traffic that should be firewalled?

    • ryan87

      I have a firewall with SSH access allowed on the WAN, but only for a limited set of hosts that are defined as an alias. I upgraded it to 2.4.4_1 a few days ago and now I see a bunch of log messages that don't seem right:

      logs

      Here are my firewall rules on the WAN:

      wan-rules

      I don't think the IP I highlighted in the log should even be allowed to hit the SSH daemon. It's not in my Admin_Hosts aliases. Can anyone explain why that IP is even allowed to make an attempt?

      • KOM

        Are you running an IDS like Snort, Suricata or pfBlockerNG?

        • ryan87

          @KOM No, but, after comparing it to similar configs, I tracked it down to a floating firewall rule (used for traffic shaping) that had a Pass action instead of a Match action.

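The check below is an added example, not part of the original posts: it scans a pfSense configuration export for the condition the last post describes, a floating rule that assigns a traffic-shaping queue but uses a Pass action instead of Match. The embedded config is constructed, and the element names (`floating`, `type`, `defaultqueue`, `disabled`, `descr`, `interface`) are assumptions about the config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from the thread. Element names are the assumed
# pfSense config.xml layout for firewall rules.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule>
    <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><address>Admin_Hosts</address></source>
    <destination><network>wanip</network><port>22</port></destination>
    <descr>SSH from admin hosts (constructed)</descr>
  </rule>
  <rule>
    <type>pass</type><interface>wan</interface><floating>yes</floating>
    <quick>yes</quick><direction>any</direction><protocol>tcp</protocol>
    <source><any/></source><destination><any/></destination>
    <defaultqueue>qACK</defaultqueue>
    <descr>Shaper TCP, Pass action (constructed)</descr>
  </rule>
  <rule>
    <type>match</type><interface>wan</interface><floating>yes</floating>
    <direction>out</direction><protocol>udp</protocol>
    <source><any/></source><destination><any/></destination>
    <defaultqueue>qVoIP</defaultqueue>
    <descr>Shaper VoIP, Match action (constructed)</descr>
  </rule>
</filter></pfsense>"""


def floating_pass_shaper_rules(config_xml):
    """Return enabled floating rules that assign a queue but use Pass, not Match."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("floating") != "yes":
            continue  # ordinary interface-tab rule, not a floating rule
        if rule.find("disabled") is not None:
            continue  # skipped: rule is marked disabled
        queue = rule.findtext("defaultqueue")
        if queue and rule.findtext("type") == "pass":
            findings.append({
                "descr": rule.findtext("descr", default=""),
                "interface": rule.findtext("interface", default=""),
                "queue": queue,
            })
    return findings


if __name__ == "__main__":
    for f in floating_pass_shaper_rules(SAMPLE_CONFIG):
        print(f"floating Pass rule on {f['interface']} -> queue {f['queue']}: {f['descr']}")
```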