[Solved] Why do I see ssh warnings for traffic that should be firewalled?



  • I have a firewall with SSH access allowed on the WAN, but only for a limited set of hosts that are defined as alias. I upgraded it to 2.4.4_1 a few days ago and now I see a bunch of log messages that don't seem right:

    logs

    Here are my firewall rules on the WAN:

    wan-rules

    I don't think the IP I highlighted in the log should even be allowed to hit the SSH daemon. It's not in my Admin_Hosts aliases. Can anyone explain why that IP is even allowed to make an attempt?



  • Are you running an IDS like Snort, Suricata or pfBlockerNG?



  • @KOM No, but, after comparing it to similar configs, I tracked it down to a floating firewall rule (used for traffic shaping) that had a Pass action instead of a Match action.