[Solved] Why do I see ssh warnings for traffic that should be firewalled?

  • I have a firewall with SSH access allowed on the WAN, but only for a limited set of hosts that are defined as alias. I upgraded it to 2.4.4_1 a few days ago and now I see a bunch of log messages that don't seem right:


    Here are my firewall rules on the WAN:


    I don't think the IP I highlighted in the log should even be allowed to hit the SSH daemon. It's not in my Admin_Hosts aliases. Can anyone explain why that IP is even allowed to make an attempt?

  • Are you running an IDS like Snort, Suricata or pfBlockerNG?

  • @KOM No, but, after comparing it to similar configs, I tracked it down to a floating firewall rule (used for traffic shaping) that had a Pass action instead of a Match action.