SSH keeps dropping connection with "Default deny rule IPv4"… FIXED



  • Good morning
    I am in the process of developing a new pfSense (2.1.3) and keep getting disconnected (SSH) with the "Default deny rule IPv4". I have even gone as far as creating FLOATING and LAN rules to pass the traffic, but it still disconnects me. The "Block private and bogon networks" options are also unticked. This is not happening on 2.0.3.
    What could be the problem?

    Thank you
    cyber7 (aka Aubrey, Cape Town, South Africa)



  • Most likely asymmetric routing. Firewall must see both directions of the traffic. Otherwise use looser options like sloppy state keeping and allowing all TCP flags.



  • I have found the problem.

    To understand what is happening and how I resolved the issue:

    • I am deploying a pfSense (2.1.3) release whilst the original pfSense (2.0.3) is still in use.

    • Both the systems reside in a VMWare ESXi HOST.

    • I have 2 WAN lines and 1 LAN line.

    • I am only activating 1 WAN line to do the deployment, sharing the LAN (in a virtual environment), although both WAN lines are configured.

    • One of the WAN lines is DOWN, as it is in use by the original pfSense (2.0.3) installation.

    • I have a whole bunch of rules on the second "inoperative" WAN Line.

    • I keep getting disconnected from SSH and WEB, although on WEB I just get a "delay"…

    • System logs show: "sshd[…]: fatal: Write failed: Operation not permitted" and "sshlockout[…]: sshlockout/webConfigurator v3.0 starting up"

    • FW log disconnects SSH and gives error "Default deny rule IPv4"

    How did I fix the permanent SSH and WEB disconnects, you ask? Well, it was actually quite easy:

    • System/Advanced/Miscellaneous Options

    • Go down to the section: "Gateway Monitoring"

    • Tick both the "State Killing on Gateway Failure" and "Skip rules when gateway is down" options.

    Works like a CHARM!
    cyber7-out
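As an added illustration of the symptom described in this post (not code from the poster or from pfSense), the script below scans syslog-style lines for an SSH session that was accepted and then, right after an "sshd ... Write failed: Operation not permitted", hits the "Default deny rule IPv4": an established flow that suddenly matches no state, which is the signature of the state table being wiped (or of asymmetric routing). The sample log lines and their exact layout are constructed for this example; only the message strings come from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines: the message strings follow the thread,
# the surrounding line format is assumed and is not from the original post.
SAMPLE_LOG = """\
Jun  3 09:14:02 pfsense sshd[41233]: Accepted publickey for admin from 192.168.1.50 port 51522 ssh2
Jun  3 09:14:30 pfsense sshd[41233]: fatal: Write failed: Operation not permitted
Jun  3 09:14:30 pfsense pf: Default deny rule IPv4 block in on em1 tcp 192.168.1.50:51522 -> 192.168.1.1:22
Jun  3 09:14:31 pfsense sshlockout[41300]: sshlockout/webConfigurator v3.0 starting up
Jun  3 09:20:05 pfsense pf: Default deny rule IPv4 block in on em0 tcp 203.0.113.9:40000 -> 192.0.2.10:22
"""

ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port (\d+)")
DENY_RE = re.compile(r"Default deny rule IPv4 .*?(\d+\.\d+\.\d+\.\d+):(\d+) -> \S+:22\b")
WRITE_FAIL = "fatal: Write failed: Operation not permitted"


def _ts(line):
    # Syslog timestamps carry no year; only time differences are used here.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def find_state_loss(log_text, window=timedelta(seconds=60)):
    """Return (src_ip, src_port, timestamp) for SSH sessions that sshd had
    accepted and that later fell through to the default deny shortly after a
    write failure, i.e. an established flow whose firewall state vanished."""
    sessions, last_write_fail, findings = set(), None, []
    for line in log_text.splitlines():
        if (m := ACCEPT_RE.search(line)):
            sessions.add((m.group(1), m.group(2)))
        elif WRITE_FAIL in line:
            last_write_fail = _ts(line)
        elif (m := DENY_RE.search(line)):
            src, port = m.group(1), m.group(2)
            # A deny for a flow sshd never accepted is ordinary blocked
            # traffic (the last sample line), not evidence of state loss.
            if ((src, port) in sessions and last_write_fail is not None
                    and _ts(line) - last_write_fail <= window):
                findings.append((src, port, line[:15]))
    return findings


if __name__ == "__main__":
    for src, port, when in find_state_loss(SAMPLE_LOG):
        print(f"{when}: established SSH flow {src}:{port} hit the default deny")
```

If this fires on a gateway-failover event, check the "Gateway Monitoring" options named above; if it fires with no gateway change, look at routing symmetry first.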



  • Indeed, that's the other possibility: something wiping the state table. 2.1.x versions don't do that by default, as it's pretty disruptive and people tended to hit it more often when it wasn't necessary or desirable than when it was.
