    SSH keeps dropping connection with "Default deny rule IPv4"… FIXED

cyber7

      Good morning
I am in the process of developing a new pfSense (2.1.3) and keep getting disconnected (SSH) with the "Default deny rule IPv4". I have even gone as far as creating FLOATING and LAN rules to pass the traffic, but it still disconnects me. The "Block private networks" and "Block bogon networks" options are also unticked. This is not happening on 2.0.3.
      What could be the problem?

      Thank you
      cyber7 (aka Aubrey, Cape Town, South Africa)

      When you pause to think, do you start again?

      2.2.4-RELEASE (amd64)
      built on Sat Jul 25 19:57:37 CDT 2015
      FreeBSD 10.1-RELEASE-p15
      and
      pfSense 2.3.2-RELEASE-p1 (amd64 full-install) on pfSense

cmb

Most likely asymmetric routing. The firewall must see both directions of the traffic. Otherwise, use looser options like sloppy state keeping and allowing all TCP flags.

cyber7

          I have found the problem.

          To understand what is happening and how I resolved the issue:

          • I am deploying a pfSense (2.1.3) release whilst the original pfSense (2.0.3) is still in use.

          • Both the systems reside in a VMWare ESXi HOST.

          • I have 2 WAN lines and 1 LAN line.

• I am only activating 1 WAN line to do the deployment, sharing the LAN (in a virtual environment), although both WAN lines are configured.

          • One of the WAN lines is DOWN, as it is in use by the original pfSense (2.0.3) installation.

• I have a whole bunch of rules on the second "inoperative" WAN line.

          • I keep getting disconnected from SSH and WEB, although on WEB I just get a "delay"…

          • System logs show: "sshd[…]: fatal: Write failed: Operation not permitted" and "sshlockout[…]: sshlockout/webConfigurator v3.0 starting up"

• The FW log shows SSH being blocked with the error "Default deny rule IPv4".

How did I fix the permanent SSH and WEB disconnects, you ask? Well, it was actually quite easy:

• Go to System/Advanced/Miscellaneous Options.

• Go down to the section "Gateway Monitoring".

• Tick both the "State Killing on Gateway Failure" and "Skip rules when gateway is down" options.

          Works like a CHARM!
          cyber7-out
cmb

Indeed, that's the other possibility: something wiping the state table. 2.1.x versions don't do that by default, as it's pretty disruptive and people tended to hit it more often when it wasn't necessary or desirable than when it was.

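Both explanations in this thread (a wiped state table, or asymmetric routing where the firewall never sees the return path) leave the same fingerprint in the filter log: packets from an already established TCP session, carrying no SYN, being blocked by the default deny rule instead of matching a state entry. The following script is an added example, not code from the thread or from pfSense; it scans constructed filterlog-style lines for that pattern. It assumes the CSV field layout used by pfSense's filterlog for IPv4 TCP entries (the 2.2+ layout; older releases differ, so check the indices against your own log) and the sample lines are made up for the demonstration.

```python
import csv

# Assumed filterlog CSV layout for IPv4 TCP entries (pfSense 2.2+); verify locally.
FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action",
          "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "proto_id", "proto", "length", "src", "dst", "sport", "dport",
          "datalen", "tcpflags"]

# Constructed sample log (not taken from the thread): two mid-stream SSH packets
# and one fresh SYN are blocked, one SYN is passed, one UDP packet is blocked.
SAMPLE_LOG = [
    "5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,52,192.168.1.10,192.168.1.1,52344,22,0,PA,100,200,4096,,",
    "5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,1235,0,DF,6,tcp,40,192.168.1.10,192.168.1.1,52344,22,0,A,101,200,4096,,",
    "5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,10.0.0.5,192.168.1.1,40000,22,0,S,1,0,65535,,mss",
    "9,16777216,,1000000201,em1,match,pass,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.1.10,192.168.1.1,52345,22,0,S,1,0,65535,,mss",
    "5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,1238,0,DF,17,udp,76,192.168.1.10,192.168.1.1,5353,5353,56",
]

def parse_line(line):
    """Map one filterlog CSV line onto FIELDS; fields beyond the layout are dropped."""
    return dict(zip(FIELDS, next(csv.reader([line]))))

def mid_stream_blocks(lines, port=22):
    """Group blocked, non-SYN TCP packets on `port` by connection 4-tuple.

    A packet without SYN belongs to an established session and should have
    matched a state entry, not a rule. Blocked mid-stream packets therefore point
    at a wiped state table or at a return path the firewall never saw.
    Blocked SYNs are ordinary rule decisions and are excluded.
    """
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") != "block" or rec.get("proto", "").lower() != "tcp":
            continue
        if port not in (int(rec["sport"]), int(rec["dport"])):
            continue
        if "S" in rec.get("tcpflags", ""):
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        info = sessions.setdefault(key, {"iface": rec["iface"], "tracker": rec["tracker"],
                                         "count": 0, "flags": []})
        info["count"] += 1
        info["flags"].append(rec["tcpflags"])
    return sessions

if __name__ == "__main__":
    for (src, sport, dst, dport), info in mid_stream_blocks(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport} on {info['iface']} (tracker {info['tracker']}): "
              f"{info['count']} mid-stream packet(s) blocked, flags {info['flags']}")
```

Run it against `clog /var/log/filter.log` output on the firewall itself to see whether the "Default deny rule IPv4" entries are new connections (expected) or packets from sessions that were already up (state loss or asymmetry).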
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.