Disable sshlockout?

Started by x12MIke, April 16, 2019, 11:32:01 PM

Greetings,

I've been trying to find a solution to this and haven't, so I wanted to inquire. Since the 19.x upgrade, one of my VPN tunnels has been HORRIBLY unstable. To band-aid things, I created a basic script to check if the tunnel is up. If it's not, it SSHes to the OPNsense box and restarts strongswan and unbound.

The issue is that my workstation that runs the strongswan check script keeps getting added to this sshlockout table, and therefore my band-aid fails.

To my understanding there are automated rules to make sure the LAN side is not locked out; however, that doesn't seem to work across VLANs. My default LAN is not on re1 or re0, it's on a VLAN of re0. It appears the "Anti-Lockout Rule" can't be bound to a VLAN?

Ideally, I'd like to stabilize strongswan on my box; however, nothing changed on the other side of the tunnel. The instability arrived after the 19.x upgrade, so I am led to believe the instability is on my end.

I'm not familiar with how to file a bug report for the strongswan thing, if we can, so I figured I'd start in the forums and see where it leads :)

April 17, 2019, 09:17:44 PM #1 Last Edit: April 17, 2019, 09:19:15 PM by bewue
1. I think for the sshlockout table only failed SSH logins get counted. Thus you should check your script.

2. The sshlockout rule is evaluated before the anti-lockout rule, thus the anti-lockout rule has no effect here.

I don't think there's a switch to disable the sshlockout function.
Anyway, you can remove IPs from the sshlockout table under Firewall: Diagnostics: pfTables.
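A watchdog written along the lines of bewue's first point, as an added example that is not the poster's script or OPNsense code: every SSH attempt is key-only and non-interactive, and a single SSH failure stops further attempts until the state file is cleared, so the workstation never produces the string of failed logins that sshlockout counts. The firewall address, probe host, key path, account name and restart commands are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Workstation-side tunnel watchdog (added example; placeholders below are assumptions).
FW_HOST="${FW_HOST:-192.0.2.1}"            # OPNsense box (RFC 5737 documentation address)
PROBE_HOST="${PROBE_HOST:-198.51.100.10}"  # host reachable only through the tunnel
KEY="${KEY:-$HOME/.ssh/opnsense_watchdog}" # dedicated key; public half goes in the firewall user's authorized_keys
STATE="${STATE:-/tmp/tunnel_watchdog.ssh_failures}"
MAX_SSH_FAILURES=1   # after one SSH failure, hold and alert rather than retry

# Key-only, non-interactive SSH: a missing or wrong key fails exactly once per run
# and can never fall back to password prompts that generate failed-login records.
SSH_OPTS="-o BatchMode=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o ConnectTimeout=10 -i $KEY"

# decide <up|down> <ssh_failures_so_far> -> ok | restart | hold
decide() {
    tunnel=$1; failures=$2
    if [ "$tunnel" = up ]; then echo ok
    elif [ "$failures" -ge "$MAX_SSH_FAILURES" ]; then echo hold
    else echo restart
    fi
}

read_failures() { cat "$STATE" 2>/dev/null || echo 0; }
tunnel_state() { ping -c 2 "$PROBE_HOST" >/dev/null 2>&1 && echo up || echo down; }

restart_remote() {
    # Restart commands and the 'watchdog' account are placeholders for whatever the firewall provides.
    # shellcheck disable=SC2086
    ssh $SSH_OPTS "watchdog@$FW_HOST" 'service strongswan restart && service unbound restart'
}

main() {
    failures=$(read_failures)
    case "$(decide "$(tunnel_state)" "$failures")" in
        ok)      echo 0 > "$STATE" ;;
        restart) if restart_remote; then echo 0 > "$STATE"
                 else echo $((failures + 1)) > "$STATE"
                      logger -t tunnel-watchdog "ssh to $FW_HOST failed; holding until $STATE is cleared"
                 fi ;;
        hold)    logger -t tunnel-watchdog "tunnel down and a previous ssh attempt failed; not retrying" ;;
    esac
}

# Run from cron with WATCHDOG_RUN=1; sourcing the file without it only defines the functions.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then main; fi
```

Clearing the state file (or fixing the key) re-arms the restart path; the firewall account only needs rights to run the two restart commands.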