OPNsense Forum » Archive » 23.1 Legacy Series » Default deny rule on ssh
Topic: Default deny rule on ssh (Read 1760 times)
baronyoung (Newbie, Posts: 2, Karma: 0)
Default deny rule on ssh « on: November 21, 2023, 08:46:44 pm »
I'm running default settings pretty much across the board. I'm unable to ssh from one machine on a LAN subnet to another machine on the same subnet. In the firewall log I see this:
__timestamp__ 2023-11-21T19:43:20
ack 3804592492
action [block]
anchorname
datalen 0
dir [in]
dst 192.168.1.152
dstport 49195
ecn
id 0
interface igc1
interface_name lan
ipflags DF
ipversion 4
label Default deny / state violation rule
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 5
seq 1985055759
src 192.168.1.50
srcport 22
subrulenr
tcpflags SA
tcpopts
tos 0x0
ttl 64
urp 65160
Again, I've added no rules and it appears the default is to allow all traffic so I'm confused why this is happening. The "src" IP address above is actually the system I'm trying to ssh TO if that helps. Any help would be greatly appreciated.
« Last Edit: November 21, 2023, 09:41:23 pm by baronyoung »
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: Default deny rule on ssh « Reply #1 on: November 22, 2023, 12:19:53 am »
Traffic between two hosts in the same subnet should not touch the firewall. Maybe the subnet mask is misconfigured on the host you're trying to connect to? This could result in the syn ack being sent to the firewall, which causes a state violation.
Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
baronyoung (Newbie, Posts: 2, Karma: 0)
Re: Default deny rule on ssh « Reply #2 on: November 22, 2023, 05:01:44 pm »
I've checked both interfaces on each of the internal hosts and the mask looks fine (/24). They're both on DHCP (using the same OPNsense for this too), and DHCP is configured correctly as well. Is there any way to turn off this "syn ack" functionality? I'm not familiar with that.
Maurice (Hero Member, Posts: 1213, Karma: 158)
Re: Default deny rule on ssh « Reply #3 on: November 22, 2023, 05:49:46 pm »
You'll have to find out why 192.168.1.50 sends these packets to OPNsense instead of directly to 192.168.1.152. That's beyond the control of OPNsense and more likely a client / switch / WLAN / ... issue.
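The asymmetric-routing explanation given in replies #1 and #3, worked through as an added example (this is not code from the thread or from the OPNsense project). It parses a firewall log record constructed to mirror the one in the original post, flags the pattern Maurice describes (a TCP SYN-ACK between two hosts that both belong to the LAN subnet, yet arriving inbound at the firewall and hitting the state-violation rule), and models how a responder's own prefix length decides whether its reply goes directly to the peer or to its default gateway. The LAN subnet 192.168.1.0/24 and the gateway address 192.168.1.1 are assumptions, as is the direct-versus-gateway host routing logic, which is ordinary IP host behaviour rather than something the thread spells out.

```python
"""Added example (not from the forum thread): check whether a blocked
'state violation' record matches the stray same-subnet SYN-ACK pattern,
and model the subnet-mask-mismatch hypothesis raised in the thread."""
import ipaddress

# Constructed record mirroring the key/value layout of the original post
# (a subset of the fields; 'anchorname' and 'ecn' deliberately have no value).
SAMPLE_RECORD = """\
__timestamp__ 2023-11-21T19:43:20
action [block]
anchorname
dir [in]
dst 192.168.1.152
dstport 49195
ecn
interface igc1
interface_name lan
label Default deny / state violation rule
protoname tcp
src 192.168.1.50
srcport 22
tcpflags SA
"""


def parse_record(text):
    """Turn 'key value' lines into a dict; a key with no value maps to ''."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        rec[key] = value.strip()
    return rec


def is_stray_same_subnet_reply(rec, lan_net):
    """True when a blocked packet is a TCP reply (SYN-ACK) arriving inbound
    on the LAN interface whose source and destination both live in lan_net.
    Host-to-host traffic inside one subnet should never reach the firewall,
    so the firewall has no state for it and the default deny rule matches."""
    net = ipaddress.ip_network(lan_net, strict=False)
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return (
        rec.get("action") == "[block]"
        and rec.get("dir") == "[in]"
        and rec.get("interface_name") == "lan"
        and "state violation" in rec.get("label", "")
        and rec.get("protoname") == "tcp"
        and rec.get("tcpflags") == "SA"
        and src in net
        and dst in net
    )


def reply_next_hop(responder_ip, responder_prefix_len, peer_ip, gateway_ip):
    """Where does the responder send its reply? Ordinary host behaviour
    (assumed here): if the peer falls inside the responder's *own* view of
    its connected subnet, deliver directly; otherwise send to the default
    gateway, which is how a too-narrow mask turns a LAN reply into a packet
    the firewall sees."""
    iface = ipaddress.ip_interface(f"{responder_ip}/{responder_prefix_len}")
    if ipaddress.ip_address(peer_ip) in iface.network:
        return "direct"
    return f"gateway {gateway_ip}"


def diagnose(record_text, lan_net="192.168.1.0/24", gateway_ip="192.168.1.1"):
    """Summarise the record and show how the responder's mask changes the path.
    lan_net and gateway_ip are assumed values for the example."""
    rec = parse_record(record_text)
    lines = []
    if is_stray_same_subnet_reply(rec, lan_net):
        lines.append(
            f"{rec['src']}:{rec['srcport']} -> {rec['dst']}:{rec['dstport']} "
            f"is a SYN-ACK between two {lan_net} hosts that reached the firewall"
        )
    for prefix in (24, 26):
        hop = reply_next_hop(rec["src"], prefix, rec["dst"], gateway_ip)
        lines.append(f"if {rec['src']} is configured /{prefix}: reply goes {hop}")
    return lines


if __name__ == "__main__":
    for line in diagnose(SAMPLE_RECORD):
        print(line)
```

Running the block prints the diagnosis for the constructed record: with the responder on /24 the reply goes direct, while with a narrower mask such as /26 the same reply is handed to the gateway, which is exactly the packet the log shows being blocked. The same check applied over a real log export would surface every blocked same-subnet reply and point at which host to inspect.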