Connections from OPNsense 25.1 to port 22 on LAN

[alex_62450]

Hi to the OPNsense community,

I am using OPNsense as a home lab, in the following basic setting :

      Internet access ===> OPNsense 25.1 ==> LAN

After upgrading to OPNsense 25.1, there were some connectivity issues on the LAN interface (instability), which some other users experienced and this made me have a closer look at the LAN interface.

This is how I noticed connections going from the firewall to port 22 on the LAN. Theses connections - or rather attempts,allowed by automatic rules ('let anything out from firewall host itself'), suggest use of SSH as the protocol was TCP.

Please see attached screenshot from the live view in firewall logs : the connections are leaving  the LAN interface, from OPNsense to the computer on the LAN.

I tried to find out if there is any legitimate service on OPNsense 25.1 that could be make this kind of activity, could anyone share any thoughts or advice please ?

Many thanks.

[cookiemonster]

Those are likely going through it not from it. See the label, it is the rule that allows traffic from the firewall to the LAN.
There should be another leg of this traffic coming into the firewall, unless of course your are ssh'ing from it (the console).

[alex_62450]

Many thanks for the swift reply.

Well, unfortunately no, I wasn't SSH'ing from the console :-/  ..so what can be done please to find that other part corresponding to this traffic?

[pfry]

To expand on that, if you have logging enabled on your rules as well as the default/automatic rules, you'll get a log pair like these:

Code Select Expand

JAIL    <-    2025-03-11T10:00:44-05:00    10.101.11.160    192.168.99.160    icmp    let out anything from firewall host itself
TRUST    ->    2025-03-11T10:00:44-05:00    10.101.11.160    192.168.99.160    icmp    TRUST: Pass Ping_v4 from TRUST net to Local_v4

TRUST    <-    2025-03-11T10:04:41-05:00    192.168.99.160    10.101.11.160    icmp    let out anything from firewall host itself
JAIL    ->    2025-03-11T10:04:41-05:00    192.168.99.160    10.101.11.160    icmp    JAIL: Pass Ping_v4 from JAIL net to Trusted_v4

EDGE <- 2025-03-11T10:16:01-05:00 47.190.83.202 47.190.83.197 icmp let out anything from firewall host itself
TRUST -> 2025-03-11T10:16:01-05:00 10.101.11.160 47.190.83.197 icmp TRUST: Pass Ping_v4 from TRUST net to Local_v4

...so it's a bit tough to filter them together unless you know what you're looking for. I usually don't bother; I grabbed these by expanding (to 100 lines) and stopping the (very active, on my firewall) live view.

[alex_62450]

Many thanks for your message.

Logging is indeed enabled on some of the rules, but not on the automatic ones :/... I'll implement that step, thanks again for mentioning this.

In such case, is there something else that I can dig into to learn about this event, eg in /var/log or elsewhere?

I would also like to know if there is a way to assess whether that happened through traffic only or does it imply the OPNsense system is compromised (not sure if both conditions can apply).

[troplin]

Do you have backup to git enabled?

[pfry]

[...]
In such case, is there something else that I can dig into to learn about this event, eg in /var/log or elsewhere?

Well, there's "Firewall: Log Files: Plain View", but searching it can be a bit cumbersome. For instance, my system logs ~10-20 messages per second. And the pf logs are pretty limited (e.g. no MAC addresses). If I really want to know what's going on, I run a few (filtered) packet captures ("Interfaces: Diagnostics: Packet Capture"). I used those quite a bit early on to get a handle on some of the details of OPNsense operation.

I would also like to know if there is a way to assess whether that happened through traffic only or does it imply the OPNsense system is compromised (not sure if both conditions can apply).

Using rule logs? Hm. Singular "let out anything from firewall host itself" logs (vs. paired entries) with the source (IP) being the firewall, perhaps, but those would be tough to spot (vs. NAT, if used). A simple script could pick them out, but then there's the issue of where you'd want to implement something like that. Limitations of the FreeBSD stack and pf. Also, my configuration is a bit unusual (something that could probably be said about almost anyone's OPNsense config), so logging on my firewall may be unusual, too.

[alex_62450]

Thank you very much again for your messages.

Do you have backup to git enabled?

Well, I am not using that feature for the moment. It looks great and can be very helpful, but at the same time, it is not making your configuration public, is it? Until now, I have been doing back-ups and restores using config files, and use #diff to spot any changes. Can you share a bit about your experience with git please? I'd like to know more about it for sure.

Well, there's "Firewall: Log Files: Plain View", but searching it can be a bit cumbersome.

Indeed :-/ I have tried some basic steps, using simple #grep filters and #less but I am not sure what are the best log filters to look at to identify this kind of event in traffic - ie. the entry point on WAN - and in the system.

By the way, OPNsense was updated today to 25.1.3, which I welcomed as a chance to re-baseline the system but the same attempt was spotted again on LAN, so any thoughts and advice to track this kind of event would be please really, really welcome.

Many thanks.

[cookiemonster]

Make it simple.
Firewall > Settings > Advanced > Logging: Tick to log default block, default pass and outbound NAT <=don't forget to change it all back.
Go back to Firewall > Log Files > Live View: Change the drop down for the number of entries from the default 25 to say 100.
Now stop the capture when you get the hit you're interested in but don't forget that if you still have those filters in place, you need to remove them to see the other legs of traffic.

[troplin]

Thank you very much again for your messages.

Do you have backup to git enabled?

Well, I am not using that feature for the moment. It looks great and can be very helpful, but at the same time, it is not making your configuration public, is it?

It can be a git server in your own network, it doesn't have to be a public one like GitHub.

But that's not the point. Git uses SSH to connect to the server which could explain the outgoing connections.

[cookiemonster]

he's already said he's not using that feature ;)

[troplin]

he's already said he's not using that feature ;)

I was just explaining why I asked that question.

[cookiemonster]

fair enough. I thought you had missed that message.

[alex_62450]

Back to the forum and thanks for contributions - there were some persistent stability issues on WAN today, hence a bit of delay to respond.

It can be a git server in your own network, it doesn't have to be a public one like GitHub.

That's cool: if it's possible not to go on a public git, then I'll explore this further - thanks for bringing this forward.

Firewall > Settings > Advanced > Logging: Tick to log default block, default pass and outbound NAT <=don't forget to change it all back.
Go back to Firewall > Log Files > Live View: Change the drop down for the number of entries from the default 25 to say 100.

Done, many thanks for the hint :) And now, in practice, as this happens at unexpected moments (as always...), is there a way to automate an alert when this kind of condition is met? I had a look at the OPNsense manual and plugin list but not sure what could help.

Many thanks

[cookiemonster]

automate alerting to what condition, sorry?  All this so far is how to use the live view.