From bb61a03b81b5e16b4ae7757ffaf17196a51ce291 Mon Sep 17 00:00:00 2001 From: Dominic Reich Date: Sun, 12 Jan 2025 17:24:12 +0100 Subject: [PATCH] update old post (pfsense, stalled ssh connections) --- .../2024/70-stalled-ssh-connections/index.md | 40 +++++++++++++++++-- .../pfsense-ip-configutation.png | 3 ++ 2 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 content/posts/2024/70-stalled-ssh-connections/pfsense-ip-configutation.png diff --git a/content/posts/2024/70-stalled-ssh-connections/index.md b/content/posts/2024/70-stalled-ssh-connections/index.md index add6cf3..14a2e3e 100644 --- a/content/posts/2024/70-stalled-ssh-connections/index.md +++ b/content/posts/2024/70-stalled-ssh-connections/index.md @@ -5,7 +5,7 @@ summary: > This is how I solved it. The thumbnail was created with Google AI (Imagen 3). date: 2024-10-06T19:30:17+02:00 -lastmod: 2025-01-05T09:03:01+0000 +lastmod: 2025-01-12T16:24:13+0000 categories: - computerstuff tags: 
@@ -66,7 +66,39 @@ Another change to the firewall setup in my home network. I did not had this on my mind but I accidentally saw my firewall retrieving a blacklist from my server and like instantly my ssh session was unusable again. -I now reduced the amount of updates the firewall retrieves the blacklist and hope -for the best! +I now reduced the amount of updates the firewall retrieves the blacklist and +hope for the best! -![pfBlockerNG settings of blacklisted IPs](./pfsense-pfblockerng-ipsettings.png "Image shows the settings screen of pfBlockerNG and the IPv4 feeds") \ No newline at end of file +![pfBlockerNG settings of blacklisted IPs](pfsense-pfblockerng-ipsettings.png "Image shows the settings screen of pfBlockerNG and the IPv4 feeds") + +{{< alert "triangle-exclamation" >}} +**Update on January 12 2025:** +_The final solution should be the removal of all IPv4 based blocks_ +{{< /alert >}} + +As the logs of the pfBlockerNG indicate: every hour runs a job that fetches and +updates blocklists for IP and DNS based blocking (if neccessary). + +Since the script kills all states to IP addresses in these lists my guess was, +that I should remove these types of blacklist (as the firewall blocks incoming +traffic of unknown sources anyway). + +I'm not sure how my servers IP got there, but I think the script kills all states +of any addresses listed in these lists, including those in whitelists. + +```log +[ pfB_Top_v4 ] Removed 46 state(s) for [ 89.58.16.xxx ] + +igb1 tcp 89.58.16.xxx:ssh <- 192.168.11.yyy:53226 ESTABLISHED:ESTABLISHED +igb0 tcp 192.168.31.zzz:25103 (192.168.11.yyy:53226) -> 89.58.16.xxx:ssh ESTABLISHED:ESTABLISHED +igb1 tcp 89.58.16.xxx:ssh <- 192.168.11.aaa:49270 TIME_WAIT:TIME_WAIT +igb0 tcp 192.168.31.zzz:36706 (192.168.11.aaa:49270) -> 89.58.16.xxx:ssh TIME_WAIT:TIME_WAIT +... and so on etc ... +``` + +Maybe it would have been enough to stop killing states but as I already wanted +to thin these lists anyway... 
+ +Otherwise this settings should suffice, theoretically: + +![pfBlockerNG settings of IP settings](pfsense-ip-configutation.png) diff --git a/content/posts/2024/70-stalled-ssh-connections/pfsense-ip-configutation.png b/content/posts/2024/70-stalled-ssh-connections/pfsense-ip-configutation.png new file mode 100644 index 0000000..b842fe5 --- /dev/null +++ b/content/posts/2024/70-stalled-ssh-connections/pfsense-ip-configutation.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9a45eaecf8ecc23561ef9b854842613ae51f55d1365e6df7ae1ec4f72ea878ba +size 12865
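Review bot: Spelling and grammar in the new paragraphs of the `@@ -66,7 +66,39 @@` hunk: "(if neccessary)" should read "(if necessary)", "my servers IP" should be "my server's IP", and "this settings should suffice" should be "these settings should suffice"; the unchanged context line "I did not had this on my mind" could be corrected to "I did not have this on my mind" while this region is being edited. The update box also leaves the reader unsure which fix was actually applied: the paragraph above it still says the feed update frequency was reduced, the box says the final solution "should be" removing all IPv4 blocks, and the last sentence says stopping the state kill might have been enough. Stating which of these changes is now in place, and naming the pfBlockerNG setting the new screenshot shows, would let the log excerpt (`Removed 46 state(s) for [ 89.58.16.xxx ]`) serve as evidence for a single stated cause instead of three candidate ones.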
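Review bot: The new file `pfsense-ip-configutation.png` carries a typo in its name ("configutation" for "configuration"); since the file is being created in this commit and is referenced only once, in the `![pfBlockerNG settings of IP settings](pfsense-ip-configutation.png)` line above, renaming it now to `pfsense-ip-configuration.png` and updating that reference avoids committing the misspelling permanently. The same image line is also missing the quoted title text that the other screenshot in this post has, and its alt text "pfBlockerNG settings of IP settings" reads awkwardly; "pfBlockerNG IP settings" would match the style of the earlier alt text.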