Affected versions: FreeBSD 12


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Remote administration is lost after pf reload, causing emergency console interventions.

Environment & Reproduction

Occurs after rule changes or table updates that were made without out-of-band testing.

pfctl -sr
service pf reload
ssh admin@host

Root Cause Analysis

Rule order, state policy, or an incorrect interface macro blocks inbound TCP port 22 traffic.

Quick Triage

Confirm pf is active and check block counters.

pfctl -s info
pfctl -vvsr
tcpdump -ni em0 port 22

Step-by-Step Diagnosis

Find the block rule that is matching SSH packets. Only rules carrying the log keyword are written to pflog0, and tcpdump -e prints the pflog header with the rule number and action.

pfctl -nf /etc/pf.conf
service pflog onestart
tcpdump -eni pflog0 port 22

Solution – Primary Fix

Insert an explicit pass rule for the management subnet that takes precedence over the generic block rules. pf applies the last matching rule, so a pass rule appended at the end of pf.conf wins over an earlier plain block; if the block rule uses quick, the pass rule must be placed before it instead.


cp -a /etc/pf.conf /etc/pf.conf.bak
echo 'pass in on em0 proto tcp from 10.0.0.0/24 to (em0) port 22 keep state' >> /etc/pf.conf
pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf

Solution – Alternative Approaches

Use pf tables for trusted admin ranges and apply staged reload with syntax validation in CI.
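The staged reload with syntax validation described here and in the primary fix, as an added example that is not code from the page or from FreeBSD: a dead-man timer restores the backup ruleset unless a fresh inbound management SSH connection succeeds after the load. It assumes pfctl(8) and the /etc/pf.conf paths used above; ssh_probe, MGMT_HOST and FW_ADDR are hypothetical placeholders.

```shell
#!/bin/sh
# Staged pf reload with an automatic rollback timer (added example, not the
# page's own code). Assumes PFCTL resolves to pfctl(8), CONF/BACKUP are the
# paths used in the primary fix, and the probe opens a fresh inbound SSH
# connection from the management subnet (ssh_probe and its hosts are assumed).
set -eu

PFCTL=${PFCTL:-pfctl}
CONF=${CONF:-/etc/pf.conf}
BACKUP=${BACKUP:-/etc/pf.conf.bak}
GRACE=${GRACE:-60}               # seconds until the old ruleset comes back unasked
MGMT_HOST=${MGMT_HOST:-admin@host}   # assumed admin workstation
FW_ADDR=${FW_ADDR:-10.0.0.1}         # assumed firewall address inside 10.0.0.0/24

# Syntax check only (-n): a broken file never reaches the kernel.
validate() {
    "$PFCTL" -nf "$1"
}

# Returns 0 when the new rules are live and the probe passed; otherwise the
# backup ruleset is reloaded and the code says why:
#   2: syntax error   3: load failed   4: probe failed after load
staged_reload() {
    conf=$1; backup=$2; grace=$3; probe=$4
    validate "$conf" || return 2
    # Arm the dead-man switch before touching the live ruleset.
    ( sleep "$grace" && "$PFCTL" -f "$backup" ) &
    timer=$!
    if ! "$PFCTL" -f "$conf"; then
        kill "$timer" 2>/dev/null || true
        "$PFCTL" -f "$backup"
        return 3
    fi
    if $probe; then
        kill "$timer" 2>/dev/null || true   # management path confirmed
        return 0
    fi
    # Probe failed: restore immediately instead of waiting for the timer.
    kill "$timer" 2>/dev/null || true
    "$PFCTL" -f "$backup"
    return 4
}

# Hypothetical probe: ask the admin host to open a fresh inbound SSH session,
# because a connection from the firewall to itself never traverses em0.
ssh_probe() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$MGMT_HOST" \
        "ssh -o BatchMode=yes -o ConnectTimeout=5 $FW_ADDR true"
}
```

Run it from the firewall as `staged_reload "$CONF" "$BACKUP" "$GRACE" ssh_probe`; if the probe or the operator's session dies, the backup ruleset is reloaded within GRACE seconds without console access.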

Verification & Acceptance Criteria

SSH access is restored from authorized networks while unauthorized access remains blocked.

ssh -o ConnectTimeout=5 admin@host true
pfctl -vvsr | grep 22

Rollback Plan

Restore previous firewall configuration if unintended exposure is detected.

cp /etc/pf.conf.bak /etc/pf.conf
pfctl -f /etc/pf.conf

Prevention & Hardening

Maintain console fallback, enforce syntax checks, and require peer review for firewall changes.

Related Errors & Cross-Refs

Related to DNS breakage from blocked UDP and jail egress denial due to anchor rules.


References & Further Reading

pf.conf(5), pfctl(8), and FreeBSD firewall deployment guidance.
