Solved Blocking specific IP or subnet does not seem to be working?

I keep seeing this in my mail log:
Code:
Oct  5 07:28:56 srv04 postfix/smtpd[27489]: connect from unknown[185.234.219.57]
Oct  5 07:28:57 srv04 postfix/smtpd[27489]: lost connection after AUTH from unknown[185.234.219.57]
Oct  5 07:28:57 srv04 postfix/smtpd[27489]: disconnect from unknown[185.234.219.57] ehlo=1 auth=0/1 commands=1/2

I have set up a table in pf.conf:
Code:
ext_if="vmx0"
me="123.123.123.123"
good_tcp_ports="{ 28300,443,80,25,22334 }"
set skip on lo0

block in all
block out all
pass in quick on $ext_if inet proto tcp from any to $me port $good_tcp_ports

pass in on $ext_if proto tcp from any to $me port 22334 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $me port > 40000 keep state
pass out keep state

pass in quick on $ext_if inet proto udp from any port 53 to $me
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $me to any

table <blockedips> persist file "/usr/local/etc/pf.blocked.ip.conf"
block drop in log (all) quick on $ext_if from <blockedips> to any

And this is my table: pfctl -t blockedips -T show
Code:
185.234.219.0/24
185.234.219.100
185.234.219.56
185.234.219.57
185.0.0.0/24

I have "restarted" pf with: pfctl -f /usr/local/etc/pf.conf
I'm lost! :-/
 
You have a pass quick rule before your block rule.
This rule:
Code:
pass in quick on $ext_if inet proto tcp from any to $me port $good_tcp_ports
always allows the traffic. Move the block rule (with the table) above it. You'll want to block "bad" traffic as soon as possible, so move it to the top of the rules.
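To make the ordering point concrete, here is an added example that is not from either post: a small Python model of pf's evaluation order (last matching rule wins, unless a matching rule carries `quick`, which stops evaluation on the spot). It loads a constructed copy of the poster's table file, builds the three rules that matter from the posted pf.conf (ignoring interface, direction and protocol details), and evaluates the same source address and port against the posted order and against the order the answer recommends. The address 198.51.100.10 is a constructed non-listed client, not something from the thread.

```python
"""Toy model of pf rule evaluation (constructed example, not pf itself).

pf walks the ruleset top to bottom; the LAST matching rule decides, unless a
matching rule has 'quick', in which case evaluation stops at that rule.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the contents of /usr/local/etc/pf.blocked.ip.conf
BLOCKED_TABLE = """\
185.234.219.0/24
185.234.219.100
185.234.219.56
185.234.219.57
185.0.0.0/24
"""

def load_table(text):
    """Parse one address or CIDR prefix per line into ip_network objects."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]

ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False            # 'quick' keyword present?
    src: list = field(default_factory=lambda: ANY)
    dports: Optional[set] = None   # None means any destination port

def evaluate(rules, src_ip, dport):
    """Return the verdict pf would reach for a packet from src_ip to dport."""
    src = ipaddress.ip_address(src_ip)
    verdict = "pass"               # pf's implicit default when nothing matches
    for rule in rules:
        if not any(src in net for net in rule.src):
            continue
        if rule.dports is not None and dport not in rule.dports:
            continue
        verdict = rule.action      # later matches override earlier ones...
        if rule.quick:
            break                  # ...unless the match is 'quick'
    return verdict

GOOD_TCP_PORTS = {28300, 443, 80, 25, 22334}
blocked = load_table(BLOCKED_TABLE)

block_all   = Rule("block")                                  # block in all
pass_good   = Rule("pass", quick=True, dports=GOOD_TCP_PORTS)  # pass in quick ... port $good_tcp_ports
block_table = Rule("block", quick=True, src=blocked)         # block drop in ... quick from <blockedips>

# Order as posted: the quick pass rule sits above the table block rule.
ORIGINAL_ORDER = [block_all, pass_good, block_table]
# Order the answer recommends: the table block rule comes first.
FIXED_ORDER = [block_table, block_all, pass_good]

def verdicts(src_ip, dport):
    """(verdict with posted order, verdict with block rule moved to the top)"""
    return (evaluate(ORIGINAL_ORDER, src_ip, dport),
            evaluate(FIXED_ORDER, src_ip, dport))

if __name__ == "__main__":
    for ip, port in [("185.234.219.57", 25),    # the IP from the mail log, SMTP
                     ("185.0.0.7", 443),        # covered by 185.0.0.0/24
                     ("198.51.100.10", 25),     # constructed, not in the table
                     ("198.51.100.10", 9999)]:  # not a listed port
        print(f"{ip}:{port} posted order -> {verdicts(ip, port)[0]}, "
              f"block rule first -> {verdicts(ip, port)[1]}")
```

With the posted order, 185.234.219.57 connecting to port 25 hits the `pass in quick` rule before the table rule is ever consulted, which is exactly why the smtpd connections keep appearing in the log; with the block rule moved to the top the same packet is dropped. On the real host, `pfctl -sr` prints the loaded rules in evaluation order, so you can confirm the block rule really sits above the pass rule after reloading.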
 