
PF Communication between fail2ban and pf fails


New Member

Messages: 3

EDIT: the problem is solved


I have been using Debian for the last several years and I'm very new to FreeBSD.

I tried to port my fail2ban configuration from my Debian machines to FreeBSD (with the modifications needed because the firewall has changed).

In my testing phase I found that the detection works as well as under Debian. My IP is marked in fail2ban's internal banlist (`fail2ban-client status ssh` shows my IP as "currently banned").
The problem is that I'm still not banned by pf. When I try to ban myself via `/sbin/pfctl -t fail2ban -T add <ip>` it works fine - pf adds me to my fail2ban table (connections are refused).
I don't understand why it won't work.

My /usr/local/etc/fail2ban/jail.local configuration is:

# The [DEFAULT] and [sshd] section headers were swallowed by the forum markup in
# the original post; they are restored here so the file parses as fail2ban expects.
[DEFAULT]
ignoreip =

# if 10 failures per 6 hours then ban the ip for 24 hours - that seems legit to me, I am the only sysadmin who can access these systems
# in emergencies I always have access to these machines via vnc over my host system
bantime  = 86400
findtime = 21600
maxretry = 10

backend = auto
usedns = warn

#banaction = iptables-multiport # ported from my debian configuration - inactive
protocol = tcp
chain = INPUT

# ported from my debian configuration - inactive
#action_ = %(banaction)s[name=%(__name__)s, port="%(port)s",
#protocol="%(protocol)s", chain="%(chain)s"]
#action = %(action_)s

# NOTE: actionban/actionunban are settings of an action.d/*.conf file, not of a
# jail; putting them in jail.local does not make fail2ban call pfctl. The fix
# given in this thread is "banaction = pf", which uses fail2ban's action.d/pf.conf.
actionban=/sbin/pfctl -t fail2ban -T add <ip>
actionunban=/sbin/pfctl -t fail2ban -T delete <ip>

[sshd]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
And my /etc/pf.conf is
# name of the network interface
# (the macro definition was lost in the paste; em0 is assumed from the rc.conf below)
ext_if = "em0"

# allow only certain types of ICMP requests
#icmp_types = "{echoreq, unreach}"
icmp_types = "echoreq"

# ban tables: a static list from a file and the one fail2ban is meant to fill
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
table <fail2ban> persist

# block everything that comes in
block in all

# return "connection refused" to the client instead of letting it wait until the (client-side) timeout
block return

# enable IP spoofing protection for all interfaces
block in quick from urpf-failed

# apply anti-spoofing blocking for the network interface given above
antispoof log for $ext_if

# allow the server to call out, e.g. to fetch updates; any protocol, any destination
# CHANGEME: will be tightened later
pass out keep state

# the ban rules must come BEFORE the "pass in quick" for ssh: with "quick" the
# first matching rule wins, so a pass rule listed earlier would let banned hosts in
block in quick on $ext_if from <blockedips> to any
block in quick on $ext_if from <fail2ban> to any

# this is what an allow rule generally looks like - here for ssh
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22

# allow incoming icmp
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
My /etc/rc.conf is:
ifconfig_em0="inet censored netmask 0xfffffff0"
#sshd_enable=TRUE # temporarily disabled until the fail2ban firewall problem is solved
I'm sorry for my bad English (and the German comments, just ignore them!) :)

Thanks in advance!


New Member

Messages: 3

Set banaction to pf.
I have tried the sample configuration of /usr/local/etc/fail2ban/jail.local from
with the recommended banaction.

I restarted the fail2ban service but I still have the same problem.
fail2ban tells me that I'm banned (via `fail2ban-client status sshd`) but `pfctl -t fail2ban -T show` shows nothing and I'm still able to connect to the server.

My /usr/local/etc/fail2ban/action.d/pf.conf config is the following:
# Fail2Ban configuration file
# OpenBSD pf ban/unban
# Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6


# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
# we don't enable PF automatically; to enable run pfctl -e
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
# also, these rulesets are loaded into (nested) anchors
# to enable them, add
#     anchor f2b {
#        anchor name1
#        anchor name2
#        ...
#     }
# to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
              echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-

# Option:  start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]`
actionstart_on_demand = false

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
# we only disable PF rules we've installed prior
actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
             <pfctl> -t <tablename>-<name> -T flush
             <pfctl> -t <tablename>-<name> -T kill

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck = <pfctl> -sr | grep -q <tablename>-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
actionban = <pfctl> -t <tablename>-<name> -T add <ip>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
# note -r option used to remove matching rule
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>

# Option: pfctl
# Use anchor as jailname to manipulate affected rulesets only.
# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
#pfctl = pfctl -a f2b/<name>
pfctl = pfctl -a fail2ban

# Option:  tablename
# Notes.:  The pf table name.
# Values:  [ STRING ]
#tablename = f2b
tablename = fail2ban

# Option: block
# The action you want pf to take.
# Probably, you want "block quick", but adjust as needed.
block = block quick

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
protocol = tcp

# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>

# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]"
allports = any

# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
multiport = any port {<port>}
For pfctl I tried {"pfctl -a f2b/<name>" (default value! creepy but okay), "pfctl -a f2b", "pfctl -a fail2ban"} and for tablename {"f2b", "fail2ban"} - separately, one after another.

In my opinion the following lines are interesting. Are they correct?
actionban = <pfctl> -t <tablename>-<name> -T add <ip>
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
#pfctl = pfctl -a f2b/<name>
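To make the anchor and table naming in that action file concrete, here is an added example (written for this page; it is not code from the thread or from fail2ban) that re-implements fail2ban's tag substitution for the pf action in a small POSIX sh script. It uses the defaults from the action file above (`pfctl -a f2b/<name>`, `tablename = f2b`, `block quick`, `<multiport>`), prints the pfctl commands fail2ban will run for a jail, the commands to inspect the result, and the anchor stanza the main pf.conf needs. The jail name `sshd`, the port `ssh` and the address 203.0.113.7 are constructed inputs; the script never calls pfctl itself, so it can be run anywhere.

```shell
#!/bin/sh
# Added example: render the fail2ban pf action (action.d/pf.conf above) for one
# jail and print the pfctl commands fail2ban will run, plus the commands needed
# to inspect and to hook up the result. It never calls pfctl; paste the printed
# commands into a root shell on the firewall.
#
# Defaults mirror the upstream action file; override via environment, e.g.
#   F2B_PFCTL="pfctl -a fail2ban" F2B_TABLENAME=fail2ban sh f2b_pf_render.sh sshd ssh
: "${F2B_PFCTL:=pfctl -a f2b/<name>}"
: "${F2B_TABLENAME:=f2b}"
: "${F2B_BLOCK:=block quick}"
: "${F2B_PROTOCOL:=tcp}"

# f2b_expand TEMPLATE JAIL PORT [IP]: substitute the <tags> the way fail2ban does.
# <pfctl> itself contains <name>, so it is expanded first; <actiontype> is the
# <multiport> default "any port {<port>}" from the action file.
f2b_expand() {
    tpl=$1; name=$2; port=$3; ip=${4:-}
    pfctl_cmd=$(printf '%s\n' "$F2B_PFCTL" | sed "s#<name>#$name#g")
    printf '%s\n' "$tpl" | sed \
        -e "s#<pfctl>#$pfctl_cmd#g" \
        -e "s#<tablename>#$F2B_TABLENAME#g" \
        -e "s#<name>#$name#g" \
        -e "s#<block>#$F2B_BLOCK#g" \
        -e "s#<protocol>#$F2B_PROTOCOL#g" \
        -e "s#<actiontype>#any port {$port}#g" \
        -e "s#<port>#$port#g" \
        -e "s#<ip>#$ip#g"
}

# The table a jail's bans go into: <tablename>-<name>, e.g. f2b-sshd.
f2b_table() { f2b_expand '<tablename>-<name>' "$1" ''; }

# actionstart and actionban exactly as the action file defines them.
f2b_actionstart() {
    f2b_expand 'echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-' "$1" "$2"
    f2b_expand 'echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-' "$1" "$2"
}
f2b_actionban() { f2b_expand '<pfctl> -t <tablename>-<name> -T add <ip>' "$1" '' "$2"; }

# What to type to see the rules and the table where they really live: inside the
# anchor, not in the main ruleset (a plain "pfctl -t fail2ban -T show" looks at
# a different, empty table and so shows nothing).
f2b_inspect() {
    f2b_expand '<pfctl> -sr' "$1" ''
    f2b_expand '<pfctl> -t <tablename>-<name> -T show' "$1" ''
}

# The stanza /etc/pf.conf needs so the anchor is evaluated at all, derived from
# the -a argument of <pfctl>. Arguments are the jail names.
f2b_anchor_stanza() {
    path=$(printf '%s\n' "$F2B_PFCTL" | sed -n 's#.*-a \([^ ]*\).*#\1#p')
    case $path in
        */"<name>")                       # nested anchors: anchor f2b { anchor sshd ... }
            printf 'anchor %s {\n' "${path%"/<name>"}"
            for j in "$@"; do printf '    anchor %s\n' "$j"; done
            printf '}\n' ;;
        '') printf '# no -a given: rules load into the main ruleset\n' ;;
        *)  printf 'anchor %s\n' "$path" ;;  # one flat anchor shared by all jails
    esac
}

# Usage: sh f2b_pf_render.sh JAIL PORT   (e.g. sshd ssh); 203.0.113.7 is a made-up IP
if [ $# -ge 2 ]; then
    echo "# fail2ban will run:";  f2b_actionstart "$1" "$2"; f2b_actionban "$1" 203.0.113.7
    echo "# inspect with:";       f2b_inspect "$1"
    echo "# /etc/pf.conf needs:"; f2b_anchor_stanza "$1"
fi
```

Run it with the poster's values, `F2B_PFCTL="pfctl -a fail2ban" F2B_TABLENAME=fail2ban sh f2b_pf_render.sh sshd ssh`, and the inspect line becomes `pfctl -a fail2ban -t fail2ban-sshd -T show`: the bans go into table `fail2ban-sshd` inside anchor `fail2ban`, so `pfctl -t fail2ban -T show` against the main ruleset is looking at a different table. The printed stanza (`anchor f2b { anchor sshd }` as the action file's header says, or `anchor "f2b/*"` to pick up every jail) has to be in /etc/pf.conf and placed before the `pass in quick ... port 22` rule; otherwise the pass rule matches first and the anchor is never consulted.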

T. Braun

New Member

Thanks: 2
Messages: 4

Hi Leonard,

I'm seeing exactly the same problem - would you mind telling me how you solved it on your side? Maybe I'm having the same error.



Staff member

Thanks: 5,508
Messages: 25,692

See post #2.