PF pf-badhost Table Loaded, but pf Not Blocking IPs

[asm386]

After following the instructions listed at https://www.geoghegan.ca/pub/pf-badhost/latest/install/freebsd.txt to get pf-badhost running on FreeBSD 15.0, it seems like the pf-badhost script has run successfully and that pf itself has loaded the pfbadhost table, but it doesn't seem like pf is blocking requests from the addresses in this table.

Here are the contents of /etc/pf.conf

ext_if = "vtnet0"
set limit table-entries 400000
scrub in all

table <pfbadhost> persist file “/etc/pf-badhost.txt”
block in log quick on egress from <pfbadhost>
block out log quick on egress to <pfbadhost>

antispoof for $ext_if

I believe that the rules have been loaded because the following shows up in the output of pfctl -sr:

block drop in log quick on egress from <pfbadhost> to any
block drop out log quick on egress from any to <pfbadhost>

In addition, pfctl -t pfbadhost -Ts | wc -l gives me back a count of 25,073, which I believe indicates that the table has at least been loaded correctly. In spite of all of this, I am still seeing IP addresses which should be blocked show up in the /var/log/httpd-access.log. For example, here is output from this log which is clearly abnormal:

176.65.148.161 - - [07/Feb/2026:20:47:21 +0000] "HEAD / HTTP/1.1" 401 -
176.65.148.161 - - [07/Feb/2026:20:47:21 +0000] "HEAD / HTTP/1.1" 401 -
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "GET / HTTP/1.1" 301 275
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "GET / HTTP/1.1" 301 275
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "GET / HTTP/1.1" 401 421
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "GET / HTTP/1.1" 401 421
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "HEAD /_next HTTP/1.1" 301 -
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "HEAD /_next HTTP/1.1" 301 -
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "HEAD /_next HTTP/1.1" 401 -
176.65.148.161 - - [07/Feb/2026:20:47:22 +0000] "HEAD /_next HTTP/1.1" 401 -

Running pfctl -t pfbadhost -Tt 176.65.148.161 gives the following output:

1/1 addresses match.

Since the address matches, I am unsure why this traffic was allowed in the first place. I have also validated the /etc/pf.conf file by running pfctl -nf /etc/pf.conf and have ran pfctl -f /etc/pf.conf and restarted my server to ensure that the configuration file has been loaded. I am hoping for feedback on where I may have misconfigured pf so that I can adjust the configuration and ensure that these rules are enforced properly.

 

[atax1a]

do you have pf_enable="YES" in /etc/rc.conf? This ends up executing pfctl -e among other things. You can check pfctl -si to see if it is enabled.

 

[asm386]

do you have pf_enable="YES" in /etc/rc.conf? This ends up executing pfctl -e among other things. You can check pfctl -si to see if it is enabled.

I checked /etc/rc.conf and pf is enabled. Running pfctl -si produces the following output:

Status: Enabled for 0 days 00:02:43           Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                            6457           39.6/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               6457           39.6/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

Looks like it is enabled and running.

 

[asm386]

I decided to make the following changes to my /etc/pf.conf and now things seem to be working as expected

block in log quick on $ext_if from <pfbadhost>
block out log quick on $ext_if to <pfbadhost>

I changed these lines to block explicitly on the vtnet0 interfaces as opposed to egress. I am now able to actually see blocks show up when monitoring the pflog0 interface and so far the only IPs which are actually hitting the HTTP server are those that are not in the pfbadhost table, so things seem to be working. Since vtnet0 is the only interface that can actually reach the internet, I think that the ruleset above will work for now. The only confusion now is why this works but egress does not...

 

[gotnull]

The only confusion now is why this works but egress does not...

It's mainly because egress is a keyword used by PF in OpenBSD, but it doesn't apply in FreeBSD context.
The author of the instructions probably did a quick copy/past for the pf rules, but as you've found out it's a quick fix.

Just in case, some reading, if you want to change this behavior:

Making sure you're not a bot!