PF pf not blocking all traffic from blacklisted IP addresses

I've set up pf to block any traffic from the addresses contained in 2 files. However, I've found that some, but not all, traffic from IP addresses that should be blocked is getting through.

pflog shows some traffic from blocked IPs being dropped, while my postfix and apache logs show some traffic from the same IP addresses.

pf.conf
Code:
ext_if="vtnet0"

scrub in

table <block-em> persist file "/etc/pf.blocked.ip.conf"
block drop in log (all) quick on $ext_if from <block-em> to any

table <stretchoid> persist file "/etc/pf.blocked.stretchoid"
block drop in log (all) quick on $ext_if from <stretchoid> to any
If it helps I can post excerpts from the logs and the files containing the IPs to block.

regards
andrew
 
If you add addresses to those files you will need to reload the ruleset. Those files will not be dynamically checked; the table is created (and filled) when the ruleset is loaded. What I normally do is add addresses to such a file (for safekeeping), then add them dynamically to the table: pfctl -t block-em -T add 1.2.3.4. Also note that the traffic from an IP address may already have a state, and the traffic is passed due to the existing state.
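The workflow described in that reply (record the address in the file for persistence, add it to the live table with pfctl -T add, and deal with states the address already holds), as an added example that is not code from the thread. It assumes the table name block-em and the file /etc/pf.blocked.ip.conf from the poster's pf.conf; the function names, the BLOCK_FILE/BLOCK_TABLE variables and the PF_DRYRUN switch are constructed for this script. pfctl -k host kills existing states from that source, and a second -k selects states by destination, which is what stops a connection that is already passing on a state from continuing past the block rule.

```shell
#!/bin/sh
# Added example, not from the thread: persist an address to the table's backing
# file, load it into the running table, and kill the states it already holds.
# Table name and file path are taken from the poster's pf.conf (assumption that
# they are unchanged); set PF_DRYRUN=1 to only print the pfctl commands.

BLOCK_FILE="${BLOCK_FILE:-/etc/pf.blocked.ip.conf}"
BLOCK_TABLE="${BLOCK_TABLE:-block-em}"

# Validate a dotted-quad IPv4 address; return 0 if valid, 1 otherwise.
valid_ipv4() {
    ip="$1"
    # Exactly four numeric octets.
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Each octet must be in the range 0-255.
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run pfctl, or print the command line when dry-running (constructed switch).
run_pfctl() {
    if [ "${PF_DRYRUN:-0}" = "1" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# Block one address: record it in the file (idempotently), add it to the live
# table so no ruleset reload is needed, then kill states with this address as
# source and as destination so an existing connection cannot keep riding its
# state past the "block drop in ... quick" rule.
block_ip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    # Append to the file only if it is not already there (whole-line match).
    if ! grep -qxF "$ip" "$BLOCK_FILE" 2>/dev/null; then
        echo "$ip" >> "$BLOCK_FILE"
    fi
    run_pfctl -t "$BLOCK_TABLE" -T add "$ip" || return 1
    run_pfctl -k "$ip" || return 1
    run_pfctl -k 0.0.0.0/0 -k "$ip" || return 1
}

# Number of addresses currently recorded in the file (quick sanity check
# against "pfctl -t block-em -T show" after a reload).
count_blocked() {
    [ -f "$BLOCK_FILE" ] || { echo 0; return 0; }
    grep -c . "$BLOCK_FILE" || true
}
```

Usage: block_ip 203.0.113.7 (a documentation-range address used here as a constructed sample). Because the rule is an inbound block, killing states is what makes the block bite for a host that was already talking to postfix or apache before it was added; checking pfctl -s states for the address before and after is the simplest way to confirm.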
 
Thanks guys, the rules were reloaded. As I said, they are blocked a lot, the IP addresses appear in pflog, however they also still get through a few times to my apache logs and maillog.

I'll try the "quick" option to see if that helps.

Edit: my mistake, it's already using the "quick" option.

regards
andrew
 