PF table to block IP not working in real-time

yzbythesea · Aug 30, 2025

Hi

I am implementing a program to detect bad IPs and block them in real-time via PF. I have a blocklist table persisted. The table starts with empty. Then my program will add bad IPs into this table.

My expectation is that PF will start blocking the connections from those IPs once they are added into the table. But I can still see the existing udp connections not destroyed/blocked by PF and there is traffic going between them.

/etc/rc.conf

Code:

table <blocklist> persist file '/usr/local/etc/pf_blocklist'
set skip on lo0
block all
pass out keep state
block on epair100b from <blocklist> to any
block on epair100b from any to <blocklist>

I am using this to add bad IPs to PF table

Code:

pfctl -t blocklist -Tadd 123.123.321.321

I verify the IPs are in the PF table. But their existing udp connections are still up. Those connections are established before I add them into the PF table.

Any thoughts? Thanks.

dave14305 · Aug 30, 2025

What about killing the states for that same IP with pfctl -k 123.123.321.321

johnblue · Aug 30, 2025

Add the offending IP to your table and then kill it with:

Code:

-k host | network | label | id | gateway

See the pfctl() man page.

Additionally, depending what goal you are trying to achieve, you may find that allowing pfctl to dynamically block hosts may perhaps be more efficient.

Be sure to see chapter 33 in the handbook regarding Firewalls and the section named "33.3.2.5. Using Overload Tables to Protect SSH". The concept applies to other ports not just SSH.

yzbythesea · Aug 31, 2025

dave14305 and johnblue

I am using

Code:

pfctl -F state

and seems working.
Which one is preferred? flush current state or kill the offending host state?

johnblue said:
pfctl to dynamically block hosts

Thanks, but my use case requires information not seen by PF to identify the bad clients

johnblue · Aug 31, 2025

dave14305 said:
What about killing the states for that same IP with pfctl -k 123.123.321.321

How strange. When I posted my comments there were zero replies to thread. But yours was four hours ahead of mine?? Odd.

yzbythesea said:
Which one is preferred? flush current state (club) or kill the offending host state (scalpel)?

Your choice.

dave14305 · Aug 31, 2025

johnblue said:
How strange. When I posted my comments there were zero replies to thread. But yours was four hours ahead of mine?? Odd.

I’m too new. I was waiting for moderation.

Same for this reply.

Phishfry · Aug 31, 2025

I moved from tables to blacklistd.

blacklistd(8)

man.freebsd.org

FreeBSD - Linux and FreeBSD Firewalls - Part 2 - Klara Systems

Compare Linux firewall solutions with FreeBSD’s PF, IPFW, and IPFilter. Discover key differences in performance, security, and flexibility.

klarasystems.com

I love this info-graphic:

https://gioarc.me/posts/infra/blacklistd.html

Very bottom of page setup instructions:

CentOS, FreeBSD: Secure SSH with fail2ban and blacklistd with MFA (Google Authenticator)

I have some servers that are exposed to the Internet on port 22 and I see a lot of brute force attacks coming. The easiest and best way to protect is to block port 22 for everyone except a handful of IPs or safe subnets. But sometimes, these servers need to be available for some...

blog.andreev.it