This post is probably more relevant to my use case of PF firewall running on FreeBSD 11.1, and I need to remind myself how to unblock an IP from the block list.

Here’s a snippet of what’s in /etc/pf.conf:

table persist

# Don't send rejections. Just drop.
set block-policy drop

# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble

# set a default deny policy.
block in log all

# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state

# Enable antispoofing on the external interface
antispoof for $ext_if inet
#antispoof for $ext_if inet6

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

# drop broadcast requests quietly.
block in quick on $ext_if from any to

block in log quick on $ext_if inet from  to any

In the pf.conf, the blocked IP table is called sshguard. To list all the blocked IPs, run:

# pfctl -t sshguard -T show

To unblock an IP, e.g., run:

# pfctl -t sshguard -T delete
1/1 addresses deleted.

That’s it. Why is it so hard for me to remember this? 😛