Tag Archives: PF

How to unban IP from PF firewall

This post is probably only relevant to my own use case, a PF firewall running on FreeBSD 11.1, and it is mainly here to remind myself how to unblock an IP from the block list.
Here’s a snippet of what’s in /etc/pf.conf:

table <sshguard> persist

# Don't send rejections. Just drop.
set block-policy drop

# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble

# set a default deny policy.
block in log all

# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state

# Enable antispoofing on the external interface
antispoof for $ext_if inet
#antispoof for $ext_if inet6

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

block in log quick on $ext_if inet from <sshguard> to any

In the pf.conf, the blocked IP table is called “sshguard”. To list all the blocked IPs, run:

# pfctl -t sshguard -T show
   1.0.246.105
   1.9.79.191
   1.52.149.133
   1.53.170.75
   1.164.252.130
   1.212.246.18
   1.217.60.210
   1.235.197.132
...

To unblock an IP, e.g. 1.235.197.132, run:

# pfctl -t sshguard -T delete 1.235.197.132
1/1 addresses deleted.

That’s it. Why is it so hard for me to remember? 😛
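The same unban, wrapped in a small script that validates the address before it reaches pfctl, confirms it is actually in the table, re-checks after the delete and leaves an audit line in syslog. This is an added example, not from the original post; it assumes FreeBSD pfctl(8), the <sshguard> table from the pf.conf above, and logger(1).

```sh
#!/bin/sh
# pf_unban.sh: remove one address from the PF block table with sanity checks.
# Added example, not from the original post. Assumes FreeBSD pfctl(8), the
# <sshguard> table from the post's pf.conf, and logger(1) for an audit trail.
# Note: if sshguard keeps seeing failed logins from the host, it will re-add it.

TABLE="${TABLE:-sshguard}"

# Accept only a dotted quad with four octets in 0..255; anything else is
# refused before it is ever passed to a root-level pfctl invocation.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# True when the table currently holds the exact address (same output format
# as 'pfctl -t sshguard -T show' in the post: one address per line).
in_table() {
    pfctl -t "$TABLE" -T show 2>/dev/null |
        awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# Validate, confirm membership, delete, re-check, then log who removed what.
pf_unban() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "refusing: '$ip' is not a valid IPv4 address" >&2; return 2
    fi
    if ! in_table "$ip"; then
        echo "$ip is not in table <$TABLE>; nothing to do" >&2; return 3
    fi
    pfctl -t "$TABLE" -T delete "$ip" >/dev/null 2>&1 || {
        echo "pfctl delete failed for $ip" >&2; return 4
    }
    if in_table "$ip"; then
        echo "$ip is still in <$TABLE> after delete" >&2; return 5
    fi
    logger -t pf_unban "removed $ip from <$TABLE> by ${SUDO_USER:-$(id -un)}"
    echo "$ip removed from <$TABLE>"
}

# Usage: pf_unban 1.235.197.132  (run as root, like the pfctl commands above)
if [ $# -eq 1 ]; then pf_unban "$1"; fi
```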

PF firewall rule for DNS server

A reminder to readers: most of these blog posts exist to remind me of what I have done or how I fixed a problem. What works for me may not work for you. Most of the time, they aren't even best practice.

Here's a snippet of the PF firewall rule on my FreeBSD box, which acts as a DNS server. Basically, the firewall opens UDP port 53 so that hosts on the LAN can reach it.

ext_if = "ue0"
...
pass in on $ext_if proto udp from 192.168.1.0/24 to any port 53 keep state

Reference: IPFW rules for DNS Resolvers