How to unban IP from PF firewall

This post is probably more relevant to my use case of PF firewall running on FreeBSD 11.1, and I need to remind myself how to unblock an IP from the block list. Here’s a snippet of what’s in /etc/pf.conf (the table name in angle brackets was lost in extraction and is restored from the text below):

table <sshguard> persist

# Don't send rejections. Just drop.
set block-policy drop

# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0

# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble

# set a default deny policy.
block in log all

# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state

# Enable antispoofing on the external interface
antispoof for $ext_if inet
#antispoof for $ext_if inet6

# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any

# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

block in log quick on $ext_if inet from <sshguard> to any

In the pf.conf, the blocked IP table is called sshguard. To list all the blocked IPs, run: ...

November 17, 2017 · 2 min · 269 words · kenno

PF firewall rule for DNS server

A reminder to readers: most of these blog posts are to remind me what I have done or how I fixed some problems. What works for me may not work for you. Most of the time, they aren’t even the best practice. Here’s a snippet of the PF firewall rule on my FreeBSD box which acts as a DNS server. Basically, the firewall opens up UDP port 53 to allow LAN access to it. ...

July 9, 2015 · 1 min · 131 words · kenno