blacklistd and pf are not blocking


Doug Hardie

May 26, 2025, 12:56:48 AM
to ques...@freebsd.org
I have been using blacklistd with web server and postfix for quite a while. I hadn't tested it until yesterday. It appears something with pf has changed on the postfix server. The "bad" IPs are being recorded by blacklistd and they have the proper expiration time. The IPs are properly in the blacklistd anchor for pf. However, the connections are not blocked. They still get through.

The following is an excerpt from pf.conf for the web server where blacklistd is properly blocking IPs.

pass in on $ext_if proto tcp from any to port $WEB
pass in on $ext_if from $local to any
anchor "blacklistd/*" in on $ext_if

LOCAL is my local LAN.

pfctl reports the rule as:

sermons# pfctl -a blacklistd/80 -t port80 -v -sr
block drop in quick proto tcp from <port80> to any port = http
[ Evaluations: 28493 Packets: 425 Bytes: 26201 States: 0 ]
[ Inserted: uid 0 pid 1080 State Creations: 0 ]


The server logs show no entries after the time where the blacklistd entry is created.


The excerpt from the postfix server:

pass in quick inet proto tcp from $LOCAL to any port $SMTP
# woodpeckers limit at 20/IP or 10/minute - cron purges hourly
block in quick log on $ext_if proto tcp from <woodpeckers> to any port $SMTP
pass in inet proto tcp to any port $SMTP \
flags S/SA keep state \
(max-src-conn 20, max-src-conn-rate 10/60, \
overload <woodpeckers> flush global)

anchor "blacklistd/*" in on $ext_if

I understand that the last matching rule is used in filters. It seems that the anchor rule should match. However, it is never called. The counts are always zero.

mail# pfctl -a blacklistd/25 -t port25 -v -sr
block drop in quick proto tcp from <port25> to any port = smtp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 506 State Creations: 0 ]

Both systems are:
mail# freebsd-version -ku
14.2-RELEASE-p1
14.2-RELEASE-p3


I don't see any differences in the pf configuration, but one works and the other doesn't. Any ideas?

-- Doug


Gian Piero Carrubba

May 28, 2025, 12:39:38 PM
to ques...@freebsd.org
* [Sun, May 25, 2025 at 09:56:01PM -0700] Doug Hardie:
>I understand that the last matching rule is used in filters.

This is superseded by the quick keyword. A matching rule with the quick
keyword is always applied and following rules are not processed.

Ciao,
Gian Piero.
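To show the ordering Gian Piero describes, here is an added pf.conf fragment (not from either message): the blacklistd anchor is placed ahead of the quick pass rules so that its "block ... quick" rule is evaluated before any quick pass can end evaluation. The interface name and LAN prefix are assumed values.

```pf
# Added example, not part of the thread. Assumed values:
ext_if = "em0"           # assumed external interface
LOCAL  = "192.0.2.0/24"  # assumed local LAN (documentation prefix)
SMTP   = "25"

table <woodpeckers> persist

# pf walks the ruleset top to bottom. Normally the LAST matching rule wins,
# but a rule with "quick" ends evaluation the moment it matches. In the
# postfix fragment quoted above the anchor is the very last rule, so any
# earlier quick rule that matches a connection (e.g. the quick pass for
# $LOCAL) means the anchor rule, and the "block drop in quick" rule
# blacklistd keeps inside it, is never evaluated. That shows up in pfctl as
# "Evaluations: 0" for the anchor's rule.

# Evaluate the blacklistd anchor first. blacklistd's own rule inside it is
# "block drop in quick proto tcp from <port25> to any port = smtp", so a
# listed source is dropped here and nothing below is consulted.
anchor "blacklistd/*" in on $ext_if

# Everything below is unchanged from the quoted configuration; it is only
# reached for sources that are not in the blacklistd table.
pass in quick inet proto tcp from $LOCAL to any port $SMTP
# woodpeckers limit at 20/IP or 10/minute - cron purges hourly
block in quick log on $ext_if proto tcp from <woodpeckers> to any port $SMTP
pass in inet proto tcp to any port $SMTP \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 10/60, \
    overload <woodpeckers> flush global)

# Caveat: states are matched before rules, so the block only affects new
# connections; a connection that already has a state from a later-listed
# address keeps passing until that state expires or is killed.
```

After reloading, `pfctl -vvsr` prints each rule with its number and Evaluations/Packets counters, and `pfctl -a blacklistd/25 -t port25 -T show` lists the addresses currently in the anchor's table, so you can confirm both that the anchor is now being evaluated and that the test address is actually in it.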
