From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:03.blocklistd
Reply-To: freebsd-security@freebsd.org
Date: Tue, 10 Feb 2026 18:29:56 +0000 (-00)

=============================================================================
FreeBSD-SA-26:03.blocklistd                                 Security Advisory
                                                          The FreeBSD Project

Topic:          blocklistd(8) socket leak

Category:       core
Module:         blocklistd
Announced:      2026-02-10
Affects:        FreeBSD 15.0
Corrected:      2026-02-10 01:39:29 UTC (stable/15, 15.0-STABLE)
                2026-02-10 17:56:11 UTC (releng/15.0, 15.0-RELEASE-p3)
CVE Name:       CVE-2026-2261

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The blocklistd(8) service keeps a database of IP addresses associated
with certain adverse events reported by other system services, such as
failed ssh logins or emails submitted to non-existent recipients. Once
an IP address has exceeded a configured number of adverse events,
blocklistd runs a helper script which performs a preprogrammed action,
usually adding the IP address to a packet filter blocklist. After a
certain amount of time has elapsed, the same helper script is run again
to unblock the address.

The blocklistd service was previously known as blacklistd and is
present under both names in FreeBSD 15.0-RELEASE.

II.  Problem Description

Due to a programming error, blocklistd leaks a socket descriptor for
each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes
unable to run the helper script: a child process is forked, but this
child dereferences a null pointer and crashes before it is able to exec
the helper. At this point, blocklistd still records adverse events but
is unable to block new addresses or unblock addresses whose database
entries have expired.

Once a second, much higher number of leaked sockets is reached,
blocklistd becomes unable to receive new adverse event reports.

III. Impact

An attacker may take advantage of this by triggering a large number of
adverse events from sacrificial IP addresses to effectively disable
blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse
events will occur regularly in the course of normal operations, and
blocklistd will gradually run out of file descriptors and become
ineffective.

The accumulation of open sockets may have knock-on effects on other
parts of the system, resulting in a general slowdown until blocklistd
is restarted.

IV.  Workaround

The issue can be mitigated to a certain extent by regularly restarting
the blocklistd service. However, a determined attacker with access to a
sufficiently large pool of sacrificial IP addresses will be able to
disable blocklistd in a matter of minutes, or hours at most.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your vulnerable system installed from binary distribution
sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:03/blocklistd.patch
# fetch https://security.FreeBSD.org/patches/SA-26:03/blocklistd.patch.asc
# gpg --verify blocklistd.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              1864a03eb2ac    stable/15-n282210
releng/15.0/                            e4781e4e6d88  releng/15.0-n281007
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
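
A defender-side check for the descriptor leak the advisory above describes, combined with its restart workaround. This is an added example, not part of the advisory or of FreeBSD's own code; the SOCK_LIMIT threshold, the DAEMON and rc(8) service name, and the sample procstat(1) rows are assumptions.

```sh
#!/bin/sh
# Added example: count blocklistd's open sockets and apply the advisory's
# workaround (restart) before the leak disables blocking.
# Assumptions: SOCK_LIMIT, the DAEMON name, and the rc(8) service name.

DAEMON=${DAEMON:-blocklistd}     # 15.0 also ships the daemon as blacklistd
SOCK_LIMIT=${SOCK_LIMIT:-64}     # assumed threshold, tune to the host's baseline

# Constructed sample in procstat(1) -f layout, for trying the parser offline.
sample_procstat() {
cat <<'EOF'
  PID COMM                FD T V FLAGS    REF  OFFSET PRO NAME
 1234 blocklistd         cwd v d r-------   -       - -   /
 1234 blocklistd           0 v c rw------   3       0 -   /dev/null
 1234 blocklistd           1 v c rw------   3       0 -   /dev/null
 1234 blocklistd           2 v c rw------   3       0 -   /dev/null
 1234 blocklistd           3 s - rw------   1       0 UDD -
 1234 blocklistd           5 s - rw------   1       0 UDS -
 1234 blocklistd           6 s - rw------   1       0 UDS -
 1234 blocklistd           7 s - rw------   1       0 UDS -
EOF
}

# Read `procstat -f` output on stdin; print the number of numbered
# descriptors whose type column (T) is "s" (socket).
count_sockets() {
    awk 'NR > 1 && $3 ~ /^[0-9]+$/ && $4 == "s" { n++ } END { print n + 0 }'
}

# Print "leak" when the socket count exceeds the limit, otherwise "ok".
leak_verdict() {
    if [ "$1" -gt "$2" ]; then echo leak; else echo ok; fi
}

# Live check: meant to be run as root from cron on the affected host.
check_daemon() {
    pid=$(pgrep -x "$DAEMON" | head -n 1)
    [ -n "$pid" ] || { echo "$DAEMON is not running" >&2; return 2; }
    n=$(procstat -f "$pid" | count_sockets)
    if [ "$(leak_verdict "$n" "$SOCK_LIMIT")" = leak ]; then
        logger -p daemon.warning "$DAEMON holds $n sockets (limit $SOCK_LIMIT), restarting"
        service "$DAEMON" restart
    else
        echo "$DAEMON: $n open sockets"
    fi
}

# Run the live check only when asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_daemon
fi
```

Run it with `--check` from cron; a socket count that climbs steadily between runs on an unpatched host is the leak, and the restart only resets the counter until the fix is installed.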

Date: Fri, 13 Feb 2026 15:38:19 +0100
From: Alexander Leidinger
To: FreeBSD Security list
Subject: Misunderstanding of behavior of pf?
Organization: No organization, this is a private message.

Hi,

it seems I have some kind of misunderstanding how PF is supposed to
behave...

I have a persistent table ("bruteforce") which contains an IP. After a
reboot the IP should not be allowed to reach any service (I validated
that the IP is in the table after the reboot), but I still see this IP
showing up in sshd auth logs (the usual probing).

The external interface (igb0) is a member of a bridge. The host-IP is on
the bridge, no IP on the external interface. The pf rules are on the
external interface. The sshd which is listening on the IP of the bridge
is still logging the IP.

Config below. The packets enter the system via igb0, no other NIC
configured or attached. To my understanding the rules below should block
IPs in the bruteforce table and sshd should not see connections from
those IPs.

ifconfig vswitch0 | head -5:
---snip---
vswitch0: flags=1008843 metric 0 mtu 1500
        description: VNET jails switch
        options=10
        ether a:b:c:d:e:f
        inet 192.168.x.y netmask 0xffffff00 broadcast 192.168.x.255
---snip---

ifconfig vswitch0 | grep igb0:
---snip---
        member: igb0 flags=143
---snip---

sysctl net.link.bridge:
---snip---
net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 1
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
---snip---

I also tried with net.link.bridge.pfil_member=1, same behavior.

pf.conf:
---snip---
ext_if = "igb0"

set loginterface $ext_if
set skip on lo0
#set skip on vswitch0
set block-policy return
set reassemble yes

# tables
table persist file "/var/db/pf/bruteforce.table"
table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        100.64.0.0/10 192.88.99.0/24 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.128.0/17 192.168.64.0/18 192.168.32.0/19 192.168.16.0/20 \
        192.168.8.0/21 192.168.4.0/22 192.168.2.0/23 192.168.0.0/24 \
        198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }
table { 100::/64 2001:db8::/32 3fff::/20 }
table persist file "/var/db/pf/crowdsec-ipv4.blocklist"
table persist file "/var/db/pf/crowdsec-ipv6.blocklist"

# hygiene
scrub in all

# blacklistd
anchor "blacklistd/*" in on $ext_if

# hygiene
block in quick log on $ext_if from to any
block in quick log on $ext_if from to any
block in quick log on $ext_if from to any
block return out quick log on $ext_if from any to
block drop in quick on $ext_if from to any
block drop in quick on $ext_if from to any
---snip---

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

From: "J. Hellenthal"
Subject: Re: Misunderstanding of behavior of pf?
Date: Sat, 14 Feb 2026 14:53:20 -0600
Cc: FreeBSD Security list
To: Alexander Leidinger

Set ext_if = "vswitch0" and give it another shot.

-- 
J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 13, 2026, at 08:39, Alexander Leidinger wrote:
> 
> ext_if = "igb0