Date:      Fri, 13 Feb 2026 15:38:19 +0100
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        FreeBSD Security list <freebsd-security@freebsd.org>
Subject:   Misunderstanding of behavior of pf?
Message-ID:  <4e5872fa643cf4ed2cc60f3bc61a7600@Leidinger.net>


Hi,

it seems I have some kind of misunderstanding of how PF is supposed to 
behave...

I have a persistent table ("bruteforce") which contains an IP. After a 
reboot the IP should not be allowed to reach any service (I validated 
that the IP is in the table after the reboot), but I still see this IP 
showing up in sshd auth logs (the usual probing).

The external interface (igb0) is a member of a bridge. The host IP is on 
the bridge, no IP on the external interface. The pf rules are on the 
external interface. The sshd which is listening on the IP of the bridge 
is still logging the IP. Config below.

The packets enter the system via igb0, no other NIC configured or 
attached. To my understanding the rules below should block IPs in the 
bruteforce table and sshd should not see connections from those IPs.

ifconfig vswitch0 | head -5:
---snip---
vswitch0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
         description: VNET jails switch
         options=10<VLAN_HWTAGGING>
         ether a:b:c:d:e:f
         inet 192.168.x.y netmask 0xffffff00 broadcast 192.168.x.255
---snip---

ifconfig vswitch0 | grep igb0:
---snip---
         member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
---snip---

sysctl net.link.bridge:
---snip---
net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 1
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
---snip---

I also tried with net.link.bridge.pfil_member=1, same behavior.

pf.conf:
---snip---
ext_if = "igb0"

set loginterface $ext_if
set skip on lo0
#set skip on vswitch0
set block-policy return
set reassemble yes

# tables
table <bruteforce> persist file "/var/db/pf/bruteforce.table"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
         100.64.0.0/10 192.88.99.0/24 \
         172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
         192.168.128.0/17 192.168.64.0/18 192.168.32.0/19 192.168.16.0/20 \
         192.168.8.0/21 192.168.4.0/22 192.168.2.0/23 192.168.0.0/24 \
         198.18.0.0/15 198.51.100.0/24 \
         203.0.113.0/24 }
table <martians6> { 100::/64  2001:db8::/32 3fff::/20 }
table <crowdsec-blocklists> persist file "/var/db/pf/crowdsec-ipv4.blocklist"
table <crowdsec6-blocklists> persist file "/var/db/pf/crowdsec-ipv6.blocklist"

# hygiene
scrub in all

# blacklistd
anchor "blacklistd/*" in on $ext_if

# hygiene
block in quick log on $ext_if from <martians> to any
block in quick log on $ext_if from <martians6> to any
block in quick log on $ext_if from <bruteforce> to any
block return out quick log on $ext_if from any to <martians>
block drop in quick on $ext_if from <crowdsec-blocklists> to any
block drop in quick on $ext_if from <crowdsec6-blocklists> to any
---snip---

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

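The behaviour the post describes hinges on one pf semantic: a rule written "on igb0" only matches packets that pfil(9) hands to pf on igb0, and if_bridge(4) decides whether that ever happens. The model below is an added example by the editor, not code from the post or from FreeBSD: it replays the posted rules (block in quick on $ext_if from <table>) against constructed table contents and a constructed probing address (203.0.113.45, a documentation address used only as a stand-in), and encodes this editor's reading of if_bridge: a packet entering on a member interface and addressed to the host's own IP on the bridge is filtered on the member only when both net.link.bridge.pfil_member and net.link.bridge.pfil_local_phys are 1, and is in any case filtered again on the bridge interface itself unless that interface is under "set skip". The function names, the TABLES contents and the hook-point model are the editor's assumptions; on a real host the equivalents are `sysctl net.link.bridge.pfil_local_phys`, `pfctl -t bruteforce -T test 203.0.113.45` to confirm table membership, and `pfctl -vvsr` to see which rules are accumulating matches.

```python
"""Model of pf's "on <ifname>" qualifier under if_bridge pfil hooks.

Added example (editor's code, not the poster's). Table contents, the
client address and the bridge hook-point model are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    iface: Optional[str]   # interface name, or None for a rule without "on"
    src_table: str         # table named in "from <table>"
    quick: bool = True


# Constructed table contents: one probing host in <bruteforce> and a
# subset of the poster's <martians> list.
TABLES = {
    "bruteforce": ["203.0.113.45"],
    "martians": ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/24"],
}

# The posted rules, with $ext_if = igb0 expanded.
RULES = [
    Rule("block", "in", "igb0", "martians"),
    Rule("block", "in", "igb0", "bruteforce"),
]


def in_table(tables, name, addr):
    """True if addr falls inside any prefix of the named table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False)
               for e in tables.get(name, []))


def evaluate(rules, tables, iface, direction, src):
    """pf verdict for one packet that pfil presents on `iface`.

    pf's default verdict is pass; a matching "quick" rule ends evaluation.
    """
    verdict = "pass"
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue  # "on igb0" never matches a packet presented on vswitch0
        if not in_table(tables, r.src_table, src):
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict


def pfil_hook_points(member, bridge, pfil_member, pfil_local_phys,
                     skip=frozenset()):
    """Interfaces on which pf sees an inbound packet that entered on
    `member` and is addressed to the host's own IP on `bridge`.

    Model (assumption): the member is filtered only with pfil_member=1 AND
    pfil_local_phys=1; the bridge interface is filtered unless skipped.
    """
    points = []
    if pfil_member and pfil_local_phys:
        points.append(member)
    if bridge not in skip:
        points.append(bridge)
    return points


def verdict_for_local_packet(src, pfil_member, pfil_local_phys,
                             rules=RULES, tables=TABLES, skip=frozenset()):
    """Walk the packet through every hook point; the first block wins."""
    for iface in pfil_hook_points("igb0", "vswitch0",
                                  pfil_member, pfil_local_phys, skip):
        if evaluate(rules, tables, iface, "in", src) == "block":
            return f"block on {iface}"
    return "pass"


if __name__ == "__main__":
    probe = "203.0.113.45"
    print(verdict_for_local_packet(probe, 0, 0))   # posted sysctls: pass
    print(verdict_for_local_packet(probe, 1, 0))   # pfil_member alone: pass
    print(verdict_for_local_packet(probe, 1, 1))   # block on igb0
    # A rule without "on" matches wherever pf sees the packet.
    any_if = [Rule("block", "in", None, "bruteforce")]
    print(verdict_for_local_packet(probe, 0, 0, rules=any_if))  # block on vswitch0
```

The two ways the model lets the <bruteforce> entry bite are the two things worth checking on the box: either make if_bridge present locally destined packets on the member (both sysctls at 1, so "in on igb0" applies), or drop the "on $ext_if" qualifier (or name the bridge interface too) for the table-based block rules, keeping in mind that the commented-out "set skip on vswitch0" would defeat the second option.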

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4e5872fa643cf4ed2cc60f3bc61a7600>