From nobody Fri Feb 13 14:38:19 2026
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security
Date: Fri, 13 Feb 2026 15:38:19 +0100
From: Alexander Leidinger <Alexander@Leidinger.net>
To: FreeBSD Security list <freebsd-security@freebsd.org>
Subject: Misunderstanding of behavior of pf?
Message-ID: <4e5872fa643cf4ed2cc60f3bc61a7600@Leidinger.net>
Organization: No organization, this is a private message.

Hi,

it seems I have some kind of misunderstanding of how PF is supposed to behave...

I have a persistent table ("bruteforce") which contains an IP. After a reboot the IP should not be allowed to reach any service (I validated that the IP is in the table after the reboot), but I still see this IP showing up in sshd auth logs (the usual probing).

The external interface (igb0) is a member of a bridge. The host IP is on the bridge, no IP on the external interface.
The pf rules are on the external interface. The sshd which is listening on the IP of the bridge is still logging the IP. Config below.

The packets enter the system via igb0, no other NIC configured or attached.

To my understanding the rules below should block IPs in the bruteforce table and sshd should not see connections from those IPs.

ifconfig vswitch0 | head -5:
---snip---
vswitch0: flags=1008843 metric 0 mtu 1500
        description: VNET jails switch
        options=10
        ether a:b:c:d:e:f
        inet 192.168.x.y netmask 0xffffff00 broadcast 192.168.x.255
---snip---

ifconfig vswitch0 | grep igb0:
---snip---
        member: igb0 flags=143
---snip---

sysctl net.link.bridge:
---snip---
net.link.bridge.ipfw: 0
net.link.bridge.member_ifaddrs: 1
net.link.bridge.log_mac_flap: 1
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 1
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 1
---snip---

I also tried with net.link.bridge.pfil_member=1, same behavior.
pf.conf:
---snip---
ext_if = "igb0"

set loginterface $ext_if
set skip on lo0
#set skip on vswitch0
set block-policy return
set reassemble yes

# tables
table <bruteforce> persist file "/var/db/pf/bruteforce.table"
table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        100.64.0.0/10 192.88.99.0/24 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.128.0/17 192.168.64.0/18 192.168.32.0/19 192.168.16.0/20 \
        192.168.8.0/21 192.168.4.0/22 192.168.2.0/23 192.168.0.0/24 \
        198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }
table { 100::/64 2001:db8::/32 3fff::/20 }
table persist file "/var/db/pf/crowdsec-ipv4.blocklist"
table persist file "/var/db/pf/crowdsec-ipv6.blocklist"

# hygiene
scrub in all

# blacklistd
anchor "blacklistd/*" in on $ext_if

# hygiene
block in quick log on $ext_if from to any
block in quick log on $ext_if from to any
block in quick log on $ext_if from to any
block return out quick log on $ext_if from any to
block drop in quick on $ext_if from to any
block drop in quick on $ext_if from to any
---snip---

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF