PF firewall – Simple IP block

The easiest way to block IP addresses on a system with the PF firewall is to declare a persistent table in the ruleset and then add and remove addresses in that table at run time, without reloading the ruleset.

In /etc/pf.conf

table <badhosts> persist

set skip on lo0
scrub in all

block in quick from <badhosts> to any
pass all

Each packet is evaluated against the filter ruleset from top to bottom. By default, the packet is marked for passage, which can be changed by any rule, and could be changed back and forth several times before the end of the filter rules. The last matching rule wins, but there is one exception to this: The quick option on a filtering rule has the effect of canceling any further rule processing and causes the specified action to be taken.

OpenBSD PF – Packet Filtering

Load ruleset

pfctl -f /etc/pf.conf

Add addresses

pfctl -t badhosts -T add 1.2.3.4
pfctl -t badhosts -T add 2.3.4.5

Show addresses

pfctl -t badhosts -T show

Delete an address

pfctl -t badhosts -T delete 1.2.3.4

Delete all addresses

pfctl -t badhosts -T flush
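As an added example (not from the original post), a small POSIX sh wrapper around the steps above that also keeps a backing file for the table, because addresses added with `-T add` live only in the kernel and are gone after a reboot; it validates input before anything reaches pfctl and assumes the pf.conf line `table <badhosts> persist file "/etc/pf.badhosts"` (the file path is a hypothetical choice).

```shell
#!/bin/sh
# Added example, not from the original post: manage the <badhosts> table through a
# backing file so entries survive a reboot, and validate input before it reaches pfctl.
# Assumes this line in /etc/pf.conf (the file path is a hypothetical choice):
#   table <badhosts> persist file "/etc/pf.badhosts"
# PFCTL and BADHOSTS_FILE can be overridden, e.g. to dry-run on a machine without PF.
PFCTL="${PFCTL:-pfctl}"
BADHOSTS_FILE="${BADHOSTS_FILE:-/etc/pf.badhosts}"

# valid_ipv4 ADDR[/PREFIX]: dotted quad with octets 0-255 and an optional /0-32
# prefix; hostnames, IPv6 and anything shell-unsafe are rejected.
valid_ipv4() {
    addr="${1%/*}"
    prefix="${1#"$addr"}"; prefix="${prefix#/}"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
}

# block_host ADDR: record the address in the backing file (once) and add it to
# the live table; the table blocks immediately, the file covers the next reboot.
block_host() {
    valid_ipv4 "$1" || { echo "block_host: invalid IPv4 address/CIDR: $1" >&2; return 2; }
    touch "$BADHOSTS_FILE"
    grep -qxF -- "$1" "$BADHOSTS_FILE" || printf '%s\n' "$1" >> "$BADHOSTS_FILE"
    "$PFCTL" -t badhosts -T add "$1"
}

# unblock_host ADDR: remove the address from both the backing file and the live table.
unblock_host() {
    valid_ipv4 "$1" || { echo "unblock_host: invalid IPv4 address/CIDR: $1" >&2; return 2; }
    if [ -f "$BADHOSTS_FILE" ]; then
        grep -vxF -- "$1" "$BADHOSTS_FILE" > "$BADHOSTS_FILE.tmp" || :
        mv "$BADHOSTS_FILE.tmp" "$BADHOSTS_FILE"
    fi
    "$PFCTL" -t badhosts -T delete "$1"
}
```

Source the file and call `block_host 1.2.3.4` or `unblock_host 1.2.3.4` as root; `pfctl -t badhosts -T show` then lists what is in effect.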

And remember boys and girls, 30 minutes of poking at commands can save you 3 minutes of documentation reading…