From Newsgroup: muc.lists.freebsd.ports
On May 10, 2026 10:27:36 AM GMT+02:00, Xavier Humbert <xavier@groumpf.org> wrote:
Hi,
pf does not block IPs from the fail2ban table:
[root@numenor ~]# pfctl -s rules
block drop in all
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass in proto tcp from any to any port = smtp flags S/SA keep state
pass in proto tcp from any to any port = submission flags S/SA keep state
pass in proto tcp from any to any port = smtps flags S/SA keep state
pass in proto tcp from any to any port = imap flags S/SA keep state
pass in proto tcp from any to any port = imaps flags S/SA keep state
pass in proto tcp from any to any port = http flags S/SA keep state
pass in proto tcp from any to any port = https flags S/SA keep state
pass in proto tcp from any to any port = domain flags S/SA keep state
pass in proto tcp from any to any port = 2222 flags S/SA keep state
pass in proto udp from any to any port = domain keep state
pass in proto udp from any to any port = ntp keep state
pass out all flags S/SA keep state
pass inet proto icmp all icmp-type echoreq keep state
pass log quick proto tcp from any to any port = 2222 flags S/SA keep state
pass log quick proto tcp from any to any port = http flags S/SA keep state
block drop quick on igb0 inet6 proto tcp from <fail2ban> to fe80::d250:99ff:fec1:1279 port = 2222
block drop quick inet6 proto tcp from <fail2ban> to 2a01:xxxx:xxxx:xxxx::144 port = 2222
block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port = 2222
[root@numenor ~]# pfctl -t fail2ban -T show
   188.127.181.142
But this IP continues to knock at my SSH port:
May 10 10:16:51 numenor sshd-session[14184]: Connection from 188.127.181.142 port 26447 on 192.168.100.144 port 2222
May 10 10:16:51 numenor sshd-session[14184]: Invalid user testenv from 188.127.181.142 port 26447
May 10 10:16:51 numenor sshd-session[14184]: Connection reset by invalid user testenv 188.127.181.142 port 26447 [preauth]
Did I miss something?
Regards,
Xavier
You're doing a 'pass log quick' to port 2222, and the 'quick' keyword skips further processing.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to
news-admin@muc.de
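As an added illustration of the ordering problem described in the reply (this is not code from the thread), the following POSIX shell lint reads a 'pfctl -s rules' style listing and flags any table-based 'block ... quick' rule that is shadowed by an earlier 'pass ... quick' rule on the same port, then reorders the ruleset so those block rules come first. The ruleset is constructed from the one in the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. pf evaluates rules top to bottom and
# 'quick' ends evaluation at the first match, so a 'block ... quick from <table>'
# placed after a 'pass ... quick' on the same port can never match.

# Constructed ruleset modelled on the original post.
RULES='block drop in all
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass log quick proto tcp from any to any port = 2222 flags S/SA keep state
pass log quick proto tcp from any to any port = http flags S/SA keep state
block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port = 2222'

# shadowed_blocks RULESET
# Prints one line per shadowed table block rule:
#   "<line-no> port=<port> shadowed by pass quick at line <n>"
shadowed_blocks() {
    printf '%s\n' "$1" | awk '
    # return the value of "port = X" in a rule line, or "" when absent
    function port_of(line,   m) {
        if (match(line, /port = [^ ]+/)) {
            m = substr(line, RSTART, RLENGTH)
            sub(/port = /, "", m)
            return m
        }
        return ""
    }
    # remember the first "pass ... quick" seen for each port
    /^pass / && / quick / {
        p = port_of($0)
        if (p != "" && !(p in passq)) passq[p] = NR
    }
    # a table-based "block ... quick" after such a pass is dead
    /^block / && / quick / && /from <[^>]+>/ {
        p = port_of($0)
        if (p != "" && (p in passq))
            printf "%d port=%s shadowed by pass quick at line %d\n", NR, p, passq[p]
    }'
}

# reorder_blocks_first RULESET
# Emits the ruleset with every table-based block rule moved to the top,
# ahead of any pass rule, so the blocks are evaluated first.
reorder_blocks_first() {
    printf '%s\n' "$1" | awk '
    /^block / && /from <[^>]+>/ { blocks = blocks $0 "\n"; next }
    { rest = rest $0 "\n" }
    END { printf "%s%s", blocks, rest }'
}
```

Run shadowed_blocks against your own 'pfctl -s rules' output; an empty result means no table block is masked by an earlier quick pass.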