• Re: pf not blocking fail2ban-ned IPs

    From DutchDaemon - FreeBSD Forums Administrator@DutchDaemon@FreeBSD.org to muc.lists.freebsd.ports on Sun May 10 11:14:08 2026
    From Newsgroup: muc.lists.freebsd.ports


    On May 10, 2026 10:27:36 AM GMT+02:00, Xavier Humbert <xavier@groumpf.org> wrote:
    Hi,

    pf does not block IPs from the fail2ban table:

    [root@numenor ~]# pfctl -s rules
    block drop in all
    pass in proto tcp from any to any port = ssh flags S/SA keep state
    pass in proto tcp from any to any port = smtp flags S/SA keep state
    pass in proto tcp from any to any port = submission flags S/SA keep state
    pass in proto tcp from any to any port = smtps flags S/SA keep state
    pass in proto tcp from any to any port = imap flags S/SA keep state
    pass in proto tcp from any to any port = imaps flags S/SA keep state
    pass in proto tcp from any to any port = http flags S/SA keep state
    pass in proto tcp from any to any port = https flags S/SA keep state
    pass in proto tcp from any to any port = domain flags S/SA keep state
    pass in proto tcp from any to any port = 2222 flags S/SA keep state
    pass in proto udp from any to any port = domain keep state
    pass in proto udp from any to any port = ntp keep state
    pass out all flags S/SA keep state
    pass inet proto icmp all icmp-type echoreq keep state
    pass log quick proto tcp from any to any port = 2222 flags S/SA keep state
    pass log quick proto tcp from any to any port = http flags S/SA keep state
    block drop quick on igb0 inet6 proto tcp from <fail2ban> to fe80::d250:99ff:fec1:1279 port = 2222
    block drop quick inet6 proto tcp from <fail2ban> to 2a01:xxxx:xxxx:xxxx::144 port = 2222
    block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port = 2222

    [root@numenor ~]# pfctl -t fail2ban -T show
    -a -a188.127.181.142

    But this IP continues to knock at my SSH port:

    May 10 10:16:51 numenor sshd-session[14184]: Connection from 188.127.181.142 port 26447 on 192.168.100.144 port 2222
    May 10 10:16:51 numenor sshd-session[14184]: Invalid user testenv from 188.127.181.142 port 26447
    May 10 10:16:51 numenor sshd-session[14184]: Connection reset by invalid user testenv 188.127.181.142 port 26447 [preauth]

    Did I miss something?

    Regards,

    Xavier

    You're doing a 'pass log quick' to port 2222, and the 'quick' keyword skips further processing.
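The rule-ordering problem described in the reply, as an added pf.conf fragment that is not from the original thread: pf walks the ruleset top to bottom and the last match wins, except that a rule carrying `quick` ends evaluation at once, so a `pass quick` that precedes the `<fail2ban>` block rules accepts the banned address before those rules are ever consulted. Assumed: `igb0` is the external interface and the table and addresses are the ones shown in the posted `pfctl -s rules` output.

```pf
# Added example, not the poster's ruleset: the order that reproduces the
# symptom (left as comments) and the order that fixes it (live rules).
# Assumption: <fail2ban> is the persistent table fail2ban populates and
# 192.168.100.144 / 2222 are the sshd address and port from the thread.

table <fail2ban> persist

# --- Ordering as posted (broken), kept as comments for comparison ---
# The "pass log quick" rule matches a SYN to port 2222 from any source
# and the "quick" keyword stops evaluation right there, so the block
# rules that follow never see the packet even when the source address
# is in <fail2ban>.
#
# pass log quick proto tcp from any to any port 2222 flags S/SA keep state
# block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port 2222

# --- Corrected ordering ---
# Place the table-based block ahead of every "quick" pass rule so the
# banned source is dropped before any rule can accept it.  "log" on the
# block rule makes the drop visible in pflog for later verification.
block drop log quick inet proto tcp from <fail2ban> to 192.168.100.144 port 2222
pass log quick proto tcp from any to any port 2222 flags S/SA keep state
```

After reloading, `pfctl -sr` should list the `<fail2ban>` block rule before the port 2222 pass rule, and `pfctl -t fail2ban -T test 188.127.181.142` confirms the address is actually in the table.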