blacklistd and pf are not blocking
Date: Mon, 26 May 2025 04:56:01 UTC
I have been using blacklistd with web server and postfix for quite a while. I haven't tested it till yesterday. It appears something with pf has changed on the postfix server. The "bad" IPs are being recorded by blacklistd and they have the proper expiration time. The IPs are properly in the blacklistd anchor for pf. However, the connections are not blocked. They still get through.
The following is an excerpt from pf.conf for the web server where blacklistd is properly blocking IPs.
pass in on $ext_if proto tcp from any to port $WEB
pass in on $ext_if from $local to any
anchor "blacklistd/*" in on $ext_if
LOCAL is my local LAN.
pfctl reports the rule as:
sermons# pfctl -a blacklistd/80 -t port80 -v -sr
block drop in quick proto tcp from <port80> to any port = http
[ Evaluations: 28493 Packets: 425 Bytes: 26201 States: 0 ]
[ Inserted: uid 0 pid 1080 State Creations: 0 ]
The server logs show no entries after the time when the blacklistd entry is created.
The excerpt from the postfix server:
pass in quick inet proto tcp from $LOCAL to any port $SMTP
# woodpeckers limit at 20/IP or 10/minute - cron purges hourly
block in quick log on $ext_if proto tcp from <woodpeckers> to any port $SMTP
pass in inet proto tcp to any port $SMTP \
flags S/SA keep state \
(max-src-conn 20, max-src-conn-rate 10/60, \
overload <woodpeckers> flush global)
anchor "blacklistd/*" in on $ext_if
I understand that the last matching rule is used in filters. It seems that the anchor rule should match. However, it is never called. The counts are always zero.
mail# pfctl -a blacklistd/25 -t port25 -v -sr
block drop in quick proto tcp from <port25> to any port = smtp
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 506 State Creations: 0 ]
Both systems are:
mail# freebsd-version -ku
14.2-RELEASE-p1
14.2-RELEASE-p3
I don't see any differences in the pf configuration, but one works and the other doesn't. Any ideas?
-- Doug
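Added example, not from the post and not pf's code: a small Python model of the rule semantics Doug describes (last matching rule wins, a matching quick rule ends evaluation, anchors evaluated in place), run over the postfix server's excerpt. Interfaces, TCP flags and the overload counters are left out, the $LOCAL address and the listed IP are constructed, and the model includes the one step pf performs before any rule: the state-table lookup, which a flow established before its source was listed will keep matching.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    action: str            # "pass" or "block"
    dport: int
    quick: bool = False
    src: set = None        # a pf-style table of source IPs; None means "from any"
    evaluations: int = 0   # the per-rule counter that "pfctl -v -sr" prints
def evaluate(rules, pkt):
    # Last match wins; a matching "quick" rule ends evaluation; a nested list is an anchor.
    winner = None
    for item in rules:
        if isinstance(item, list):
            inner, quick = evaluate(item, pkt)
            winner = inner or winner
        else:
            item.evaluations += 1
            hit = pkt["dport"] == item.dport and (item.src is None or pkt["src"] in item.src)
            winner, quick = (item if hit else winner), hit and item.quick
        if quick:
            return winner, True
    return winner, False

def filter_packet(rules, states, pkt):
    key = (pkt["src"], pkt["dport"])
    if key in states:                  # pf checks the state table before any rule
        return "pass (existing state)"
    winner, _ = evaluate(rules, pkt)
    action = winner.action if winner else "pass"   # pf's default when nothing matches
    if action == "pass":
        states.add(key)                # the pass rule keeps state
    return action
def mail_ruleset(port25_table):        # the post's postfix rules, interfaces and flags left out
    anchor_rule = Rule("block", 25, quick=True, src=port25_table)   # inside blacklistd/25
    rules = [Rule("pass", 25, quick=True, src={"192.168.1.10"}),    # $LOCAL (constructed)
             Rule("block", 25, quick=True, src=set()),              # <woodpeckers>, empty
             Rule("pass", 25),                                      # the overload rule
             [anchor_rule]]                                         # anchor "blacklistd/*"
    return rules, anchor_rule
BAD_IP, PKT = "198.51.100.7", {"src": "198.51.100.7", "dport": 25}  # constructed sample
def new_connection_from_listed_ip():
    rules, anchor_rule = mail_ruleset({BAD_IP})
    return filter_packet(rules, set(), PKT), anchor_rule.evaluations
def listed_after_state_exists():
    table, states = set(), set()
    rules, anchor_rule = mail_ruleset(table)
    first = filter_packet(rules, states, PKT)    # flow opened before listing: state created
    table.add(BAD_IP)                            # blacklistd now adds the IP to <port25>
    second = filter_packet(rules, states, PKT)   # same flow: state answers, anchor untouched
    return first, second, anchor_rule.evaluations
```

With the excerpt as written, a fresh connection from a listed IP reaches the anchor and is blocked, so a counter that stays at zero points at something outside these lines: an earlier quick rule in the full ruleset, or flows already in the state table, which `pfctl -ss` shows and which adding a table entry does not remove.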