PF issue since 11.2-RELEASE

Kristof Provost kristof at
Sun Feb 3 15:26:57 UTC 2019

On 1 Feb 2019, at 10:33, ASV wrote:
> On Thu, 2019-01-31 at 22:00 +0100, Kristof Provost wrote:
>> On 31 Jan 2019, at 12:11, ASV wrote:
>>> Good afternoon,
>>> one good news and one bad news.
>>> Good news is that it was that bloody zero missing which was "freaking
>>> out" PF during the reload. How could I have missed that? Perhaps
>>> erroneously removed during the upgrade somehow, or it was there but not
>>> causing problems?! I'll never know. But it's fixed, so thank you very
>>> much for the good catch!
>>> The bad news is that PF is still not enforcing the rules within the
>>> anchors. So fail2ban keeps populating the tables where the previously
>>> mentioned rules are in place (reposted below), but these IPs keep
>>> bombing me with connection attempts, passing the firewall with no
>>> problems at all. Killing the states, reloading, restarting (PF and
>>> fail2ban) doesn't fix that.
>>> # pfctl -a f2b/asterisk-udp -t f2b-asterisk-udp -s rules
>>> block drop quick proto udp from <f2b-asterisk-udp> to any port = sip
>>> block drop quick proto udp from <f2b-asterisk-udp> to any port = sip-tls
>>> # pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -s rules
>>> block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip
>>> block drop quick proto tcp from <f2b-asterisk-tcp> to any port = sip-tls
>> I don’t use anchors myself, but don’t you need to call them from your
>> main ruleset?
> Anchors are called and the blocking rule is set within:
> anchor f2b {
>         anchor asterisk {
>                 block in quick log to any
>         }
> }
You have to ‘anchor "f2b/*"’ in your main ruleset to get anchor ‘f2b/asterisk-tcp’ to be used.

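A worked /etc/pf.conf fragment illustrating the point Kristof makes, added here as an example; it is not taken from either poster's configuration. It assumes an external interface named em0, two fail2ban jails named asterisk-tcp and asterisk-udp, and that the fail2ban pf action loads its rules into anchors f2b/<jail> with a table <f2b-<jail>> inside each, which is what the pfctl output quoted above shows. The nested anchor block from the thread is kept in a comment next to the wildcard form that actually pulls in the fail2ban sub-anchors.

```pf
# /etc/pf.conf fragment (added illustration; assumed interface and jail names)
ext_if = "em0"

set skip on lo0

# The nested block quoted in the thread:
#
#   anchor f2b {
#           anchor asterisk {
#                   block in quick log to any
#           }
#   }
#
# defines an anchor named "f2b/asterisk" holding exactly one rule. It never
# references f2b/asterisk-tcp or f2b/asterisk-udp, so whatever fail2ban loads
# into those anchors is never evaluated, and the banned addresses sail past.
#
# The wildcard form evaluates every sub-anchor of f2b at this point in the
# ruleset, including anchors that fail2ban creates later with
# "pfctl -a f2b/<jail> -f -". Because the rules fail2ban loads are "quick",
# a match here ends evaluation before any pass rule below can create state.
anchor "f2b/*"

# Ordinary policy follows the anchor.
block in log all
pass out quick on $ext_if inet keep state
pass in on $ext_if inet proto tcp to ($ext_if) port { sip, sip-tls } keep state
pass in on $ext_if inet proto udp to ($ext_if) port { sip, sip-tls } keep state

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -sr                      # main ruleset must list: anchor "f2b/*" all
#   pfctl -a f2b/asterisk-tcp -sr  # the block rules fail2ban loaded
#   pfctl -a f2b/asterisk-tcp -t f2b-asterisk-tcp -T show   # banned addresses
#
# A newly added block rule does not touch states that already exist, so a
# connection established before the ban keeps flowing until its state is
# killed, e.g. for an assumed offender 203.0.113.5:
#   pfctl -k 203.0.113.5
```

Ordering matters: the anchor line has to sit before the pass rules that would otherwise create state for SIP, and the rules inside the fail2ban anchors only take effect once `pfctl -sr` shows the `anchor "f2b/*" all` line in the main ruleset.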

More information about the freebsd-questions mailing list