Q. How do I filter larger number of subnets and IPs using OpenBSD’s pf firewall under FreeBSD 7.x server? How do I log all dropped packets from such ips? How do I block upto 10000 IPs or subnet without any performance penalty?

A. You can easily filter large number of IPs or subnets using pf firewall. PF provides tables to hold large number of IPv4 and IPv6 address. Lookups against a table are very fast and consume less memory and processor time. Tables are created in pf.conf file. Tables can also be populated from text files containing a list of IP addresses and networks.

How do I configure tables to drop large number of IPs?

Open pf.conf file, enter:
# vi /etc/pf.conf
Add following code:
table <blockedips> persist file "/etc/pf.blocked.ip.conf"
ext_if="em1" # interface connected to internet

Add following code to drop and log all ips / subnet listed in /etc/pf.blocked.ip.conf, file
block drop in log (all) quick on $ext_if from <blockedips> to any
Save and close the file. Now create file /etc/pf.blocked.ip.conf file using vi text editor, enter:
vi /etc/pf.blocked.ip.conf
Sample output:

The file /etc/pf.blocked.ip.conf should contain a list of IP addresses and/or CIDR network blocks, one per line. Any line beginning with # is treated as a comment and ignored by pf. To load new rules, simply type:
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf

How do I view all IP address listed in tables?

Type the following command
# pfctl -t blockedips -T show
Sample output:

How do I add subnet called on the fly?

Use pfctl command itself, to add CIDR or IP on fly, enter:
# pfctl -t blockedips -T add
# pfctl -t blockedips -T add

How do I delete subnet called on the fly?

Type the command as follows:
# pfctl -t blockedips -T delete
Please note that all changes made using pfct are dynamic. You need to update your file on disk to save the changes.

How do I see statistics for each IP / CIDR?

The -v option can display statistics for each table entry (IP/CIDR), enter:
# pfctl -t blockedips -T show -v
Sample output:
        Cleared:     Thu Jul 10 03:01:01 2008
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
        Cleared:     Thu Jul 10 03:01:01 2008
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]

How do I view log of dropped IP from default /var/log/pflog file?

Use tcpdump command to read a log file:
# tcpdump -n -e -ttt -r /var/log/pflog
# tcpdump -n -e -ttt -r /var/log/pflog port 80
# tcpdump -n -e -ttt -r /var/log/pflog and host

You can also view log in real time, enter:
# tcpdump -n -e -ttt -i pflog0
# tcpdump -n -e -ttt -i pflog0 port 80
# tcpdump -n -e -ttt -i pflog0 host

Further readings:

  • man pages – pf.conf, pfctl, tcpdump, pf

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 4 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
4 comments… add one
  • shake faidzal Nov 27, 2008 @ 3:30

    i’ve tried the command lines n created the table as ordered, however it doesn’t block the ip’s that i want to filter from access outside internet. FYI, “pfctl -t blockedips -T show” does show the list of ip’s that i key-in. really apreciate if u could spare me some ideas..tq

  • Ray Jan 12, 2009 @ 2:28

    I’ve also tried using the above but the IP’s aren’t being blocked. Any ideas?

  • CDSU Apr 16, 2009 @ 15:41

    You have to enable PF first. there are several steps needed in order to complete this task. It may include rebuilding the kernel and adding some options. FreeBSD 7.x or better should have pf enabled in the kernel. the following steps need to be made in order to get pf working
    1. edit the /etc/rc.conf file and add the following
    pf_enable=”YES” # Enable PF (load module if required)
    pf_rules=”/etc/pf.conf” # rules definition file for pf
    pf_flags=”” # additional flags for pfctl startup
    pflog_enable=”YES” # start pflogd(8)
    pflog_logfile=”/var/log/pflog” # where pflogd should store the logfile
    pflog_flags=”” # additional flags for pflogd startup’

    if you cannot afford to reboot the device you can enable and disable via CLI

    pfctl -d Disable the packet filter.

    pfctl -e Enable the packet filter.

    it is always good to test your rules before you go live.


  • ko Sep 18, 2012 @ 6:39

    block drop in log (all) quick on $ext_if from to any

    should be write in pf.conf

    It works fine with openBSD also

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum