# PF table flushes on its own



## yagokurt (Jul 19, 2015)

Hi everybody, I have a problem with my pf. I have no idea why or how, but out of nowhere the table just gets cleared and all the blocked IPs can access my page again. Is there any config in pf that I'm maybe doing wrong that may cause the problem? This is my pf.conf, and this is the command that I use to add IPs to the block list. The list was working for something like 30 days without any problem; then out of nowhere it just got cleared. Then I added some IPs again, and today (after less than a week) it just got cleared again.

`pfctl -t abusive_hosts -T add 000.000.000.000`


```
# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="eth0"

# Ports used for services
service_ports="{ 22, 80 }"

# Ports used by system
sys_ports="{11002}"

# IP addresses that should override the firewall rules, such as your web server.
table <trusted_hosts> const { 175.65.3.19 }

table <abusive_hosts> persist

set block-policy drop
set loginterface $ext_if
set skip on lo

scrub on $ext_if reassemble tcp no-df random-id

antispoof quick for { lo0 $ext_if }

block in

pass out all keep state
pass out on $ext_if all modulate state

pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

# Allow ping in
pass in inet proto icmp all icmp-type echoreq

# Rate limits, trial and error
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)

pass in on $ext_if proto {tcp,udp} to any port $sys_ports flags S/SA keep state \
        (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
```
To completely block UDP on the firewall, change this line:

```
pass in on $ext_if proto {tcp,udp} to any port $sys_ports flags S/SA keep state
```
to

```
pass in on $ext_if proto tcp to any port $sys_ports flags S/SA keep state
```


----------



## wblock@ (Jul 19, 2015)

The persist keyword needs a filename, or it will start out empty when PF starts again.


----------



## yagokurt (Jul 19, 2015)

About this edit to my post: I don't know who did it, but thank you.
Is there any chance that I block my system or my clients' connection to the dedicated server by making this change?



wblock@ said:

> The persist keyword needs a filename or it will start out as empty when PF starts again.



Thank you, wblock@. So should I change

```
table <abusive_hosts> persist
```
to

```
table <abusive_hosts> persist file "/etc/abusive_hosts"
```

Is that right?


----------



## wblock@ (Jul 19, 2015)

Yes, that is the first thing to try.  pf.conf(5) does not seem to say that PF updates the file from the in-memory table when it does a clean stop, but I'm pretty sure it does.


----------



## yagokurt (Jul 19, 2015)

wblock@ said:

> Yes, that is the first thing to try.  pf.conf(5) does not seem to say that PF updates the file from the in-memory table when it does a clean stop, but I'm pretty sure it does.




Ok then, I'm going to do that. Thank you wblock@.


----------
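An added example, not code from the thread or from wblock@, showing how to keep the `persist file` in sync with the live table: pf.conf(5) documents the file only as something pfctl reads when the ruleset is loaded, so addresses that the `overload <abusive_hosts>` rule or `pfctl -T add` put into the in-memory table are dumped to the file explicitly (from cron, or before a reload) and loaded back with `pfctl -T replace`. It assumes FreeBSD's `pfctl` and the table and file names used above; `PFCTL`, `TABLE` and `TABLE_FILE` are overridable hooks for testing.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the "persist file" of the
# abusive_hosts table in sync with the in-memory table, because pf.conf(5)
# documents the file only as something pfctl reads when the ruleset is loaded.
# Assumes FreeBSD pfctl; PFCTL, TABLE and TABLE_FILE can be overridden.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-abusive_hosts}"
TABLE_FILE="${TABLE_FILE:-/etc/abusive_hosts}"

# Turn "pfctl -T show" output (addresses indented by a few spaces) into the
# one-address-per-line format the file keyword expects: strip the indent,
# drop blank lines, sort and de-duplicate.
normalize_table_dump() {
    sed 's/^[[:space:]]*//' | grep -v '^$' | sort -u
}

# Dump the live table to TABLE_FILE. pfctl's exit status is checked before
# anything is written, so a failed dump (table missing, pf not running) does
# not replace a good block list with an empty file; the final rename is atomic.
save_table() {
    raw="${TABLE_FILE}.raw.$$"
    tmp="${TABLE_FILE}.tmp.$$"
    if ! "$PFCTL" -t "$TABLE" -T show > "$raw"; then
        rm -f "$raw"
        return 1
    fi
    normalize_table_dump < "$raw" > "$tmp"
    rm -f "$raw"
    mv "$tmp" "$TABLE_FILE"
}

# Replace the live table with the saved file (what "persist file" does at
# rule-load time); refuse if the file is missing rather than emptying the table.
load_table() {
    [ -f "$TABLE_FILE" ] || return 1
    "$PFCTL" -t "$TABLE" -T replace -f "$TABLE_FILE"
}

# Usage: sh pftable.sh save   (e.g. from cron, or before "service pf reload")
#        sh pftable.sh load
case "${1:-}" in
    save) save_table ;;
    load) load_table ;;
esac
```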

