# Pf.conf block to self



## hac3ru (Nov 12, 2013)

Hello. I want to restrict some IPs access to my network. The setup is this:

Internet -> FreeBSD server -> Internal network.
I want to restrict the access to the server from some IP's. What I tried:

```
block drop quick on $ext_if from <BlockedIPs> to any   # I also tried to replace any with self. No luck
```
It didn't work.

```
block drop in quick on $ext_if from <blockedIPs> to any
block drop out quick on $ext_if from any to <blockedIPs>
```
It didn't work... Anyone got any ideas?


----------



## plamaiziere (Nov 12, 2013)

hac3ru said:

> It didn't work... Anyone got any ideas?



What do you mean by "it didn't work"? Is PF enabled (`pfctl -si`)? Also check the rules loaded with `pfctl -sr` (show rules).

edit: try to load the rules by hand in verbose mode: `pfctl -f /etc/pf.conf -vvv`


----------



## hac3ru (Nov 13, 2013)

"Didn't work" means that the blocked IPs can still connect to the server.

The rules seem to be loaded:

```
block drop quick inet from blockedIPs_table to self_address
```
The pf.conf is enabled. Any other ideas?


----------



## gkontos (Nov 13, 2013)

Make sure that your block statement comes before the pass and you are good to go.


```
...
table <blocked_ips> file "/etc/blocked_ips"
...
block in log quick from <blocked_ips>
```


----------



## hac3ru (Nov 13, 2013)

gkontos said:

> Make sure that your block statement comes before the pass and you are good to go.


It is on the last line. It's not working. I haven't used a file; I just created a table "by hand":

```
table <blockedIPs> { x.x.x.x, y.y.y.y }
```
and so on.

The thing is that someone is trying to access the server through SSH, brute-forcing their way in, and I want to deny their connections.


----------



## kpa (Nov 13, 2013)

Post the output of `pfctl -sr`. Without seeing the rules that are actually in effect, it's impossible to even begin to guess what is wrong.


----------



## hac3ru (Nov 13, 2013)

While reading through `pfctl -sr` I found

```
pass in quick proto tcp from any to self port ssh
```
That "pass in quick" overrides my newly written rule, so removing "quick" should be good. I'll reload the firewall now and see what happens.
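To make the ordering problem found above concrete, here is an added example (not code from this thread or from pf itself): a toy model of pf's evaluation order, where the last matching rule wins unless a matching rule is marked `quick`, which ends the scan on the spot. It runs the three rulesets discussed in the thread (the order hac3ru found loaded, gkontos's block-before-pass order, and hac3ru's idea of dropping `quick` from the pass rule) against a constructed SYN from a blocked host and one from a legitimate host. The addresses, the table contents and the single-address simplification of `self` are assumptions; real pf expands `self` to every address on every interface and supports far more syntax than the subset parsed here.

```python
"""Toy model of pf rule evaluation, written for this thread (not pf's own code).

pf scans the ruleset top to bottom; the *last* matching rule decides the
packet's fate, except that a matching rule marked ``quick`` ends the scan
right there.  That is why a ``pass in quick ... port ssh`` placed before a
``block ... from <blockedIPs>`` lets the blocked hosts through.  Only the
small subset of pf syntax used in the thread is parsed, and ``self`` is
simplified to one assumed address.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample data (assumptions, not taken from the thread).
SELF_ADDRESS = "203.0.113.10"                               # the FreeBSD box's external address
TABLES = {"blockedIPs": {"198.51.100.7", "198.51.100.8"}}  # the brute-forcing hosts
PORT_NAMES = {"ssh": 22}


@dataclass
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


# Grammar subset: action [drop|return] [in|out] [log] [quick] [on IF]
#                 [proto P] from SRC [to DST] [port PORT]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?:drop|return))?(?:\s+(?P<dir>in|out))?"
    r"(?:\s+log)?(?:\s+(?P<quick>quick))?(?:\s+on\s+\S+)?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+to\s+(?P<dst>\S+))?(?:\s+port\s+(?P<port>\w+))?\s*$"
)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return addr == SELF_ADDRESS          # simplification: one address only
    if spec.startswith("<") and spec.endswith(">"):
        return addr in TABLES[spec[1:-1]]    # table reference
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: str, pkt: Packet) -> bool:
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    if m["dir"] and m["dir"] != pkt.direction:
        return False
    if m["proto"] and m["proto"] != pkt.proto:
        return False
    if not _addr_matches(m["src"], pkt.src):
        return False
    if m["dst"] and not _addr_matches(m["dst"], pkt.dst):
        return False
    if m["port"] and (PORT_NAMES.get(m["port"]) or int(m["port"])) != pkt.dport:
        return False
    return True


def evaluate(rules: list[str], pkt: Packet) -> str:
    """Return "pass" or "block" for pkt under pf's last-match / quick semantics."""
    verdict = "pass"  # pf's default when no rule matches
    for rule in rules:
        if rule_matches(rule, pkt):
            m = RULE_RE.match(rule)
            verdict = m["action"]
            if m["quick"]:
                break  # quick: stop scanning, this rule is final
    return verdict


# What hac3ru found loaded: the ssh pass rule first, the block rule on the last line.
ORIGINAL_ORDER = [
    "pass in quick proto tcp from any to self port ssh",
    "block drop quick on $ext_if from <blockedIPs> to any",
]
# gkontos's advice: put the block before the pass.
BLOCK_FIRST = [
    "block drop in log quick on $ext_if from <blockedIPs> to any",
    "pass in quick proto tcp from any to self port ssh",
]
# hac3ru's alternative: drop 'quick' from the pass so the later block rule can win.
PASS_WITHOUT_QUICK = [
    "pass in proto tcp from any to self port ssh",
    "block drop quick on $ext_if from <blockedIPs> to any",
]

ATTACKER_SYN = Packet("in", "tcp", "198.51.100.7", SELF_ADDRESS, 22)
LEGIT_SYN = Packet("in", "tcp", "192.0.2.25", SELF_ADDRESS, 22)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_ORDER),
                        ("block first", BLOCK_FIRST),
                        ("pass without quick", PASS_WITHOUT_QUICK)):
        print(f"{name:20} attacker={evaluate(rules, ATTACKER_SYN)} "
              f"legit={evaluate(rules, LEGIT_SYN)}")
```

Both fixes work in the model, but the block-first form is the one to prefer on a real box: it is independent of what `quick` flags other pass rules carry, and the `log` keyword lets you see the drops on `pflog0`. On the real system the equivalent checks are `pfctl -sr` (rules in the order pf will evaluate them), `pfctl -vnf /etc/pf.conf` (parse the file without loading it) and `pfctl -t blockedIPs -T show` (confirm the table actually contains the addresses you think it does).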


----------



## inky (Nov 23, 2013)

It's just for the SSH daemon, not for any other services. Just post us your pf.conf and we will be able to help you. I think you have a problem with the order of rules or the naming of tables.


----------

