On May 10, 2026 10:27:36 AM GMT+02:00, Xavier Humbert <[email protected]> 
wrote:
> Hi,
> 
> pf does not block IPs from the fail2ban table:
> 
> [root@numenor ~]# pfctl -s rules
> block drop in all
> pass in proto tcp from any to any port = ssh flags S/SA keep state
> pass in proto tcp from any to any port = smtp flags S/SA keep state
> pass in proto tcp from any to any port = submission flags S/SA keep state
> pass in proto tcp from any to any port = smtps flags S/SA keep state
> pass in proto tcp from any to any port = imap flags S/SA keep state
> pass in proto tcp from any to any port = imaps flags S/SA keep state
> pass in proto tcp from any to any port = http flags S/SA keep state
> pass in proto tcp from any to any port = https flags S/SA keep state
> pass in proto tcp from any to any port = domain flags S/SA keep state
> pass in proto tcp from any to any port = 2222 flags S/SA keep state
> pass in proto udp from any to any port = domain keep state
> pass in proto udp from any to any port = ntp keep state
> pass out all flags S/SA keep state
> pass inet proto icmp all icmp-type echoreq keep state
> pass log quick proto tcp from any to any port = 2222 flags S/SA keep state
> pass log quick proto tcp from any to any port = http flags S/SA keep state
> block drop quick on igb0 inet6 proto tcp from <fail2ban> to fe80::d250:99ff:fec1:1279 port = 2222
> block drop quick inet6 proto tcp from <fail2ban> to 2a01:xxxx:xxxx:xxxx::144 port = 2222
> block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port = 2222
> 
> [root@numenor ~]# pfctl -t fail2ban -T show
>    188.127.181.142
> 
> But this IP continues to knock at my SSH port:
> 
> May 10 10:16:51 numenor sshd-session[14184]: Connection from 188.127.181.142 port 26447 on 192.168.100.144 port 2222
> May 10 10:16:51 numenor sshd-session[14184]: Invalid user testenv from 188.127.181.142 port 26447
> May 10 10:16:51 numenor sshd-session[14184]: Connection reset by invalid user testenv 188.127.181.142 port 26447 [preauth]
> 
> Did I miss something?
> 
> Regards,
> 
> Xavier

You're doing a 'pass log quick' to port 2222, and the 'quick' keyword skips further processing.
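For reference, an added pf.conf fragment (not from the thread, written here to illustrate the ordering point) that puts the fail2ban block ahead of the quick pass rule. Table name, port 2222 and the 192.168.100.144 address come from the post; the macro name and the decision to drop the interface qualifier are assumptions.

```pf
# Added example, not the poster's configuration.
# pf evaluates rules top to bottom. Without "quick" the LAST matching rule
# wins; a rule carrying "quick" ends evaluation on the FIRST match.
# In the original ruleset this pass rule sits ABOVE the fail2ban blocks:
#
#   pass log quick proto tcp from any to any port 2222 flags S/SA keep state
#   block drop quick inet proto tcp from <fail2ban> to 192.168.100.144 port 2222
#
# so a SYN from a banned host to port 2222 hits the quick pass first and the
# block rule is never consulted, which is exactly what the sshd log shows.

table <fail2ban> persist

# Corrected order: the quick block is evaluated before the quick pass, so a
# banned source is dropped (and logged) before any pass rule can match it.
block drop in log quick inet proto tcp from <fail2ban> to 192.168.100.144 port 2222
block drop in log quick inet6 proto tcp from <fail2ban> to any port 2222

# The SSH pass rule now only applies to sources not in the table.
pass in log quick proto tcp from any to any port 2222 flags S/SA keep state
```

After reloading with pfctl -f /etc/pf.conf, states the banned host already established are unaffected by the new rule order; pfctl -k 188.127.181.142 removes them so the block applies to traffic in flight as well.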
