How to Block IP Addresses with PF on FreeBSD Operating System

FreeBSD is a powerful and versatile operating system known for its robustness, security, and performance. One of the key features that contribute to its security capabilities is the Packet Filter (PF), a stateful firewall developed for OpenBSD and later ported to FreeBSD. PF allows system administrators to manage network traffic, filter packets, and block unwanted connections effectively. In this article, we will explore how to block IP addresses using PF on FreeBSD, providing a step-by-step guide to help you secure your system.

Understanding PF (Packet Filter)

PF is a powerful firewall tool that provides a wide range of features, including packet filtering, network address translation (NAT), traffic shaping, and more. It operates at the kernel level, making it highly efficient and capable of handling large volumes of traffic. PF uses a configuration file, typically located at /etc/pf.conf, where administrators define rules to control network traffic.

Before diving into blocking IP addresses, it is essential to understand some basic concepts of PF:

1. Ruleset: A collection of rules that define how packets should be handled. These rules are processed in order, and the first matching rule determines the action taken.

2. Tables: PF allows the use of tables to store lists of IP addresses, networks, or other data. Tables are useful for managing large sets of data efficiently.

3. Actions: PF supports several actions, such as pass (allow traffic), block (deny traffic), and drop (silently discard traffic).

4. Stateful Filtering: PF maintains state information about active connections, allowing it to make intelligent decisions based on the context of the traffic.

Prerequisites

Before proceeding, ensure that you have the following:

• A FreeBSD system with root or superuser access.

• PF enabled and running on your system. If PF is not enabled, you can enable it by adding the following line to /etc/rc.conf:

  pf_enable="YES"
  

  Then, start the PF service:

  service pf start
  

• Basic knowledge of FreeBSD command-line operations and text editing (e.g., using vi or nano).

Step 1: Editing the PF Configuration File

The primary configuration file for PF is /etc/pf.conf. This file contains the ruleset that defines how PF should handle network traffic. To block IP addresses, you will need to edit this file and add the appropriate rules.

1. Open the PF configuration file in your preferred text editor:

   sudo vi /etc/pf.conf
   

2. Before making any changes, it is a good practice to back up the existing configuration file:

   sudo cp /etc/pf.conf /etc/pf.conf.backup
   

Step 2: Creating a Table for Blocked IP Addresses

PF allows you to use tables to manage lists of IP addresses efficiently. Instead of adding individual rules for each IP address, you can create a table to store all the IP addresses you want to block.

1. Add the following line to /etc/pf.conf to create a table named blocked_ips:

   table <blocked_ips> persist
   

   The persist keyword ensures that the table is preserved across reboots.

2. Populate the table with the IP addresses you want to block. For example:

   table <blocked_ips> { 192.168.1.100, 203.0.113.50, 198.51.100.25 }
   

   You can add as many IP addresses as needed, separated by commas.

Step 3: Adding Blocking Rules

Once the table is created, you need to add rules to block traffic from the IP addresses listed in the table.

1. Add the following rule to /etc/pf.conf to block all traffic from the IP addresses in the blocked_ips table:

   block drop in quick on $ext_if from <blocked_ips> to any
   

   • block drop: This action blocks and drops the traffic (no response is sent to the sender).
   • in: This specifies that the rule applies to incoming traffic.
   • quick: This ensures that the rule is applied immediately without evaluating further rules.
   • $ext_if: This is the external network interface. Replace $ext_if with the actual name of your external interface (e.g., em0 or vtnet0).
   • from <blocked_ips>: This specifies that the rule applies to traffic originating from the IP addresses in the blocked_ips table.
   • to any: This specifies that the rule applies to traffic destined for any IP address.

2. If you want to block traffic in both directions (incoming and outgoing), you can add a similar rule for outgoing traffic:

   block drop out quick on $ext_if from any to <blocked_ips>
   

Step 4: Reloading the PF Configuration

After making changes to the PF configuration file, you need to reload the ruleset for the changes to take effect.

1. Reload the PF configuration:

   sudo pfctl -f /etc/pf.conf
   

2. Verify that the rules have been loaded successfully:

   sudo pfctl -s rules
   

   This command displays the currently loaded rules. Ensure that your blocking rules are listed.

Step 5: Managing the Blocked IP Addresses

Over time, you may need to add or remove IP addresses from the blocked_ips table. PF provides commands to manage tables dynamically without reloading the entire ruleset.

1. To add an IP address to the blocked_ips table:

   sudo pfctl -t blocked_ips -T add 192.168.1.101
   

2. To remove an IP address from the blocked_ips table:

   sudo pfctl -t blocked_ips -T delete 192.168.1.101
   

3. To view the contents of the blocked_ips table:

   sudo pfctl -t blocked_ips -T show
   

Step 6: Testing the Configuration

After blocking IP addresses, it is essential to test the configuration to ensure that the rules are working as expected.

1. Attempt to connect to your FreeBSD system from a blocked IP address. The connection should be dropped, and no response should be received.

2. Use tools like ping or nmap to test the blocking rules:

   ping -c 4 192.168.1.100
   

   If the IP address is blocked, the ping requests should time out.

3. Check the PF logs for any blocked traffic:

   sudo pfctl -s info
   

   The logs will show statistics on blocked packets, helping you verify that the rules are effective.

Advanced Considerations

While the basic blocking rules described above are sufficient for most use cases, there are some advanced considerations to keep in mind:

1. Rate Limiting: If you want to block IP addresses that exceed a certain rate of connection attempts, you can use PF’s overload feature. For example:

   block drop in quick on $ext_if from <blocked_ips> to any overload
   

   This will block IP addresses that exceed the default rate limit.

2. Logging: You can log blocked traffic for further analysis by adding the log keyword to the blocking rule:

   block drop in log quick on $ext_if from <blocked_ips> to any
   

   The logs can be viewed using tcpdump or other log analysis tools.

3. Dynamic Blocking: For more dynamic blocking, you can use tools like fail2ban or sshguard to automatically add IP addresses to the blocked_ips table based on failed login attempts or other criteria.

4. IPv6 Support: If your network supports IPv6, ensure that your blocking rules account for both IPv4 and IPv6 addresses. You can create separate tables for IPv4 and IPv6 addresses or use a single table that supports both.

Conclusion

Blocking IP addresses with PF on FreeBSD is a straightforward yet powerful way to enhance the security of your system. By leveraging PF’s tables and rules, you can efficiently manage and block unwanted traffic, protecting your system from potential threats. Whether you are dealing with a few problematic IP addresses or managing a large list of blocked hosts, PF provides the flexibility and performance needed to keep your network secure.

Remember to test your configuration thoroughly and monitor the PF logs to ensure that your blocking rules are effective. With the right setup, PF can serve as a robust firewall solution, helping you maintain a secure and reliable FreeBSD environment.