Decisions are not blocked in pf

crowdsec
1

I have installed crowdsec on my server according to this documentation and I wanted to verify that decisions are blocked. To reduce complexity I am using a manual ban

 sudo cscli decisions add --ip 192.168.1.10 --duration 10m
INFO[08-07-2022 04:53:13 PM] Decision successfully added

I can see the decision

 crowdsec-cli decisions list
+---------+----------+------------------+----------------------------------------------------+--------+---------+--------------------------+--------+--------------------+----------+
|   ID    |  SOURCE  |   SCOPE:VALUE    |                       REASON                       | ACTION | COUNTRY |            AS            | EVENTS |     EXPIRATION     | ALERT ID |
+---------+----------+------------------+----------------------------------------------------+--------+---------+--------------------------+--------+--------------------+----------+
| 8270435 | cscli    | Ip:192.168.1.10  | manual 'ban' from                                  | ban    |         |                          |      1 | 9m39.659643051s    |      851 |
|         |          |                  | 'da8adxxxxU4a' |        |         |                          |        |                    |          |

+---------+----------+------------------+----------------------------------------------------+--------+---------+--------------------------+--------+--------------------+----------+

The bouncer is running

 service crowdsec_firewall status
crowdsec_firewall is running as pid 95837.

The pf-table is installed and already filled with central decissions

pfctl -t pfbadhost -T show | wc -l
   25758

I would expect that I can now find my banned ip in the pf firewall table

pfctl -t pfbadhost -T show | grep '192.168.1.10'

but no results. Also other public ips that are causing a decision are not blocked.

Where is my mistake?

2

Hello,

I see no mistake in how you explain you are proceeding.
Would you be able to reproduce and share the logs of the bouncer? We should see the bouncer saying that it’s inserting new entries in the pf tables. (I don’t have a FreeBSD at hand to try it)

3

ok. if found my mistake. I was searching in the wrong pf table

 pfctl -t crowdsec-blacklists -T show | grep '192.168'
   192.168.1.10

table pfbadhost was filed by pf-badhosts