I had some trouble to feed fail2ban output to my pf firewall, so here’s my how to:

In short: RTFM! Don’t just copy’n paste configs; don’t mix anchor (new) and tables (old)

  1. pf.conf: delete all those table and rules and just set the anchor anchor "f2b/*"
  2. fail2ban: enable the filters & actions you want (by creating jail.d/*.local files). my bsd-ssh.conf looks like this, I use this as template for other services:
[bsd-sshd]
enabled = true
mode   = extra
filter = bsd-sshd
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 3600
ignoreip = 192.168.0.0/24

you can check with

  • show all anchors: pfctl -a 'f2b/*' -sA
  • show all rules for all anchors: pfctl -a 'f2b/*' -sr
  • show the rules for bsd-sshd: pfctl -a f2b/bsd-sshd -sr
  • show banned IPs for bsd-sshd: pfctl -a f2b/bsd-sshd -t f2b-bsd-sshd -T show
  • bonus: show everything pfctl -a 'f2b/*' -sa