Notes on OS intalls

commit e7262d2eea3e41eb401166acdbc8be6c2e323211
parent c2f377beca81726251feeb15eb5e873327e891ec
Author: Chris Bracken <>
Date:   Sat, 10 Jul 2021 11:59:39 -0700

FreeBSD: Add blacklistd_flags

Unclear whether starting with -r is required, but every example I see
where blacklistd is used with pf includes it. The manpage isn't as clear
as it could be with regards to what's actually happening under the hood.

Diffstat: | 11++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ b/ @@ -523,8 +523,8 @@ To run a check on our config file without yet applying it: Next, we'll start `pf`, but since many a system administrator has found themselves locked out of their own server by applying a bad config, it's useful to queue up a command to disable the firewall after two minutes. -In another terminal, log into the remote machine, get a root shell using -`sudo -s`, then run the following: +In another terminal, log into the remote machine, get a *root* shell +using `sudo -s`, then run the following: # Sleep 2 minutes, then disable pf. sleep 120; pfctl -d @@ -573,9 +573,14 @@ First, we'll add a pf anchor for blacklistd blocks in `/etc/pf.conf`: anchor "blacklistd/*" in on $ext_if -Next we'll enable it on boot. Add the following line to `/etc/rc.conf`: +Next we'll enable it on boot. We start the daemon with the `-r` flag, which +tells it to re-read the firewall rules from the internal database and remove +then re-add them; this is useful for packet filters that don't retain state +across restarts, though it's unclear to me whether this is the case for `pf`. +Add following lines to `/etc/rc.conf`: blacklistd_enable="YES" + blacklistd_flags="-r" Nest, start the blacklistd service:
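Review bot: in the first hunk (the `sleep 120; pfctl -d` safety net), the timer only works for as long as the second login shell it runs in stays alive; if that remote session is torn down before the two minutes elapse, the shell hangs up its foreground job and `pfctl -d` never runs. Since the whole point of the command is to survive a bad rule set, consider detaching it from the session, e.g. `nohup sh -c 'sleep 120; pfctl -d' &`, or running it inside a tmux/screen session, and say so in the text so the reader does not rely on a safety net that can die with their connection.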
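Review bot: in the second hunk, the added description of `-r` ("re-read the firewall rules from the internal database and remove then re-add them") states internal behaviour more confidently than the commit message itself, which says the manpage is unclear about what happens under the hood; either verify the wording against blacklistd(8) before documenting it, or phrase it as what the flag is documented to do for packet filters that do not retain state, and keep the open question about `pf` as it is. Two small text fixes in the same region: the added line "Add following lines to `/etc/rc.conf`:" is missing "the" ("Add the following lines"), and the unchanged context line right after it, "Nest, start the blacklistd service:", should read "Next".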