Firewall Table Contents

The GUI page at Diagnostics > Tables displays the contents of tables defined by the firewall and by users.

The firewall stores aliases and other similar lists of addresses in a pf structure called a table. These tables can be relatively static, such as the bogons list or aliases, or dynamic for things like login protection lockout, IDS/IPS, or IP addresses exceeding connection limits.

An alias becomes a table once the firewall loads it into the ruleset.

If an alias contains a hostname, the firewall populates the alias contents from the addresses returned when it resolves the hostname via DNS. It periodically resolves the hostnames again and updates the table if the addresses change. Given this dynamic behavior, viewing the table contents may be necessary to confirm which IP addresses are in a table at a given time.

Viewing Tables

To view the contents of a table:

  • Navigate to Diagnostics > Tables

  • Select the desired table from the Table drop-down

After making a selection the page will update to display the contents of the selected table.

The trash can icon at the end of each row in the table content removes individual entries from a table. Removing entries is best used for dynamic tables to remove an entry before it automatically expires. Tables defined manually or by a file will be refreshed when the system performs a filter reload, so it is best to edit an alias and remove an entry rather than removing it from this page.

Default Tables

The firewall includes several tables by default, depending on which features are enabled:

bogons/bogonsv6:

If any interface is configured with Block Bogon Networks, these tables will be present.

The page offers an Update button for the bogon tables which will immediately re-fetch the bogons data rather than waiting for the usual monthly update.

cpzoneid*:

Tables starting with this string are used internally by Captive Portal and are not meant to be managed manually.

negate_networks:

Networks for which the firewall has made policy route negation rules.

snort2c:

A dynamic table containing blocked offenders from IDS/IPS packages, Snort and Suricata.

sshguard:

A dynamic table containing clients with repeated failed login attempts to the GUI and SSH.

tonatsubnets:

When using automatic outbound NAT, this table contains the list of networks for which the firewall performs automatic outbound NAT.

Inspecting the table can aid in diagnosing tricky NAT issues to confirm if a subnet will have automatic outbound NAT applied to its traffic.
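The same check can be scripted against the output of `pfctl` on the firewall (on a pfSense shell, `pfctl -sT` lists the loaded tables and `pfctl -t tonatsubnets -T show` prints one entry per line). The following is an added example, not code from the pfSense project or from this page: it parses table contents in that format and answers the diagnostic question above, "will this address match the table?", using pf's longest-prefix rule, under which a negated entry (printed with a leading `!`) excludes addresses that a broader positive entry would otherwise cover. The sample table text is constructed, not captured from a real firewall, and the `read_live_table` helper is a hypothetical convenience wrapper around the real `pfctl -t <name> -T show` command.

```python
"""Parse `pfctl -t <table> -T show` output and check address membership.

Added example for the Diagnostics > Tables material; not pfSense project code.
"""
import ipaddress
import subprocess
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in the format pfctl prints for `pfctl -t tonatsubnets -T show`
# (three-space indent, one entry per line, '!' marks a negated entry).
SAMPLE_TONATSUBNETS = """\
   10.0.0.0/8
   !10.1.0.0/16
   192.168.1.0/24
   2001:db8:1::/64
"""


def parse_table(output: str) -> List[Tuple[Network, bool]]:
    """Return (network, negated) pairs from pfctl table output.

    Bare host entries (no prefix length) become /32 or /128 networks.
    """
    entries: List[Tuple[Network, bool]] = []
    for line in output.splitlines():
        text = line.strip()
        if not text:
            continue
        negated = text.startswith("!")
        if negated:
            text = text[1:].strip()
        # strict=False tolerates entries with host bits set.
        entries.append((ipaddress.ip_network(text, strict=False), negated))
    return entries


def lookup(output: str, address: str) -> Optional[str]:
    """Return the table entry that decides `address`, or None if not in the table.

    pf matches the most specific entry; if that entry is negated the address
    is treated as absent, even when a shorter positive prefix also covers it.
    """
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[Network, bool]] = None
    for net, negated in parse_table(output):
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    if best is None or best[1]:
        return None
    return str(best[0])


def read_live_table(name: str) -> str:
    """Hypothetical helper: fetch a table from the local pf (root on the firewall)."""
    result = subprocess.run(
        ["pfctl", "-t", name, "-T", "show"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    for probe in ("10.2.3.4", "10.1.2.3", "192.168.1.5", "172.16.0.1", "2001:db8:1::10"):
        print(probe, "->", lookup(SAMPLE_TONATSUBNETS, probe))
```

On the firewall itself, `pfctl -t tonatsubnets -T test 10.1.2.3` performs this lookup directly against the kernel table, which is the quickest way to confirm the parser's verdict on live data.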

virusprot:

A dynamic table containing addresses that have exceeded defined limits on firewall rules.

vpn_networks:

A list of remote networks reachable across VPNs.