Viewing the Contents of Tables
Aliases and other similar lists of addresses are stored in a pf structure
called a Table. These tables can be relatively static, as with the bogons
list or aliases, or dynamic, as with the Snort block list or IP addresses that
have exceeded connection limits. An alias becomes a "Table" once it has been
loaded into the firewall ruleset. Tables may contain both IPv4 and IPv6
addresses, and the appropriate addresses are used based on the rules in which
the tables are referenced.
The contents of these tables can be viewed at Diagnostics > Tables, which displays system and user-defined tables. On that page, select the desired table from the Table drop-down and the firewall will display its contents. If any alias contains a hostname, the contents of the alias are populated from DNS. Viewing the resulting table here confirms which IP addresses are in the table at that moment.
Individual entries may be removed by clicking the remove icon at the end of
their row. Tables which are defined manually or by a file are refreshed when
the system performs a filter reload, so an entry removed here from such a table
returns on the next reload; edit the alias and remove the entry there instead.
Removing entries on this page is best used for dynamic tables, to drop an entry
before it automatically expires.
Default Tables
The firewall includes several tables by default, depending on which features are enabled:
- bogons/bogonsv6: If any interface is configured with Block Bogon Networks active, these tables will be present on the firewall. An Update button is also presented for the bogon tables that will immediately re-fetch the bogons data rather than waiting for the usual monthly update.
- tonatsubnets: When using automatic outbound NAT, this table shows the list of networks for which automatic outbound NAT is being performed. Inspecting the table can aid in diagnosing tricky NAT issues to confirm whether a subnet will have automatic outbound NAT applied to its traffic.
- snort2c: A dynamic table containing blocked offenders from the IDS/IPS packages, Snort and Suricata.
- virusprot: A dynamic table containing addresses that have exceeded defined limits on firewall rules.
- webConfiguratorlockout: A dynamic table containing clients that repeatedly failed GUI login attempts.
- sshlockout: Similar to webConfiguratorlockout but used for tracking clients that fail repeated SSH login attempts.