With the recently released FreeBSD 11.1 sshd got linked against blacklistd. Therefore there is a new option in sshd_config: UseBlacklist. Per default it is set to no. Uncomment it, set it to yes and then reload sshd.
The config is in /etc/blacklistd.conf. Usually you define blocking rules in the [local]-section and whitelisting in [remote]. The sample file and the man page are good enough to explain that part.
In addition you need to start the blacklistd-service and enable it in rc.conf or even better in a file in /etc/rc.conf.d.
In /etc/pf.conf you need to add the following line:
anchor "blacklistd/*" in on $ext_if
Then you need to reload pf with the new rule:
pfctl -f /etc/pf.conf
Now blocking should already work. To get the blocked IPs use the following command
If there are IPv6-adresses blocked, you need to add -w, so it is then
If you want to unblock an IP you can look into the tables with pfctl. To see for example the table for sshd, the command is:
pfctl -a blacklistd/22 -t port22 -T show
Now let’s say you want to unblock the IP 184.108.40.206, then you could issue a:
pfctl -a blacklistd/22 -t port22 -T delete 220.127.116.11
This will remove the IP from the table and it is now unblocked. blacklistctl will still show the IP as blocked though. But if the IP tries again to log in and fails often enough, it will get blocked again.