Viewing the Contents of Tables

Aliases and other similar lists of addresses are stored in a pf structure called a Table. These tables can be relatively static, as with the bogons list or aliases, or dynamic for things like Snort or IP addresses exceeding connection limits. An alias becomes a “Table” once it has been loaded into the firewall ruleset. Tables may contain both IPv4 and IPv6 addresses, and the appropriate addresses are used based on the rules in which the tables are referenced.

The contents of these tables can be viewed at Diagnostics > Tables, which displays system and user-defined tables. On that page, select the desired table from the Table drop-down and the firewall will display its contents. If any alias contains a hostname, the contents of the alias are populated from DNS. Viewing the resulting table here confirms which IP addresses are in the table at that moment.

Individual entries may be removed by clicking the trash icon at the end of their row. Tables which are defined manually or by a file will be refreshed when the system performs a filter reload, so it is best to edit an alias and remove an entry rather than removing it from this page. Removing entries is best used for dynamic tables to remove an entry before it automatically expires.

Default Tables

The firewall includes several tables by default, depending on which features are enabled:

bogons/bogonsv6: If any interface is configured with Block Bogon Networks active, these tables will be present on the firewall. An Update button is also presented for the bogon tables that will immediately re-fetch the bogons data rather than waiting for the usual monthly update.
tonatsubnets: When using automatic outbound NAT, this table shows the list of networks for which automatic outbound NAT is being performed. Inspecting the table can aid in diagnosing tricky NAT issues to confirm if a subnet will have automatic outbound NAT applied to its traffic.
snort2c: A dynamic table containing blocked offenders from IDS/IPS packages, Snort and Suricata.
virusprot: A dynamic table containing addresses that have exceeded defined limits on firewall rules.
webConfiguratorlockout: A dynamic table containing clients that repeatedly failed GUI login attempts.
sshlockout: Similar to webConfiguratorlockout but used for tracking clients that fail repeated SSH login attempts.
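
For offline review of a saved table listing, such as confirming whether a source address falls inside an entry of tonatsubnets, the following added example (not part of the original documentation or the firewall's own code) parses text in the layout printed by `pfctl -t <table> -T show` and applies pf's most-specific-match rule, including negated (`!`) entries. The sample listing and the function names `parse_table` and `lookup` are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout printed by `pfctl -t tonatsubnets -T show`
# (one indented address or CIDR per line); not taken from a real firewall.
SAMPLE_TONATSUBNETS = """\
   127.0.0.0/8
   192.168.1.0/24
   10.10.0.0/16
   fd00:10::/64
"""


def parse_table(text):
    """Return (entries, skipped): parsed (network, negated) pairs and bad lines."""
    entries, skipped = [], []
    for raw in text.splitlines():
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")  # pf tables allow negated entries
        try:
            net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        except ValueError:
            skipped.append(item)
            continue
        entries.append((net, negated))
    return entries, skipped


def lookup(entries, address):
    """Most-specific match as pf does it; returns the network or None."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, negated in entries:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, negated)
    # No covering entry, or the most specific one is negated: not in the table.
    if best is None or best[1]:
        return None
    return best[0]


if __name__ == "__main__":
    entries, skipped = parse_table(SAMPLE_TONATSUBNETS)
    for addr in ("192.168.1.50", "172.16.0.1", "fd00:10::5"):
        print(addr, "->", lookup(entries, addr))
```

On the firewall itself, `pfctl -t <table> -T test <address>` performs the same membership check against the live table.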