#parser #logging #free-bsd #nginx #regex #firewall #pf #macos #openbsd #poc

bin+lib pff

pf filter - parse Nginx access.log for unwanted regexp patterns, and block them on the PF firewall

5 unstable releases

0.4.0 Apr 21, 2023
0.3.3 Oct 6, 2022
0.3.2 Jun 18, 2022
0.3.0 May 16, 2022
0.2.0 May 13, 2022

MIT license

454 lines

PFF - PF-Filter. Designed for FreeBSD, OpenBSD and MacOS


  • Daniel (dmilith) Dettlaff (@dmilith)


This is a cli application that parses Nginx access.log for unwanted regexp patterns, which are later added to the blocked list of PF firewall.


  • Precompiled, configurable Regexps (wanted and unwanted)
  • Configurable buffer (if 0 then whole access.log is parsed each run, if specified will determine of how much of the log tail gets parsed)
  • Follows simple rule, that if access.log line is matching the "wanted" regexp it's not checked further, when is matching "unwanted" regexp it's considered malicious and will be added to the firewall block

Shell environment variables

Increase log verbosity:

LOG=debug cargo run


If no configuration is found in default paths, the local "pff.conf" will be created with default configuration. The file is stored in the RON format.

Installation details:

  1. Pff assumes that the /etc/pf.conf contains the block list like this:
table <blocked> persist file "/etc/spammers"
block drop in quick from <blocked>
block drop out quick to <blocked>
  1. Pff assumes that /etc/spammers is writable and user is root. On MacOS sudo is used to reload PF as a regular user.


  • Released under the BSD license.


~164K SLoC