Can't kill connections

Marcin Wisnicki mwisnicki+freebsd at gmail.com
Sun Jul 1 20:03:29 UTC 2012


On Sun, Jul 1, 2012 at 9:31 PM, Jason Hellenthal <jhellenthal at dataix.net> wrote:
>
> Press 5 -or- 6 after firing up pftop and see which rule is counting
> upward that is accepting this traffic.
>

I've found it! They were passed via "rdr pass" rules under the "miniupnpd" anchor.
Unfortunately pftop does not show nat/rdr rules.

> On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
>> I'm trying to kill all connections to/from certain host after reloading
>> ruleset to force it to go through new ruleset but it does not seem to work.
>>
>> My host is a simple gateway with $if_ext being natted to $if_int.
>>
>> I put this rule as the first filter rule:
>>
>>   block log quick on $if_ext label "block-ext"
>>
>> Which should prevent any connection from reaching internet.
>> State policy is set to if-bound.
>>
>> Then I kill existing states (tcp and udp):
>>
>>   pfctl -k $host && pfctl -k 0/0 -k $host
>>   pfctl -k $gateway && pfctl -k 0/0 -k $gateway
>>
>> The states are killed and disappear from pftop but immediately new
>> connections get through as if rule "block-ext" didn't exist.
>>
>> These new states have high rule numbers that correspond to pass rules on
>> $if_int.
>>
>> How is this possible when "block-ext" should block everything ?
>>
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
> --
>
>  - (2^(N-1))
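The diagnosis above (states re-created through "rdr pass" rules in the "miniupnpd" anchor, which pftop does not display) is easier to see on a minimal ruleset. The pf.conf fragment below is an added illustration for this archive page, not from the thread or from the miniupnpd project; the interface names, the address of $host, the forwarded ports and the example miniupnpd rule are all assumptions, written in the pre-OpenBSD-4.7 syntax FreeBSD used at the time.

```pf
# Constructed example, not from the thread.  Interface names, addresses and
# ports are assumptions.  Syntax: FreeBSD pf (pre-OpenBSD-4.7 style).
if_ext = "em0"
if_int = "em1"
host   = "192.168.1.50"

set state-policy if-bound

# --- Translation section: evaluated before any filter rule -------------
nat on $if_ext from $if_int:network to any -> ($if_ext)

# miniupnpd loads its port mappings into this anchor.  A rule of the form
#
#   rdr pass on em0 proto tcp from any to (em0) port 6881 -> 192.168.1.50 port 6881
#
# carries the "pass" modifier: pf creates the state as soon as the packet
# matches the translation and never consults the filter section below, so
# "block-ext" cannot stop it and "pfctl -k" only holds until the next SYN.
rdr-anchor "miniupnpd"

# The same mapping without "pass" (hypothetical port): the translated packet,
# now addressed to $host, still has to pass the filter section, where the
# "block-ext" rule catches it.
rdr on $if_ext proto tcp from any to ($if_ext) port 6882 -> $host port 6882

# --- Filter section ----------------------------------------------------
# Lockdown rule from the thread: first filter rule, no direction given, so it
# matches both in and out on $if_ext.
block log quick on $if_ext label "block-ext"
anchor "miniupnpd"
pass in on $if_int from $if_int:network to any keep state
```

Because pftop's rule view covers only filter rules, the translation rules have to be read with pfctl: `pfctl -a miniupnpd -s nat` lists the anchor's rdr rules, `pfctl -a '*' -s nat` walks every anchor on a pfctl that supports the wildcard, and `pfctl -v -s nat` adds the evaluation and packet counters that show which rdr rule is matching. To make a lockdown stick while "rdr pass" rules are present, flush the anchor's translation rules (`pfctl -a miniupnpd -F nat`) before running `pfctl -k`; otherwise the next inbound packet simply recreates the state, and it will keep doing so for as long as miniupnpd is allowed to add mappings.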

