Issue with PF on FreeBSD 6.2.5?
David DeSimone
fox at verio.net
Fri Jul  6 06:50:44 UTC 2007
Laurent LEVIER <llevier at argosnet.com> wrote:
>
> Still wondering what to do if the host keeps being in the list.
> I can't endlessly do a -k while the host does not disappear...
What might be happening is that the initial packet passing through PF is
going in the opposite direction than expected.  This establishes the
state with the source/destination reversed.
pfctl -k removes state entries by destination IP.  If the state entry
has your target IP as the source, you have to use the "-k -k" option,
where you specify both source and destination IPs to be removed.
There is probably a good way to integrate this into your scripts so that
you don't have to perform the state removal manually; it can be done by
the same script that is removing anchors from PF policy and such.
-- 
David DeSimone == Network Admin == fox at verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous."  -- Robert Benchley
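A small sh helper for the scripted state removal suggested above, written as an added example that is not part of the original thread. It removes the state entries in which a host appears at either end, using pfctl(8)'s single `-k` form and the two-argument `-k` form with `0.0.0.0/0` as the wildcard for the other end, then counts what remains with `pfctl -ss`; the function names, the input check and the `PF_DRY_RUN` switch are this example's own assumptions, and it expects a FreeBSD host with pf enabled.

```shell
#!/bin/sh
# Added example: remove pf state entries for one host in both directions,
# then confirm none remain. Assumes FreeBSD with pf enabled and pfctl(8)
# in PATH. Set PF_DRY_RUN=1 to print the commands instead of running them.

# Accept only a plain dotted-quad IPv4 address (constructed check, so
# stray shell metacharacters never reach the pfctl command line).
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

run_pfctl() {
    if [ "${PF_DRY_RUN:-0}" = "1" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# Kill states where $1 is the source, then states where $1 is the
# destination (0.0.0.0/0 as the first -k argument is the wildcard source).
pf_kill_both_ways() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 2; }
    run_pfctl -k "$1"
    run_pfctl -k 0.0.0.0/0 -k "$1"
}

# Report how many state entries still mention the host (0 is the goal).
pf_state_count() {
    [ "${PF_DRY_RUN:-0}" = "1" ] && { echo 0; return 0; }
    pfctl -ss 2>/dev/null | grep -c -- "$1"
}

# Usage: sh kill_states.sh 10.0.0.5
if [ -n "$1" ]; then
    pf_kill_both_ways "$1" &&
        echo "remaining states for $1: $(pf_state_count "$1")"
fi
```

Run it from the same script that deletes the table entries or anchors, so the blocked host's existing states go away at the same moment as its rule.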