Can't kill connections
Marcin Wisnicki
mwisnicki+freebsd at gmail.com
Sun Jul 1 18:34:37 UTC 2012
I'm trying to kill all connections to/from a certain host after reloading the
ruleset, to force it to go through the new ruleset, but it does not seem to work.
My host is a simple gateway with $if_ext being natted to $if_int.
I put this rule as the first filter rule:
block log quick on $if_ext label "block-ext"
Which should prevent any connection from reaching the internet.
State policy is set to if-bound.
Then I kill existing states (tcp and udp):
pfctl -k $host && pfctl -k 0/0 -k $host
pfctl -k $gateway && pfctl -k 0/0 -k $gateway
The states are killed and disappear from pftop but immediately new
connections get through as if rule "block-ext" didn't exist.
These new states have high rule numbers that correspond to pass rules on
$if_int.
How is this possible when "block-ext" should block everything?