Can't kill connections

Jason Hellenthal jhellenthal at dataix.net
Sun Jul 1 19:31:58 UTC 2012


Press 5 -or- 6 after firing up pftop and see which rule is counting
upward that is accepting this traffic.

On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
> I'm trying to kill all connections to/from a certain host after reloading the
> ruleset, to force it to go through the new ruleset, but it does not seem to work.
> 
> My host is a simple gateway with $if_ext being natted to $if_int.
> 
> I put this rule as the first filter rule:
> 
>   block log quick on $if_ext label "block-ext"
> 
> Which should prevent any connection from reaching internet.
> State policy is set to if-bound.
> 
> Then I kill existing states (tcp and udp):
> 
>   pfctl -k $host && pfctl -k 0/0 -k $host
>   pfctl -k $gateway && pfctl -k 0/0 -k $gateway
> 
> The states are killed and disappear from pftop but immediately new 
> connections get through as if rule "block-ext" didn't exist.
> 
> These new states have high rule numbers that correspond to pass rules on 
> $if_int.
> 
> How is this possible when "block-ext" should block everything?
> 
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf

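Jason's advice is to watch which rule's counter climbs while the traffic flows. As an added example (not from this thread), here is a Python script that diffs two `pfctl -vvsr` snapshots and lists the rules whose "State Creations" counter grew between them; the snapshot text is constructed, and the counter-line layout is assumed to match FreeBSD's `pfctl -vvsr` output.

```python
import re

# Rule header as printed by `pfctl -vvsr`, e.g. '@3 pass in on em1 all keep state'
RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
# Per-rule counter line; layout assumed to match FreeBSD's `pfctl -vvsr` output
CREATED_RE = re.compile(r'State Creations:\s*(\d+)')


def parse_rules(text):
    """Map rule number -> (rule text, 'State Creations' counter)."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:                       # start of a new rule
            current = int(m.group(1))
            rules[current] = [m.group(2).strip(), 0]
            continue
        m = CREATED_RE.search(line)
        if m and current is not None:
            rules[current][1] = int(m.group(1))
    return {n: tuple(v) for n, v in rules.items()}


def rules_counting_up(before, after):
    """Rules whose 'State Creations' counter grew between two snapshots,
    as (rule number, rule text, delta), largest delta first."""
    b, a = parse_rules(before), parse_rules(after)
    grew = []
    for num, (rule, created) in a.items():
        delta = created - b.get(num, (None, 0))[1]
        if delta > 0:
            grew.append((num, rule, delta))
    return sorted(grew, key=lambda t: -t[2])


# Constructed snapshots standing in for two runs of `pfctl -vvsr` a few seconds apart.
SNAP_BEFORE = """\
@0 block drop log quick on em0 all label "block-ext"
  [ Evaluations: 120       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 812 State Creations: 0     ]
@1 pass in on em1 inet proto tcp all flags S/SA keep state
  [ Evaluations: 120       Packets: 900       Bytes: 120000      States: 4     ]
  [ Inserted: uid 0 pid 812 State Creations: 31    ]
"""
SNAP_AFTER = SNAP_BEFORE.replace('State Creations: 31', 'State Creations: 37')

if __name__ == '__main__':
    for num, rule, delta in rules_counting_up(SNAP_BEFORE, SNAP_AFTER):
        print(f'@{num} +{delta} new states: {rule}')
```

In the constructed snapshots the only rule creating states is the pass rule on the internal interface, which is the pattern the original poster describes: the high-numbered $if_int pass rule, not "block-ext", is the one matching the new connections.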