Dangling states problem

Amin Saba amn.brhm.sb at gmail.com
Sun Jun 5 11:48:14 UTC 2016


*Dangling states problem*: pf consults its state table before the rule set
(as it should). So even after adding a rule to block certain connections,
the ones that have a corresponding entry in the state table will continue
uninterrupted.

AFAIK, pf does not have any built-in/native mechanism to *automatically*
terminate states that go against the current rule set.

Sifting through the states and manually "pfctl -k"ing unwanted states does
not look like a sustainable solution to this problem.

I am writing a python script to automate this process, as much as possible.

My questions are:

Do you know any other projects aiming at this?

Is there anything on the roadmap for the pf project to address this issue?

Are there any major roadblocks to implementing this directly in pf?


Can someone shed more light on this, please?
Thanks.
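A sketch of the matching step such a script needs, added here as an example and not the poster's script or anything from the pf project: it parses `pfctl -ss` output (constructed sample lines, IPv4 layout only), finds states whose endpoints fall in a network the new rule set blocks, and builds the `pfctl -k <src> -k <dst>` commands that would terminate them. The hypothetical `kill_dangling` wrapper runs against the live table and is a dry run unless `apply=True`.

```python
import ipaddress
import re
import subprocess

# Matches the common FreeBSD `pfctl -ss` line layout, e.g.
#   all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
# An optional "(orig:port)" NAT field after an address is skipped; IPv6 lines are not handled.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[^\s(]+?):(?P<ap>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<dir><->|<-|->)\s+"
    r"(?P<b>[^\s(]+?):(?P<bp>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<st>\S+)"
)

# Constructed sample of `pfctl -ss` output, not captured from a real host.
SAMPLE_STATES = """\
all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:53 <- 10.0.0.9:40000       MULTIPLE:SINGLE
all tcp 10.0.0.9:51000 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
"""

def parse_states(text):
    """Return one dict per parseable state line; lines with another layout are skipped."""
    return [m.groupdict() for m in (STATE_RE.match(l.strip()) for l in text.splitlines()) if m]

def dangling_states(states, blocked_cidrs):
    """States with either endpoint inside a network the current rule set now blocks."""
    nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
    def hit(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:  # not a plain address (NAT remnant, garbage line)
            return False
    return [s for s in states if hit(s["a"]) or hit(s["b"])]

def kill_commands(states):
    """argv lists for `pfctl -k <src> -k <dst>`, which kills the states between that pair."""
    cmds = []
    for s in states:
        # For '<-' (inbound) states the right-hand address is the remote source; otherwise the left is.
        src, dst = (s["b"], s["a"]) if s["dir"] == "<-" else (s["a"], s["b"])
        cmds.append(["pfctl", "-k", src, "-k", dst])
    return cmds

def kill_dangling(blocked_cidrs, apply=False):
    """Read the live state table and print (or, with apply=True, run) the kill commands."""
    out = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True, check=True).stdout
    cmds = kill_commands(dangling_states(parse_states(out), blocked_cidrs))
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return cmds
```

Run `kill_dangling(["198.51.100.0/24"])` as root right after `pfctl -f` loads the rule set that adds the block; `pfctl -ss` lines that do not match the layout above are ignored rather than killed.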

