From: Marcin Wisnicki
To: freebsd-pf@freebsd.org
Date: Sun, 1 Jul 2012 18:34:18 +0000 (UTC)
Subject: Can't kill connections

I'm trying to kill all connections to/from a certain host after reloading the ruleset, to force it to go through the new ruleset, but it does not seem to work. My host is a simple gateway with $if_ext being NATed to $if_int.
I put this rule as the first filter rule:

  block log quick on $if_ext label "block-ext"

which should prevent any connection from reaching the internet. State policy is set to if-bound.

Then I kill existing states (tcp and udp):

  pfctl -k $host && pfctl -k 0/0 -k $host
  pfctl -k $gateway && pfctl -k 0/0 -k $gateway

The states are killed and disappear from pftop, but immediately new connections get through as if the rule "block-ext" didn't exist. These new states have high rule numbers that correspond to pass rules on $if_int.

How is this possible when "block-ext" should block everything?
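As an added diagnostic for the situation above (example code, not part of the original post): it parses `pfctl -ss -vv`-style output to show, per interface, which rule number created each state and which states the two `pfctl -k` forms (source host vs. `0/0 -k` destination host) would select. The output format, the interface names and the addresses are assumptions, and the sample is constructed rather than captured from the poster's gateway.

```python
import re
from collections import Counter

# Constructed sample shaped like `pfctl -ss -vv` output under
# "set state-policy if-bound" (assumed: first column is the interface the
# state is bound to, "all" would mean floating; the creating rule number
# sits on the "age" line). 192.168.1.10 is the internal host, 203.0.113.7
# the gateway's external (NAT) address. Not output from the poster's box.
SAMPLE = """\
em1 tcp 192.168.1.10:51234 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
   [2870913735 + 65536] wscale 7  [1006063447 + 65536] wscale 7
   age 00:00:05, expires in 24:00:00, 12:10 pkts, 1400:5200 bytes, rule 42
   id: 0000000000000001 creatorid: deadbeef
em0 tcp 192.168.1.10:51234 (203.0.113.7:60001) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
   [1006063447 + 65536] wscale 7  [2870913735 + 65536] wscale 7
   age 00:00:05, expires in 24:00:00, 12:10 pkts, 1400:5200 bytes, rule 3
   id: 0000000000000002 creatorid: deadbeef
em1 udp 198.51.100.53:53 -> 192.168.1.10:40000       MULTIPLE:SINGLE
   age 00:00:01, expires in 00:00:59, 1:1 pkts, 60:120 bytes, rule 45
   id: 0000000000000003 creatorid: deadbeef
"""

# Header line: iface proto src [(translated)] -> dst [(translated)] ...
HEAD = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+->\s+(\S+)(?:\s+\(\S+\))?")
RULE = re.compile(r"\brule (\d+)\b")

def parse_states(text):
    """Return one dict per state: interface, proto, src, dst and creating rule number."""
    states, cur = [], None
    for line in text.splitlines():
        if not line.startswith(" "):          # state header lines are unindented
            m = HEAD.match(line)
            if m:
                cur = {"iface": m.group(1), "proto": m.group(2),
                       "src": m.group(3), "dst": m.group(4), "rule": None}
                states.append(cur)
        elif cur is not None:                 # detail lines belong to the last header
            m = RULE.search(line)
            if m:
                cur["rule"] = int(m.group(1))
    return states

def addr(endpoint):
    """Strip the :port suffix from an IPv4 endpoint as pfctl prints it."""
    return endpoint.rsplit(":", 1)[0]

def kill_candidates(states, host):
    """States that `pfctl -k host` (by source) and `pfctl -k 0/0 -k host` (by destination) select."""
    return ([s for s in states if addr(s["src"]) == host],
            [s for s in states if addr(s["dst"]) == host])

def rules_per_interface(states):
    """Count states by (interface, rule) to see which pass rule keeps creating them."""
    return Counter((s["iface"], s["rule"]) for s in states)
```

Comparing the (interface, rule) counts against `pfctl -sr -vv` shows whether the recreated states come from pass rules on the internal interface, as the post observes.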