From: Jason Hellenthal
To: Marcin Wisnicki
Cc: freebsd-pf@freebsd.org
Subject: Re: Can't kill connections
Date: Sun, 1 Jul 2012 15:31:53 -0400
Message-ID: <20120701193153.GA73402@DataIX.net>

Press 5 -or- 6 after firing up pftop and see which rule is counting upward that is accepting this traffic.

On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
> I'm trying to kill all connections to/from a certain host after reloading the
> ruleset to force it to go through the new ruleset, but it does not seem to work.
>
> My host is a simple gateway with $if_ext being natted to $if_int.
>
> I put this rule as the first filter rule:
>
> block log quick on $if_ext label "block-ext"
>
> Which should prevent any connection from reaching the internet.
> State policy is set to if-bound.
>
> Then I kill existing states (tcp and udp):
>
> pfctl -k $host && pfctl -k 0/0 -k $host
> pfctl -k $gateway && pfctl -k 0/0 $gateway
>
> The states are killed and disappear from pftop but immediately new
> connections get through as if rule "block-ext" didn't exist.
>
> These new states have high rule numbers that correspond to pass rules on
> $if_int.
>
> How is this possible when "block-ext" should block everything?

-- 
- (2^(N-1))