From: Marcin Wisnicki
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
Date: Sun, 1 Jul 2012 22:03:28 +0200
Subject: Re: Can't kill connections
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Sun, Jul 1, 2012 at 9:31 PM, Jason Hellenthal wrote:
>
> Press 5 -or- 6 after firing up pftop and see which rule is counting
> upward that is accepting this traffic.
>

I've found it! They were passed via "rdr pass" rules under the "miniupnpd" anchor.
Unfortunately pftop does not show nat/rdr rules.

> On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
>> I'm trying to kill all connections to/from a certain host after reloading
>> the ruleset to force it to go through the new ruleset, but it does not seem to work.
>>
>> My host is a simple gateway with $if_ext being natted to $if_int.
>>
>> I put this rule as the first filter rule:
>>
>>   block log quick on $if_ext label "block-ext"
>>
>> Which should prevent any connection from reaching the internet.
>> State policy is set to if-bound.
>>
>> Then I kill existing states (tcp and udp):
>>
>>   pfctl -k $host && pfctl -k 0/0 -k $host
>>   pfctl -k $gateway && pfctl -k 0/0 -k $gateway
>>
>> The states are killed and disappear from pftop but immediately new
>> connections get through as if rule "block-ext" didn't exist.
>>
>> These new states have high rule numbers that correspond to pass rules on
>> $if_int.
>>
>> How is this possible when "block-ext" should block everything?
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> --
>
>  - (2^(N-1))
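The finding above is worth turning into a routine check. On the pf syntax FreeBSD shipped at the time, a translation rule written as "rdr pass" or "nat pass" hands the translated packet through without ever evaluating the filter ruleset, so a "block quick" as the first filter rule never sees it and its counter never moves in pftop; rules pushed into an anchor by a daemon such as miniupnpd are easy to miss because "pfctl -sn" without "-a" only lists the main ruleset. The script below is an added example, not code from the thread or from pf itself: it takes "pfctl -sn"-style output on stdin and reports every translation rule carrying the "pass" modifier. The sample rule listing is constructed, and the brace-delimited anchor layout it mimics is assumed to match what "pfctl -a '*' -sn" prints on a real gateway.

```shell
#!/bin/sh
# Added example: flag nat/rdr/binat rules that carry the "pass" keyword.
# Such rules bypass the filter ruleset entirely on pre-OpenBSD-4.7 pf syntax
# (FreeBSD 9.x), which is why a leading "block quick" does not stop them.

# Print every translation rule that uses the "pass" modifier.
# Input: pfctl -sn style output on stdin (anchors may be indented inside braces).
find_translation_pass() {
    awk '
        /^[ \t]*(nat|rdr|binat)[ \t]+pass([ \t]|$)/ {
            sub(/^[ \t]+/, "")   # drop anchor indentation before printing
            print
        }
    '
}

# Number of such rules, as a plain integer for scripting.
count_translation_pass() {
    find_translation_pass | wc -l | tr -d ' '
}

# Constructed sample modelled on "pfctl -a '*' -sn" for a gateway whose
# miniupnpd anchor has opened two ports (assumed layout, not captured output).
SAMPLE_RULES='nat on em0 inet from 192.168.1.0/24 to any -> (em0)
rdr on em0 inet proto tcp from any to (em0) port = 22 -> 192.168.1.5 port 22
anchor "miniupnpd" all {
  rdr pass on em0 inet proto tcp from any to any port = 51413 -> 192.168.1.20 port 51413
  rdr pass on em0 inet proto udp from any to any port = 51413 -> 192.168.1.20 port 51413
}'

# Stand-alone run over the constructed sample: prints the two bypassing rules.
printf '%s\n' "$SAMPLE_RULES" | find_translation_pass
```

Against a live box, feed it real output instead of the sample, e.g. `pfctl -a '*' -sn | find_translation_pass` (the `'*'` form is assumed here to recurse into anchors as it does for `-sr`). Any rule it prints is one that a filter-level block cannot catch; the fix is to drop the `pass` modifier so the translated packet is matched by the filter rules, and then to kill the states again.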