Date: Fri, 6 Jul 2007 01:50:36 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <20070706065036.GA3771@verio.net>
In-Reply-To: <20070706042859.C3808267E14@mx.levier.org>
References: <20070705062546.BF688267E13@mx.levier.org> <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com> <20070705164343.3F2E7267F61@mx.levier.org> <20070706003051.GC3557@verio.net> <20070706042859.C3808267E14@mx.levier.org>
Laurent LEVIER <llevier@argosnet.com> wrote:
>
> Still wondering what to do if the host keeps being in the list.
> I can't endlessly do a -k while host does not disappear...

What might be happening is that the initial packet passing through PF is going in the opposite direction than expected. This establishes the state with the source/destination reversed.

pfctl -k removes state entries by destination IP. If the state entry has your target IP as the source, you have to use the "-k -k" option, where you specify both source and destination IPs to be removed.

There is probably a good way to integrate this into your scripts so that you don't have to perform the state removal manually; it can be done by the same script that is removing anchors from PF policy and such.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
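The reply above points out that a state created in the reverse direction carries the blocked host as its source, so a kill that names only one end can miss it. The following sh/awk helper is an added example, not code from the thread: it reads `pfctl -ss` output, takes source and destination from the arrow direction of each state line (tail of the arrow is the source, head is the destination), and emits the two-argument `pfctl -k SRC -k DST` form for every state involving a given host, which removes the entry whichever way it was established. The `pfctl -ss` line layout is assumed from 6.x-era pf and the state lines are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of 6.x-era `pfctl -ss` output (layout assumed):
#   <if> <proto> <lan>[ (<nat>)] -> <ext> ...   outbound state, lan is source
#   <if> <proto> <lan>[ (<nat>)] <- <ext> ...   inbound state, ext is source
SAMPLE_STATES='all tcp 192.168.1.10:54321 -> 203.0.113.5:22       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:80 <- 198.51.100.7:40123       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:53 (203.0.113.9:53) <- 198.51.100.7:1025       MULTIPLE:SINGLE'

# kill_cmds_for HOST
# Prints one "pfctl -k SRC -k DST" line per sample state that has HOST as
# either end, with SRC/DST taken in the state's own direction so the kill
# matches regardless of which way the state was created. Nothing is executed.
kill_cmds_for() {
    host=$1
    printf '%s\n' "$SAMPLE_STATES" | awk -v host="$host" '
    {
        line = $0
        # drop the NAT translation shown in parentheses, if any
        gsub(/\([^)]*\)/, "", line)
        n = split(line, f, "[ \t]+")
        # locate the direction arrow
        for (i = 1; i <= n; i++) if (f[i] == "->" || f[i] == "<-") break
        if (i > n || i < 2) next
        left = f[i - 1]; right = f[i + 1]
        # strip ":port" to keep just the addresses
        sub(/:[0-9]+$/, "", left); sub(/:[0-9]+$/, "", right)
        if (f[i] == "->") { src = left; dst = right }
        else              { src = right; dst = left }
        if (src == host || dst == host)
            printf "pfctl -k %s -k %s\n", src, dst
    }'
}

# Usage: show the kill commands for a host seen in the sample table.
kill_cmds_for "${1:-198.51.100.7}"
```

To apply this against a live firewall, replace the sample variable with the output of `pfctl -ss` and pipe the printed commands to the shell once they look right.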