Message-ID: <50B0F069.5030104@gmail.com>
Date: Sat, 24 Nov 2012 17:06:01 +0100
From: David Demelier
To: Fleuriot Damien
Cc: freebsd-questions@freebsd.org
Subject: Re: PF and tables for disabling network

On 23/11/2012 15:58, Fleuriot Damien wrote:
>
> On Nov 23, 2012, at 3:46 PM, David Demelier wrote:
>
>> Hello,
>>
>> I would like to disable the network traffic for specific IPs. For the
>> moment I just add to my pf.conf a rule that will block everything for a
>> specified table, like this:
>>
>> table
>>
>> [...] other rules [...]
>>
>> block from
>>
>> Then I just need to add my IP using pfctl; it works, no packet can be
>> sent/received to the machine. However, if that machine had some active
>> connections, these won't be closed and they can still use them (an SSH
>> client, a game, ...)
>>
>> How can I disable everything then?
>>
>> Cheers
>>
>> --
>> Demelier David
>
>
> First, you might want to use "block in quick on $externalif inet from ", to have:
> - a quick rule, which stops ruleset evaluation immediately
> - a more specific rule, which applies only to your WAN interface's inbound traffic
>
> Be careful with the quick keyword, it's going to match packets immediately and entirely block these IPs.
>
>
> Then, if you want to kill the active connections from people in the table, you might want to "script" a bit, like:
>
> for i in `pfctl -t closed -T show`
> do
>     # -k (kill states by source host) and -K (kill source-tracking entries)
>     # each take the host as their own argument, so they cannot be combined as -kK
>     pfctl -k "$i" -K "$i"
> done
>
>
>
> Would that do the trick for you?
>

Thank you, that works very well :)

Cheers,

--
David Demelier
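The recipe from this thread (put the host in a PF table that a block rule references, then kill its existing states) as an added example script; it is not code from either poster. It assumes the table is named closed and the pf.conf lines discussed above; the PFCTL variable, the IPv4 check and the kill of states in the reverse direction are additions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine a host with the PF table
# discussed in the thread and drop its live states. Assumes a pf.conf with
#   table <closed> persist
#   block in quick on $externalif inet from <closed>
# Table name "closed" and the PFCTL override are assumptions of this example.
TABLE=${TABLE:-closed}
PFCTL=${PFCTL:-pfctl}   # point at a wrapper function to preview without touching pf

# Accept only a dotted-quad IPv4 address with an optional /prefix, so that a
# script argument or a table entry reaches pfctl as an address and nothing else.
is_ipv4() {
    case $1 in
        *[!0-9./]*|*/*/*|.*|*.|*/|/*) return 1 ;;
    esac
    addr=${1%%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32           # no prefix given: a single host
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    set -- $(printf '%s' "$addr" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Drop every state involving HOST. "-k HOST" kills states whose source is HOST;
# "-k 0.0.0.0/0 -k HOST" kills states whose destination is HOST (the form the
# pfctl man page gives for all states to a host); "-K HOST" drops its
# source-tracking entries. Bad input is refused before pfctl is ever invoked.
kill_host() {
    is_ipv4 "$1" || { echo "kill_host: refusing '$1'" >&2; return 1; }
    "$PFCTL" -k "$1" &&
    "$PFCTL" -k 0.0.0.0/0 -k "$1" &&
    "$PFCTL" -K "$1"
}

# The thread's two steps in one: add HOST to the table, then kill its states
# so the block rule does not have to wait for existing connections to die.
quarantine() {
    is_ipv4 "$1" || return 1
    "$PFCTL" -t "$TABLE" -T add "$1" && kill_host "$1"
}

# The loop from the thread, run over whatever is in the table right now.
kill_table() {
    for h in $("$PFCTL" -t "$TABLE" -T show); do kill_host "$h"; done
}

if [ -n "${1-}" ]; then quarantine "$1"; fi
```

Run as `sh quarantine.sh 192.0.2.7` to cut one host off, or source it and call kill_table after editing the table by hand.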