From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 14:41:57 2007
Date: Thu, 5 Jul 2007 09:41:55 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <20070705144155.GA3490@verio.net>
In-Reply-To: <20070705062546.BF688267E13@mx.levier.org>

Laurent LEVIER wrote:
>
> The problem I have is:
> - When the public_granted table is updated with a new IP address, pf
>   let the user pass through.
> - But when I delete this @IP from the table, pf keeps allowing the
>   user to pass through.

PF always examines its state table before evaluating rules, so once a
state entry is created you must clear it in order to stop communications
on that open connection.

See pfctl(1), specifically the -k option:

    -k host     Kill all of the state entries originating from the
                specified host. A second -k host option may be specified,
                which will kill all the state entries from the first host
                to the second host. For example, to kill all of the state
                entries originating from host:

                      # pfctl -k <host>

                To kill all of the state entries from host1 to host2:

                      # pfctl -k <host1> -k <host2>

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing,
 but I couldn't give it up because by that time I was too famous."
                                                   -- Robert Benchley
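The revoke step described in the reply above, as an added sh example that is not from this thread or from pf itself: it deletes the address from the public_granted table named in Laurent's question and then issues the pfctl -k forms quoted from the man page, so the existing state entries are dropped along with the table entry. The PFCTL override variable, the function names and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Revoke a host that was admitted through a pf table, then tear down the
# states it already holds: deleting the table entry alone leaves them,
# because pf matches the state table before it evaluates the rules.
# PFCTL may be overridden, e.g. PFCTL="echo pfctl", for a dry run
# (assumed convenience, not a pfctl feature).
: "${PFCTL:=pfctl}"
TABLE="public_granted"   # table name from the original question

# is_ipv4 ADDR: accept a dotted quad whose octets are all in 0-255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
}

# revoke_ip ADDR [DST]: remove ADDR from TABLE, then kill the states it
# originated. With DST given, only states from ADDR to DST are killed
# (the second -k form in the man page text); otherwise all of them.
revoke_ip() {
    ip="$1"; dst="$2"
    is_ipv4 "$ip" || { echo "revoke_ip: bad address '$ip'" >&2; return 1; }
    if [ -n "$dst" ] && ! is_ipv4 "$dst"; then
        echo "revoke_ip: bad destination '$dst'" >&2; return 1
    fi
    # 1. stop new connections: drop the table entry
    $PFCTL -t "$TABLE" -T delete "$ip" || return 1
    # 2. stop the open ones: kill the state entries for this host
    if [ -n "$dst" ]; then
        $PFCTL -k "$ip" -k "$dst"
    else
        $PFCTL -k "$ip"
    fi
}

# states_for ADDR: list remaining state entries that mention ADDR, so the
# operator can confirm the revoke took (exit 1 when none are left).
states_for() {
    esc=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    $PFCTL -s states | grep -E "(^|[^0-9.])$esc([^0-9]|\$)"
}

[ $# -eq 0 ] || revoke_ip "$@"
```

Run it as root, e.g. "sh revoke.sh 192.0.2.10" (constructed address), and follow with "states_for 192.0.2.10" to check that nothing is left for that host.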