From owner-freebsd-pf@FreeBSD.ORG Fri Jul 6 06:50:44 2007
Date: Fri, 6 Jul 2007 01:50:36 -0500
From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Message-ID: <20070706065036.GA3771@verio.net>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <20070705062546.BF688267E13@mx.levier.org>
 <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com>
 <20070705164343.3F2E7267F61@mx.levier.org>
 <20070706003051.GC3557@verio.net>
 <20070706042859.C3808267E14@mx.levier.org>
In-Reply-To: <20070706042859.C3808267E14@mx.levier.org>
Subject: Re: Issue with PF on FreeBSD 6.2.5?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Laurent LEVIER wrote:
>
> Still wondering what to do if the host keeps being in the list.
> I can't endlessly do a -k while host does not disappear...

What might be happening is that the initial packet passing through PF is going in the opposite direction than expected. This establishes the state with the source/destination reversed.

pfctl -k removes state entries by destination IP. If the state entry has your target IP as the source, you have to use the "-k -k" option, where you specify both source and destination IPs to be removed.

There is probably a good way to integrate this into your scripts so that you don't have to perform the state removal manually; it can be done by the same script that is removing anchors from PF policy and such.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous." -- Robert Benchley
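The scripted state removal suggested above, written out as an added example that is not from the thread or from David's own scripts. It issues both pfctl(8) forms documented in the FreeBSD manual page, "pfctl -k host" and "pfctl -k 0.0.0.0/0 -k host", so the host is matched whichever side of the state entry it landed on; the PFCTL and DRY_RUN variables, the is_ipv4 check and the 192.0.2.10 address are this example's own assumptions and constructed values.

```shell
#!/bin/sh
# Added example (not from the original thread): flush pf state entries for a
# host as either endpoint, so it drops out of `pfctl -s state` even when the
# state was created in the reverse direction.
#
# Assumes the pfctl(8) syntax from the FreeBSD manual page:
#   pfctl -k host              states originating from host
#   pfctl -k 0.0.0.0/0 -k host states from anywhere to host
# PFCTL and DRY_RUN are knobs of this script, not pfctl options.

PFCTL="${PFCTL:-/sbin/pfctl}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted-quad IPv4 address or CIDR network; rejecting anything
# else keeps a bad argument from reaching pfctl unchecked.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the two pfctl invocations needed for one host, one per line.
kill_state_commands() {
    host="$1"
    is_ipv4 "$host" || return 1
    printf '%s -k %s\n' "$PFCTL" "$host"
    printf '%s -k 0.0.0.0/0 -k %s\n' "$PFCTL" "$host"
}

# Run (or, when DRY_RUN=1, only print) the state removal for one host.
kill_states_for_host() {
    host="$1"
    cmds=$(kill_state_commands "$host") || { echo "bad host: $host" >&2; return 1; }
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmds"
        return 0
    fi
    echo "$cmds" | while IFS= read -r cmd; do
        $cmd
    done
}

# Count state lines that still mention the host; reads `pfctl -s state`
# output on stdin so the check can be verified offline. 0 means it is gone.
remaining_states() {
    grep -c -- "$1" || true
}

# Usage: DRY_RUN=1 ./killstate.sh 192.0.2.10   (192.0.2.10 is a constructed value)
if [ $# -gt 0 ]; then
    for h in "$@"; do
        kill_states_for_host "$h"
    done
fi
```

Running it with DRY_RUN=1 first shows exactly which pfctl commands would fire; after the real run, piping `pfctl -s state` into `remaining_states <host>` confirms whether the entry is actually gone or is being re-created by fresh traffic, which is the case where anchor removal and state removal need to happen in the same script.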