Date:      Sat, 18 Jun 2005 20:47:07 -0700
From:      Matt Rechkemmer <tiberius@trancell.org>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: pf block question
Message-ID:  <20050619034707.GA23503@sdf.lonestar.org>
In-Reply-To: <20050610183349.GA21866@orion.daedalusnetworks.priv>
References:  <20050607064323.GA29038@sdf.lonestar.org> <20050607105030.GA44218@orion.daedalusnetworks.priv> <20050609101805.GA11341@sdf.lonestar.org> <20050609105116.GA87877@orion.daedalusnetworks.priv> <20050609204814.GA11510@sdf.lonestar.org> <20050610183349.GA21866@orion.daedalusnetworks.priv>

On Fri, Jun 10, 2005 at 09:33:50PM +0300, Giorgos Keramidas wrote:
> 
> Existing icmp states?
> 
> Did you reload the rules with:
> 
> 	/etc/rc.d/pf reload
> 
> or by directly running pfctl?

I tried flushing everything with pfctl -Fa, and then loading the rules with
pfctl -f /etc/pf.conf.  The script in rc.d seems to do the same thing.

After reloading the rules, pfctl -sr yields:
root@hybrid# pfctl -sr | head -n2
scrub in all fragment reassemble
block drop quick on fxp0 from <badhosts> to any

I've verified the table has actual IP addresses.  It seems to be able to block
new TCP connections.  However, if an IP is connected currently, pf lets that
connection continue, even after flushing the states and sources.  It doesn't
seem to care about ICMP.  I can ping it from the box running pf, and receive
replies.

Am I just missing something obvious here?

--
Matt Rechkemmer
tiberius@trancell.org
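Added example for the situation this reply describes (my code, not from the thread or from FreeBSD's pf): a small sh helper that puts an address into the badhosts table and then kills the state entries pf already holds for it, because pf consults its state table before it evaluates the block rule. The pfctl -t/-T and -k invocations follow pfctl(8); PFCTL and TABLE are assumed environment overrides so the script can be dry-run with a substitute command.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pf project.
# Context: a rule such as
#     block drop quick on fxp0 from <badhosts> to any
# stops new connections from table members, but pf checks its state table
# before its rules, so flows that already have a state entry (including ICMP
# echo replies matched by a state an outbound "pass ... keep state" rule
# created) keep flowing after an address is added. Kill those states too.
#
# Assumed pfctl(8) usage (see the man page):
#   pfctl -t TABLE -T add ADDR      add ADDR to TABLE
#   pfctl -t TABLE -T show          list TABLE members
#   pfctl -k ADDR                   kill states originating from ADDR
#   pfctl -k 0.0.0.0/0 -k ADDR      kill states destined to ADDR
# PFCTL can be overridden (e.g. PFCTL="echo pfctl") for a dry run.

PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-badhosts}

# kill_states_for ADDR: remove state entries in both directions for ADDR
kill_states_for() {
    $PFCTL -k "$1"
    $PFCTL -k 0.0.0.0/0 -k "$1"
}

# block_host ADDR: add ADDR to the table, then drop its existing states so
# the block rule applies immediately rather than only to the next new flow
block_host() {
    $PFCTL -t "$TABLE" -T add "$1"
    kill_states_for "$1"
}

# kill_table_states: kill states for every address already in the table,
# useful right after loading the table from a file (pfctl -t ... -T replace)
kill_table_states() {
    $PFCTL -t "$TABLE" -T show | while read -r addr; do
        [ -n "$addr" ] || continue
        kill_states_for "$addr"
    done
}

# Usage when run directly: sh blockhost.sh ADDR [ADDR...]
for a in "$@"; do block_host "$a"; done
```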