Date: Sun, 1 Jul 2012 15:31:53 -0400
From: Jason Hellenthal <jhellenthal@dataix.net>
To: Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Can't kill connections
Message-ID: <20120701193153.GA73402@DataIX.net>
In-Reply-To: <jsq57a$9ep$1@dough.gmane.org>
References: <jsq57a$9ep$1@dough.gmane.org>
Press 5 -or- 6 after firing up pftop and see which rule is counting upward that is accepting this traffic.

On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
> I'm trying to kill all connections to/from a certain host after reloading the
> ruleset to force it to go through the new ruleset, but it does not seem to work.
>
> My host is a simple gateway with $if_ext being natted to $if_int.
>
> I put this rule as the first filter rule:
>
> block log quick on $if_ext label "block-ext"
>
> Which should prevent any connection from reaching the internet.
> State policy is set to if-bound.
>
> Then I kill existing states (tcp and udp):
>
> pfctl -k $host && pfctl -k 0/0 -k $host
> pfctl -k $gateway && pfctl -k 0/0 -k $gateway
>
> The states are killed and disappear from pftop, but immediately new
> connections get through as if rule "block-ext" didn't exist.
>
> These new states have high rule numbers that correspond to pass rules on
> $if_int.
>
> How is this possible when "block-ext" should block everything?

-- 
 - (2^(N-1))
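Jason's advice is to watch which rule's counters move in pftop. The same check can be scripted against the verbose rule listing that `pfctl -vvsr` prints. The following is an added example, not code from the thread or from the pf project: it parses a constructed sample of that listing (interface names, addresses, counters and rule numbers are made up), reports the pass rules that have created states or passed packets, flags quick block rules whose packet counter never moved, and diffs two snapshots to show which rules are counting upward. It assumes the listing format shown in the sample; on a real gateway you would feed it `pfctl -vvsr` output taken a few seconds apart.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `pfctl -vvsr` output for a gateway like the one in the
# thread: a quick block rule on the external interface (em0) followed by pass
# rules on the internal interface (em1). All numbers and names are made up.
SAMPLE_BEFORE = """\
@0 block drop log quick on em0 all label "block-ext"
  [ Evaluations: 41        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 pass in on em1 inet proto tcp from 192.168.1.0/24 to any flags S/SA keep state
  [ Evaluations: 41        Packets: 1874      Bytes: 210932      States: 12    ]
  [ Inserted: uid 0 pid 1234 State Creations: 37    ]
@2 pass in on em1 inet proto udp from 192.168.1.0/24 to any keep state
  [ Evaluations: 29        Packets: 96        Bytes: 12288       States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 9     ]
"""

# Second constructed snapshot, taken "later": only rule @1 has moved.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "Packets: 1874      Bytes: 210932      States: 12",
    "Packets: 1900      Bytes: 214100      States: 13",
).replace("State Creations: 37", "State Creations: 38")

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)
CREATIONS_RE = re.compile(r"State Creations:\s*(\d+)")


def parse_rules(text: str) -> List[Dict]:
    """Turn a verbose pfctl rule listing into one dict per rule with its counters."""
    rules: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "rule": m.group(2),
                       "evaluations": 0, "packets": 0, "bytes": 0,
                       "states": 0, "state_creations": 0}
            rules.append(current)
            continue
        if current is None:
            continue  # text before the first rule line
        m = COUNTER_RE.search(line)
        if m:
            (current["evaluations"], current["packets"],
             current["bytes"], current["states"]) = map(int, m.groups())
            continue
        m = CREATIONS_RE.search(line)
        if m:
            current["state_creations"] = int(m.group(1))
    return rules


def rules_accepting_traffic(rules: List[Dict]) -> List[Dict]:
    """Pass rules that have created states or passed packets: the rules that
    are actually admitting traffic, whatever the operator expected from order."""
    return [r for r in rules
            if r["rule"].startswith("pass")
            and (r["state_creations"] > 0 or r["packets"] > 0)]


def idle_quick_blocks(rules: List[Dict]) -> List[Dict]:
    """Quick block rules that have never matched a packet. A block rule the
    operator relies on showing up here is the symptom described in the thread."""
    return [r for r in rules
            if r["rule"].startswith("block") and " quick " in r["rule"]
            and r["packets"] == 0]


def counter_delta(before: List[Dict], after: List[Dict]) -> List[Tuple[int, str, int]]:
    """Compare two snapshots of the same ruleset and return (number, rule,
    packets gained) for every rule that is 'counting upward' between them."""
    prev_by_number = {r["number"]: r for r in before}
    moved = []
    for r in after:
        prev = prev_by_number.get(r["number"])
        if prev is not None and r["packets"] > prev["packets"]:
            moved.append((r["number"], r["rule"], r["packets"] - prev["packets"]))
    return moved


if __name__ == "__main__":
    before, after = parse_rules(SAMPLE_BEFORE), parse_rules(SAMPLE_AFTER)
    for r in rules_accepting_traffic(after):
        print(f"accepting: @{r['number']} {r['rule']} (states created: {r['state_creations']})")
    for r in idle_quick_blocks(after):
        print(f"never matched: @{r['number']} {r['rule']}")
    for number, rule, gained in counter_delta(before, after):
        print(f"counting upward: @{number} +{gained} packets  {rule}")
```

Reading the delta together with the idle-block list gives the same picture pftop's rule view gives: the rule admitting the new connections is the one whose packet and state-creation counters climb, while the block rule the operator expected to fire sits at zero.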
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120701193153.GA73402>
