Date:      Sun, 1 Jul 2012 15:31:53 -0400
From:      Jason Hellenthal <jhellenthal@dataix.net>
To:        Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Can't kill connections
Message-ID:  <20120701193153.GA73402@DataIX.net>
In-Reply-To: <jsq57a$9ep$1@dough.gmane.org>
References:  <jsq57a$9ep$1@dough.gmane.org>


Press 5 -or- 6 after firing up pftop and see which rule is counting
upward that is accepting this traffic.

On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
> I'm trying to kill all connections to/from a certain host after reloading the
> ruleset to force it to go through the new ruleset, but it does not seem to work.
>
> My host is a simple gateway with $if_ext being natted to $if_int.
>
> I put this rule as the first filter rule:
>
>   block log quick on $if_ext label "block-ext"
>
> Which should prevent any connection from reaching the internet.
> State policy is set to if-bound.
>
> Then I kill existing states (tcp and udp):
>
>   pfctl -k $host && pfctl -k 0/0 -k $host
>   pfctl -k $gateway && pfctl -k 0/0 -k $gateway
>
> The states are killed and disappear from pftop, but immediately new
> connections get through as if rule "block-ext" didn't exist.
>
> These new states have high rule numbers that correspond to pass rules on
> $if_int.
>
> How is this possible when "block-ext" should block everything?

-- 

 - (2^(N-1))
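Jason's advice is to watch which rule's counter is climbing. The script below, added here and not part of the thread, does the equivalent offline on `pfctl -vvss` output: it parses each state, keeps those involving one host, and groups them by the interface the state is bound to and the rule that created it, which is the "high rule numbers" observation Marcin made from pftop. The layout it assumes (first line per state `<if> <proto> <src> [(<translated>)] -> <dst> <state>`, with `all` marking a floating state, and an indented line ending in `rule <n>`) is an assumption to check against your pfctl version; the sample states are constructed.

```python
# Added example (not from the thread): group pf states for one host by the
# interface they are bound to and the rule that created them.
# Input is `pfctl -vvss` output; the layout assumed here is an assumption to
# verify against your pfctl version. SAMPLE_STATES is constructed data.
import re
from collections import Counter

SAMPLE_STATES = """\
em1 tcp 192.168.1.10:54321 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
   [2342565 + 65536] wscale 7  [1234 + 65536] wscale 7
   age 00:00:05, expires in 24:00:00, 10:8 pkts, 1200:900 bytes, rule 12
em1 udp 192.168.1.10:5353 -> 8.8.8.8:53       MULTIPLE:SINGLE
   age 00:00:01, expires in 00:00:29, 1:0 pkts, 60:0 bytes, rule 14
em0 tcp 203.0.113.1:61234 (192.168.1.10:54321) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
   age 00:00:05, expires in 24:00:00, 10:8 pkts, 1200:900 bytes, rule 1
em0 tcp 198.51.100.7:44000 -> 192.168.1.10:22       ESTABLISHED:ESTABLISHED
   age 00:10:00, expires in 23:50:00, 100:90 pkts, 9000:8000 bytes, rule 3
all tcp 192.168.1.11:40000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   age 00:00:02, expires in 24:00:00, 3:2 pkts, 300:200 bytes, rule 12
"""

# First line of a state: interface ("all" = floating), protocol, source,
# optional translated address in parentheses, "->", destination.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<xlat>[^)]+)\))?\s+->\s+(?P<dst>\S+)"
)
# The rule number appears on one of the indented detail lines.
RULE_RE = re.compile(r"\brule\s+(?P<rule>\d+)\b")


def host_of(endpoint):
    """Strip the port: 'a.b.c.d:p', '[v6]:p' or 'v6[p]' -> address."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    if endpoint.endswith("]"):
        return endpoint[:endpoint.index("[")]
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Return one dict per state: iface, proto, src, xlat, dst, rule."""
    states, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = STATE_RE.match(line)
            current = dict(m.groupdict(), rule=None) if m else None
            if current:
                states.append(current)
        elif current is not None:
            m = RULE_RE.search(line)
            if m:
                current["rule"] = int(m.group("rule"))
    return states


def endpoints(state):
    return [e for e in (state["src"], state["xlat"], state["dst"]) if e]


def states_for_host(states, host):
    """States in which host is the source, destination or NAT address."""
    return [s for s in states if host in map(host_of, endpoints(s))]


def rule_histogram(states):
    """Count states per (bound interface, creating rule); 'all' = floating."""
    return Counter((s["iface"], s["rule"]) for s in states)


def floating_states(states):
    """Floating states match on any interface: a packet leaving on another
    interface is matched by the state before that interface's rules are read,
    so a per-interface block rule never sees it."""
    return [s for s in states if s["iface"] == "all"]


def report(text, host):
    """Summarise which interface/rule pairs the host's states came from."""
    mine = states_for_host(parse_states(text), host)
    lines = [f"{len(mine)} state(s) involve {host}"]
    for (iface, rule), n in sorted(rule_histogram(mine).items(),
                                   key=lambda kv: -kv[1]):
        lines.append(f"  {n:3d} on {iface:<6} created by rule {rule}")
    if floating_states(mine):
        lines.append("  note: some of these states are floating, not if-bound")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_STATES, "192.168.1.10"))
```

Run it as `pfctl -vvss | python3 pfstates.py` after replacing `SAMPLE_STATES` with `sys.stdin.read()`; a state listed under `all` rather than a named interface means the state is floating and the if-bound policy did not take effect for it, which is the first thing to check when a block rule on `$if_ext` is being bypassed.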
