Date: Sun, 1 Jul 2012 22:03:28 +0200
From: Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
To: Jason Hellenthal <jhellenthal@dataix.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Can't kill connections
Message-ID: <CAC9GOO_VGjtU5jqD42JTSWpj1LRbThhFUk-_OPEuJ=a-HO-u6g@mail.gmail.com>
In-Reply-To: <20120701193153.GA73402@DataIX.net>
References: <jsq57a$9ep$1@dough.gmane.org> <20120701193153.GA73402@DataIX.net>
On Sun, Jul 1, 2012 at 9:31 PM, Jason Hellenthal <jhellenthal@dataix.net> wrote:
>
> Press 5 -or- 6 after firing up pftop and see which rule is counting
> upward that is accepting this traffic.
>

I've found it! They were passed via "rdr pass" rules under the "miniupnpd" anchor.
Unfortunately pftop does not show nat/rdr rules.

> On Sun, Jul 01, 2012 at 06:34:18PM +0000, Marcin Wisnicki wrote:
>> I'm trying to kill all connections to/from a certain host after reloading
>> the ruleset to force it to go through the new ruleset, but it does not seem to work.
>>
>> My host is a simple gateway with $if_ext being natted to $if_int.
>>
>> I put this rule as the first filter rule:
>>
>>   block log quick on $if_ext label "block-ext"
>>
>> Which should prevent any connection from reaching the internet.
>> State policy is set to if-bound.
>>
>> Then I kill existing states (tcp and udp):
>>
>>   pfctl -k $host && pfctl -k 0/0 -k $host
>>   pfctl -k $gateway && pfctl -k 0/0 -k $gateway
>>
>> The states are killed and disappear from pftop, but immediately new
>> connections get through as if rule "block-ext" didn't exist.
>>
>> These new states have high rule numbers that correspond to pass rules on
>> $if_int.
>>
>> How is this possible when "block-ext" should block everything?
>
> --
>
>  - (2^(N-1))
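The mechanism behind Marcin's finding, as an added illustration that is not part of the thread: in pf.conf(5) the `pass` modifier on a `nat`/`rdr` rule means packets matching the translation are passed without ever being evaluated against the filter rules, so a `block ... quick` rule at the top of the filter section never sees them. The interface names, addresses and port below are assumptions, and the commented `rdr pass` line only shows the shape of what a UPnP daemon inserts into its anchor at run time; a `pf.conf` on a real gateway will differ.

```pf
# Added example, not from the thread. Macros are assumed values.
if_ext = "em0"
if_int = "em1"
host   = "192.168.1.50"      # LAN host whose connections should be cut off

set state-policy if-bound

# --- Translation section -------------------------------------------------
nat on $if_ext from $if_int:network to any -> ($if_ext)

# The anchor is populated by the daemon, not by this file. A port mapping it
# creates looks roughly like the commented line below. Because of the "pass"
# modifier, a packet matching it is translated and passed immediately; the
# filter rules further down, including "block-ext", are not consulted.
rdr-anchor "miniupnpd"
#   rdr pass on $if_ext proto tcp from any to ($if_ext) port 6881 -> $host port 6881

# Hardened form for rules you control yourself: translate only, and let an
# explicit filter rule decide. With "block-ext" first and "quick", the
# redirected packet is now blocked like everything else on $if_ext.
rdr on $if_ext proto tcp from any to ($if_ext) port 2222 -> $host port 22

# --- Filter section ------------------------------------------------------
block log quick on $if_ext label "block-ext"
anchor "miniupnpd"
pass in on $if_ext proto tcp from any to $host port 22 keep state
pass on $if_int all keep state

# Inspection, since pftop does not list nat/rdr rules:
#   pfctl -a miniupnpd -s nat     # rdr/nat rules loaded into the anchor
#   pfctl -a miniupnpd -s rules   # filter rules loaded into the anchor
#   pfctl -s states               # current states, including their rule numbers
```

The practical consequence for the original question is that killing states with `pfctl -k` cannot help while a `rdr pass` rule remains loaded: each new packet matching it is translated and passed again, and the only state that appears is the one created on `$if_int`, which is why the high rule numbers pointed at the `$if_int` pass rules. Removing or flushing the anchor contents (`pfctl -a miniupnpd -F nat`) or blocking on `$if_int` as well are the places to look.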