I'm trying to kill all connections to/from a certain host after reloading the ruleset, to force them to go through the new ruleset, but it does not seem to work.

My host is a simple gateway with $if_ext being NATed to $if_int. I put this rule as the first filter rule:

    block log quick on $if_ext label "block-ext"

which should prevent any connection from reaching the internet. State policy is set to if-bound. Then I kill existing states (TCP and UDP):

    pfctl -k $host && pfctl -k 0/0 -k $host
    pfctl -k $gateway && pfctl -k 0/0 -k $gateway

The states are killed and disappear from pftop, but immediately new connections get through as if the rule "block-ext" didn't exist. These new states have high rule numbers that correspond to pass rules on $if_int. How is this possible when "block-ext" should block everything?

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
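One way to check which rule and interface created each state after the kill, as an added example that is not part of the original post or of pf itself: a small Python parser that joins `pfctl -vvss` state entries with the `@N`-numbered rules from `pfctl -vvsr`. The embedded command output is constructed, uses em0/em1 in place of $if_ext/$if_int, and assumes `set state-policy if-bound`, where the first column of each state is the interface it is bound to.

```python
import re

# Constructed sample of `pfctl -vvsr` output; the "@N" prefix is the rule number.
RULES_TXT = """\
@0 block drop log quick on em0 all label "block-ext"
  [ Evaluations: 40        Packets: 12        Bytes: 960         States: 0     ]
@1 pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any flags S/SA keep state
@2 pass in quick on em1 inet proto udp from 192.168.1.0/24 to any keep state
"""

# Constructed `pfctl -vvss` output under "set state-policy if-bound": column 1 is the bound interface.
STATES_TXT = """\
em1 tcp 192.168.1.10:50321 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   age 00:00:05, expires in 24:00:00, 12:10 pkts, 1500:2000 bytes, rule 1
em1 udp 192.168.1.10:5353 -> 192.0.2.53:53       SINGLE:MULTIPLE
   age 00:00:02, expires in 00:00:58, 1:1 pkts, 60:120 bytes, rule 2
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
# iface proto src [(translated-src)] -> dst; the parenthesised NAT address is optional
STATE_HDR_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(\S+\))?\s+(?:->|<-)\s+(\S+)")
STATE_RULE_RE = re.compile(r"\brule\s+(\d+)\b")

def parse_rules(text):
    """Map rule number -> rule text from `pfctl -vvsr` output (stat lines are skipped)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def parse_states(text):
    """Return (iface, proto, src, dst, rule_no) per state from `pfctl -vvss` output."""
    states = []
    for line in text.splitlines():
        if line and not line.startswith(" "):  # unindented line starts a new state entry
            m = STATE_HDR_RE.match(line)
            if m:
                states.append([m.group(1), m.group(2), m.group(3), m.group(4), None])
        elif states:  # indented detail lines carry the number of the creating rule
            m = STATE_RULE_RE.search(line)
            if m:
                states[-1][4] = int(m.group(1))
    return [tuple(s) for s in states]

def states_by_rule(rules_txt, states_txt):
    """Join each state with the text of the rule that created it (None if unknown)."""
    rules = parse_rules(rules_txt)
    return [s + (rules.get(s[4]),) for s in parse_states(states_txt)]
```

Feeding real output from `pfctl -vvsr` and `pfctl -vvss` into `states_by_rule` shows, for every state that survives or reappears after `pfctl -k`, the interface it is bound to and the pass rule that created it.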
