Anyone on this?

Thanks
Giannis
On 18/02/11 19:36, Kapetanakis Giannis wrote:
Hi,

The flush global directive in the following pf rule does not kill all states of the offending host.

table <abusive_hosts> persist
block in quick log on $ext_if from <abusive_hosts>
block in
pass in quick on $ext_if proto tcp from 10.0.0.2 to ($ext_if) port 2000:2002 \
    flags S/SA keep state (tcp.first 15, tcp.closing 30, tcp.finwait 15, tcp.closed 15, \
    max-src-conn 1, overload <abusive_hosts> flush global)

I'm using nc to do this test:

server# nc -l 2000
server# nc -l 2001
10.0.0.2# nc server 2000
10.0.0.2# nc server 2001    (connection blocked)

Host 10.0.0.2 is added in <abusive_hosts> and the rest of the connections are blocked.

# pfctl -t abusive_hosts -vT show
   10.0.0.2
        Cleared:     Fri Feb 18 19:17:12 2011

Feb 18 19:17:17.354147 rule 1/(match) block in on fxp0: 10.0.0.2.38283 > 10.0.0.1.2001: P 2121540353:2121540363(10) ack 1359198395 win 92 <nop,nop,timestamp 89238363 4104326239> (DF)

However, the first connection (to port 2000) remains established and is not flushed.

# pfctl -s states | grep 10.0.0.2
all tcp 10.0.0.1:2000 <- 10.0.0.2:44923       ESTABLISHED:ESTABLISHED

Is it something I misused or don't understand correctly?

regards,
Giannis

ps. OpenBSD 4.8 GENERIC#0 i386
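The check the thread is really after, written out as a small shell helper. This is an added example and not part of the original mail or of pf itself: it reads `pfctl -s states` output, keeps only the states that originate from the overloaded host, and reports any that survived the flush so they can be removed by hand with `pfctl -k <host>` (pfctl's option for killing states originating from a host). It assumes the state-line layout quoted above ("<if> <proto> <addr1> <dir> <addr2> <state>") with IPv4 addresses; the sample state lines are constructed here, with only the first taken from the mail.

```shell
#!/bin/sh
# Added example, not from the original thread: after an overload/flush event,
# verify that no pf states created by the offending host survived, and name
# the manual fallback (pfctl -k HOST) if some did.
# Assumes the `pfctl -s states` line layout shown in the thread with IPv4
# addresses; IPv6 state lines are not handled.

# Constructed sample in the layout of `pfctl -s states`. The first line is the
# one quoted in the thread; the others are made up for contrast (one more
# state from 10.0.0.2, one from a different host, one outbound state).
SAMPLE_STATES='all tcp 10.0.0.1:2000 <- 10.0.0.2:44923       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.1:22 <- 192.0.2.7:51000       ESTABLISHED:ESTABLISHED
all udp 10.0.0.1:53 <- 10.0.0.2:40000       MULTIPLE:SINGLE
all tcp 10.0.0.1:39512 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED'

# states_from_host HOST: read state lines on stdin and print those whose
# originating address is HOST. For an inbound state ("dst <- src") the origin
# is the right-hand address; for an outbound one ("src -> dst") it is the
# left-hand address. The :port suffix is stripped before comparing.
states_from_host() {
    awk -v h="$1" '
        NF >= 6 {
            origin = ($4 == "<-") ? $5 : $3
            sub(/:[0-9]+$/, "", origin)
            if (origin == h) print
        }'
}

# count_states_from_host HOST: number of surviving states originating from HOST.
count_states_from_host() {
    states_from_host "$1" | wc -l | tr -d ' '
}

# check_flushed HOST: return 0 if no states from HOST remain, 1 otherwise.
# On a live firewall feed it real output:  pfctl -s states | check_flushed 10.0.0.2
check_flushed() {
    leftover=$(count_states_from_host "$1")
    if [ "$leftover" -eq 0 ]; then
        echo "no states left from $1"
        return 0
    fi
    echo "$leftover state(s) from $1 survived the flush; kill them with: pfctl -k $1"
    return 1
}

# Stand-alone run against the constructed sample (no pfctl needed). The
# non-zero return is the expected report for 10.0.0.2, so it is not treated
# as a script failure here.
printf '%s\n' "$SAMPLE_STATES" | check_flushed 10.0.0.2 || :
```

Run on the box itself as `pfctl -s states | check_flushed 10.0.0.2` right after the table entry appears; a non-zero exit means the overload did not clear everything for that source and `pfctl -k 10.0.0.2` is the way to finish the job.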