--> patrick keshishian <pkesh...@gmail.com> [2013-02-07 12:16:40 -0800]:
> look in 'man pfctl' and search for killing active sessions.
>
>
> On Thu, Feb 7, 2013 at 12:13 PM, Martijn van Duren <martijn...@gmail.com>
> wrote:
> > Hello misc,
> >
> > Today I watched the current connections on my small home server and I
> > noticed an unfamiliar ftp-connection. Upon inspecting the connection I
> > noticed it was a brute force attack, so I fired up my pfctl-utility and
> > tried to block the attack by adding the ip to my quick drop table.
> > After adding the ip to the table I noticed that the connection was still
> > happily active and even reloading my entire ruleset with pfctl
> > -f /etc/pf.conf didn't help, so I resorted to tcpdrop.
> >
> > My question is, is it possible to destroy an active connection by
> > something like adding an ip to a drop quick table (did I miss a certain
> > flag?) or do I, in the event that something like this happens again,
> > always have to perform a two stage drop?
> >
> > Sincerely,
> >
> > Martijn

If you have block drop quick rules in an anchor, I believe you do not need
to reload the rules - the rule in the anchor becomes effective immediately,
is that right? I use an anchor to block incoming smtp connections that way.

Would you still need to use pfctl -k ... to kill the connection when using
anchors?

Jamie

-- 
Primary Key: 4096R/1D31DC38 2011-12-03
Key Fingerprint: A4B9 E875 A18C 6E11 F46D B788 BEE6 1251 1D31 DC38
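The "two stage drop" the thread is about, scripted as an added example that is not from any of the posters: stage one puts the address in a table that a `block drop quick` rule references (new packets are dropped from then on), stage two removes the states pf already holds for that address, which the table change alone never touches. It assumes a pf.conf with `table <bruteforce> persist` and `block drop quick from <bruteforce>`; the `PF_DRY_RUN` switch is a constructed convenience that prints the pfctl commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes pf.conf contains:
#   table <bruteforce> persist
#   block drop quick from <bruteforce>
# PF_DRY_RUN=1 prints the pfctl commands instead of executing them.

PF_TABLE=${PF_TABLE:-bruteforce}

# pf_cmd: run pfctl, or echo the command line when PF_DRY_RUN is set.
pf_cmd() {
    if [ -n "${PF_DRY_RUN:-}" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# pf_valid_ip4: accept only a dotted quad, so a mistyped or pasted argument
# never reaches "pfctl -k" (constructed check; IPv4 only).
pf_valid_ip4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# pf_block_and_kill: stage 1 adds the address to the table so new packets
# hit the "block quick" rule; stage 2 kills the established states, which a
# table change or a ruleset reload leaves alive.
pf_block_and_kill() {
    _ip=$1
    pf_valid_ip4 "$_ip" || { echo "bad address: $_ip" >&2; return 2; }
    pf_cmd -t "$PF_TABLE" -T add "$_ip" || return 1
    # states whose source is the attacker (the inbound ftp session)
    pf_cmd -k "$_ip" || return 1
    # states from anywhere to the attacker (anything this host opened to it)
    pf_cmd -k 0.0.0.0/0 -k "$_ip" || return 1
}
```

After a real run, `pfctl -ss | grep <address>` should come back empty; the same state kill is what pf does on its own when an `overload <bruteforce> flush global` option is attached to the rule that admits the connections.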