On Thu, Feb 26, 2015 at 12:11:34PM -0500, Ted Unangst wrote:

> D'Arcy J.M. Cain wrote:
> > So why would packets continue to come in for 2.5 hours? My guess is
> > that the hacker is keeping the connection open and attacking over it
> > for 2.5 hours. Does the packet filter not apply to existing
> > connections? Is there some way to change that behaviour?
>
> Yes, that's how stateful firewalls work. Existing states don't evaluate the
> ruleset. You probably want to look into pfctl -k.

The OP has a "no state" on the relevant rule. But no full ruleset has been
posted, so it's hard to tell what's going on exactly. Looking at the state
table with pfctl might help.

-Otto
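
The state-table check suggested above, as an added example that is not part of the original thread: this Python code reads text in the layout printed by `pfctl -ss`, reports states whose source address falls inside a block list, and builds the `pfctl -k` command that clears each one. The sample state lines, the block list and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout printed by `pfctl -ss`; addresses are
# documentation ranges, not values from the thread.
SAMPLE_STATES = """\
all tcp 192.0.2.10:25 <- 203.0.113.77:40112       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:25 <- 203.0.113.77:40388       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.0.2.10:22 <- 198.51.100.4:51822       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:43122 -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
all tcp 2001:db8::10[25] <- 2001:db8:bad::5[50100]       ESTABLISHED:ESTABLISHED
"""
BLOCKED = ["203.0.113.0/24", "2001:db8:bad::/48"]  # hypothetical block list


def endpoint_host(token):
    """Strip the port from an endpoint: 'a.b.c.d:port' or 'v6addr[port]'."""
    if token.endswith("]"):
        token = token[: token.index("[")]
    elif token.count(":") == 1:
        token = token.rsplit(":", 1)[0]
    return ipaddress.ip_address(token)


def states_from_blocked(state_dump, blocked):
    """Return {source address: state count} for states whose source is blocked."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocked]
    hits = {}
    for line in state_dump.splitlines():
        # Drop parenthesised NAT/rdr addresses so the field positions are fixed.
        f = [t for t in line.split() if not t.startswith("(")]
        if len(f) < 6 or f[3] not in ("<-", "->"):
            continue
        try:
            # With "<-" the remote source is on the right; with "->" on the left.
            src = endpoint_host(f[4] if f[3] == "<-" else f[2])
        except ValueError:
            continue  # unparsable endpoint, skip rather than guess
        if any(src.version == n.version and src in n for n in nets):
            hits[str(src)] = hits.get(str(src), 0) + 1
    return hits


def kill_commands(hits):
    """One `pfctl -k <host>` per source; -k removes states originating there."""
    return [f"pfctl -k {host}" for host in sorted(hits)]


if __name__ == "__main__":
    for cmd in kill_commands(states_from_blocked(SAMPLE_STATES, BLOCKED)):
        print(cmd)
```

The outbound state to 203.0.113.80 is not reported because its source is the local host; only states that a blocked address originated are counted.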