On Thu, Feb 26, 2015 at 12:11:34PM -0500, Ted Unangst wrote:
> D'Arcy J.M. Cain wrote:
> > So why would packets continue to come in for 2.5 hours? My guess is
> > that the hacker is keeping the connection open and attacking over it
> > for 2.5 hours. Does the packet filter not apply to existing
> > connections? Is there some way to change that behaviour?
>
> Yes, that's how stateful firewalls work. Existing states don't evaluate the
> ruleset. You probably want to look into pfctl -k.

The OP has a "no state" on the relevant rule. But no full ruleset has
been posted, so it's hard to tell what's going on exactly. Looking at
the state table with pfctl might help.

-Otto