Try flushing the state table too. -Andy
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim
Sent: 08 March 2006 03:00
To: misc@openbsd.org
Subject: Why packets are not blocked

When my kid gets grounded, I block the gameroom computer from getting to the internet. The script that runs is:

#!/bin/sh -
cp /home/jmays/pf.conf.noGameroom /etc/pf.conf
pfctl -F rules -f /etc/pf.conf
pfctl -F nat -f /etc/pf.conf

The file that becomes the pf.conf file is:

# pf.conf.noGameroom file
#
# Define useful variables
#
ExtIF ="dc0"                # External Interface
IntIF ="hme0"               # Internal Interface
loopbackIF="lo0"            # Loopback Interface
#
IntNet ="192.168.100.0/24"  # Our internal network
Austin ="192.168.100.129"
Gameroom="192.168.100.130"
NoRouteIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
#Services="{ ssh, ftp }"
Services="{ ssh }"

# Clean up fragmented and abnormal packets
scrub in all

# nat on dc1 from 192.168.100.0/24 to any -> dc1
nat on $ExtIF from $Gameroom to any tag GAME -> ($ExtIF)
nat on $ExtIF from $IntNet to any -> ($ExtIF)

block out log quick on $ExtIF tagged GAME

# pass anything on loopback
pass out quick on $loopbackIF

# don't allow anyone to spoof non-routable addresses
block in quick on $ExtIF from $NoRouteIPs to any
block out quick on $ExtIF from any to $NoRouteIPs

# by default, block all incoming packets, except those explicitly
# allowed by further rules
block in on $ExtIF all

# allow others to use allowed services
pass in on $ExtIF inet proto tcp from any to any port $Services \
    flags S/SA keep state

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto udp all keep state
pass out log on $ExtIF inet proto icmp all keep state
#

The problem is that if the kid is already logged into AOL Instant Messenger, the connection is not broken. So even though she is grounded, she can still chat all day on AIM. Why isn't this pf.conf file blocking everything on that computer?

Here is the tail of the pflog file while she is on:

Mar 07 20:30:43.516434 rule 14/0(match): pass out on dc0: 67.174.79.141.60805 > 64.12.174.121.80: S 3652110150:3652110150(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.739711 rule 14/0(match): pass out on dc0: 67.174.79.141.52657 > 209.62.180.190.80: S 4073040009:4073040009(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:43.960820 rule 14/0(match): pass out on dc0: 67.174.79.141.63494 > 216.39.69.77.80: S 3255465945:3255465945(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:30:44.014579 rule 15/0(match): pass out on dc0: 67.174.79.141.60482 > 204.127.202.4.53: 46801+ A? spe.atdmt.com. (31)
Mar 07 20:30:44.063887 rule 14/0(match): pass out on dc0: 67.174.79.141.60937 > 80.67.84.16.80: S 1960373362:1960373362(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
Mar 07 20:31:02.940879 rule 14/0(match): pass out on dc0: 67.174.79.141.51753 > 204.127.198.10.110: S 2067644325:2067644325(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)

I don't even have 14 rules. Why is this passing on rule 14?

Thanks
Jim
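As an added example that is not part of either message, here is the grounding script with the step Andy's reply points at, removing the existing state entries after the new ruleset is loaded, plus a way to look up the rule numbers pflog reports. The paths and the 192.168.100.130 address come from Jim's message; the assumption that the gameroom host shows up as the source address of its own state entries (so that pfctl -k can target it) is mine. Setting RUN=echo prints the privileged commands instead of running them, so the logic can be exercised on a machine without pf.

```shell
#!/bin/sh -
# Added example, not code from the thread: the grounding script with the
# state-clearing step and a rule-number check. Paths and addresses are the
# ones from Jim's message; that the gameroom host appears as the source
# address of its own state entries (so pfctl -k can target it) is assumed.
#
# Set RUN=echo to print the privileged commands instead of executing them.

RUN="${RUN:-}"
RULESET="${RULESET:-/home/jmays/pf.conf.noGameroom}"
LIVE_CONF="${LIVE_CONF:-/etc/pf.conf}"
GAMEROOM="${GAMEROOM:-192.168.100.130}"

# Install and load the "no gameroom" ruleset. pfctl -f loads every section
# of the file (options, scrub, nat, filter) in one pass, so the separate
# -F rules / -F nat reloads in the original script are not needed.
load_ruleset() {
    $RUN cp "$RULESET" "$LIVE_CONF" || return 1
    $RUN pfctl -f "$LIVE_CONF"
}

# pf is stateful: a packet that matches an existing state entry is passed
# without the filter rules being consulted, and state entries created under
# the old ruleset survive a reload. A new block rule therefore only affects
# sessions that start after it is loaded, unless the old states are removed.
# pfctl -k <host> removes the states originating from that host; the
# blunter pfctl -F state (Andy's suggestion) drops every host's sessions.
kill_host_states() {
    $RUN pfctl -k "$1"
}

# pflog's "rule N" is the position in the loaded, expanded filter ruleset:
# each address in a { } list expands to its own rule, so the count is
# larger than the number of rule lines in pf.conf. pfctl -vvsr prints the
# loaded rules with their @N numbers so a logged rule can be looked up.
show_rule_numbers() {
    $RUN pfctl -vvsr
}

ground_gameroom() {
    load_ruleset || return 1
    kill_host_states "$GAMEROOM"
}

# Only apply when explicitly asked; running without "apply" just defines
# the functions.
if [ "${1:-}" = "apply" ]; then
    ground_gameroom && show_rule_numbers
fi
```

Run as `sh ground.sh apply` on the firewall; `RUN=echo sh ground.sh apply` shows what would be executed without touching pf.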