On Tue, Mar 07, 2006 at 11:08:51PM -0500, Chris Zakelj wrote:
> Steven wrote:
> > * Jim <[EMAIL PROTECTED]> [060307 20:36]:
> >> The problem is that if the kid is already logged into AOL Instant
> >> messenger, the connection is not broken.  So even though she is
> >> grounded, she can still chat all day on AIM.  Why isn't this pf.conf
> >> file blocking everything on that computer?
> > I'm not anything of a pf expert, but shouldn't this be expected if
> > you have keep state rules in your pf.conf?  I mean, you've changed
> > the rule-set, but the connection was set up before the change, and pf
> > will want to keep allowing the packets from the connection to pass
> > as a result.
> >
> > Just my $0.02 CDN, even with the current exchange rates, still not
> > worth a lot.  I'll let the real experts handle it from here.  :-)
> Aye.  You're flushing rules and NAT, but not your state table.  Since
> the state is already established, rules aren't re-evaluated.  Adding a
> state flush ought to get AOL wiped out.  Just be mindful that if you
> have something going on (like an SSH session), those states will also
> get nailed.

There are other ways to go about this: tcpdrop(8) is probably the proper
technical solution. Also, <http://www.bofh.org.pl/man> contains some
useful additional commands, which are, sadly, not part of the base
system - SNIP would be a rather useful thingy, here.

                Joachim
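
The state-table point made in the thread, as an added example that is not part of any poster's message: reload the ruleset, then kill only the states involving one host, so unrelated sessions such as SSH survive. The function names, the PFCTL override variable and the sample address in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): after loading a new ruleset, remove
# only the state entries for one host instead of flushing the whole table.
# PFCTL may be overridden for testing; it defaults to the real pfctl(8).

# Accept only a dotted-quad IPv4 address, so nothing else reaches pfctl.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ground_host HOST [CONF]: load CONF, then kill HOST's existing states.
ground_host() {
    host=$1
    conf=${2:-/etc/pf.conf}
    pf=${PFCTL:-pfctl}

    is_ipv4 "$host" || { echo "not an IPv4 address: $host" >&2; return 2; }

    "$pf" -nf "$conf" || return 1   # parse only; stop before touching live rules
    "$pf" -f "$conf"  || return 1   # load the new ruleset (new connections)
    "$pf" -k "$host"  || return 1   # kill states originating from the host
    "$pf" -k 0.0.0.0/0 -k "$host"   # kill states from anywhere to the host
}

# Typical use, as root on the firewall (address is a constructed sample):
#   ground_host 192.0.2.50 /etc/pf.conf
```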
