When I run my bittorrent app on my client I bind it to a secondary IP
address. On my OpenBSD firewall I load an anchor that does some rdr's
to this secondary address as well as block many IP addresses via a
table to/from this secondary address. The table is quite large and it
would block normally valid web traffic which is why it filters only the
secondary IP address.

When I'm done with any bittorrent activity, I normally flush the anchor
and kill any remaining states (pfctl -k 192.168.1.66 and pfctl -k
0.0.0.0/0 -k 192.168.1.66). Until recently a:

pfctl -ss | grep '1\.66'

would show no states associated with the address. However, now I get:

all tcp 68.60.76.152:55851 (192.168.1.66:34617) -> 78.62.106.75:6879       ESTABLISHED:ESTABLISHED
all tcp 68.60.76.152:62416 (192.168.1.66:39940) -> 76.206.22.149:29780      ESTABLISHED:ESTABLISHED
<snip> - many more

And pftop shows 192.168.1.66 as a GW address (the 192.168.1.66
addresses are all in the GW column of pftop's long view):

tcp  Out 68.60.76.152:55851  78.62.106.75:6879    192.168.1.66:34617  ESTABLISHED:ESTABLISHED  04:28:42  19:41:48  1152  761698  0  0  47  *
tcp  Out 68.60.76.152:62416  76.206.22.149:29780  192.168.1.66:39940  ESTABLISHED:ESTABLISHED  04:28:28  19:40:00   474  357351  0  0  22  *
tcp  Out 68.60.76.152:62477  87.207.239.182:28479 192.168.1.66:44893  ESTABLISHED:ESTABLISHED  04:27:25  19:36:37    18    2755  0  0   0  *
tcp  Out 68.60.76.152:57534  86.209.94.221:19737  192.168.1.66:46764  ESTABLISHED:ESTABLISHED  04:21:55  19:56:53   566  350043  0  0  22  *
tc

As the address is in some sort of weird GW state (at least that's what I
make of it), its established states cannot be killed with pfctl. I even
deleted the secondary IP address from my client box and these
established states remain.
--
Chris
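An added example, not part of Chris's post: a small parser for `pfctl -ss` lines that tells apart states where an address is a real endpoint from states where it appears only in the parenthesized (translated/GW) position, which is the situation the post describes. The sample output is constructed after the lines above; it also returns the original src/dst pair of each GW-only state, the two addresses the `pfctl -k src -k dst` form takes, so an operator can confirm which states a single-host `-k` did not cover.

```python
import re

# Constructed sample modelled on the pfctl -ss output in the post.
SAMPLE = """\
all tcp 68.60.76.152:55851 (192.168.1.66:34617) -> 78.62.106.75:6879    ESTABLISHED:ESTABLISHED
all tcp 68.60.76.152:62416 (192.168.1.66:39940) -> 76.206.22.149:29780  ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:50321 -> 93.184.216.34:443    ESTABLISHED:ESTABLISHED
all udp 192.168.1.66:51413 -> 203.0.113.9:6881     MULTIPLE:MULTIPLE
"""

# iface proto src [(gw)] -> | <- dst state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[^\s(]+)"
    r"(?:\s+\((?P<gw>[^)]+)\))?"
    r"\s+(?P<dir>->|<-)\s+"
    r"(?P<dst>\S+)\s+(?P<state>\S+)\s*$"
)


def host_of(hostport):
    """Strip the ':port' suffix from 'a.b.c.d:port'."""
    return hostport.rpartition(":")[0]


def parse_states(text):
    """Yield one dict per parseable pfctl -ss line; skip anything else."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def states_for(text, host):
    """Return (kind, state) for every state touching host.

    kind is 'endpoint' when host is the state's src or dst, and
    'gateway-only' when host appears solely in the (gw) position.
    """
    hits = []
    for st in parse_states(text):
        if host in (host_of(st["src"]), host_of(st["dst"])):
            hits.append(("endpoint", st))
        elif st["gw"] and host_of(st["gw"]) == host:
            hits.append(("gateway-only", st))
    return hits


def kill_pairs(text, host):
    """Original (src, dst) host pair of each gateway-only state."""
    return [(host_of(st["src"]), host_of(st["dst"]))
            for kind, st in states_for(text, host) if kind == "gateway-only"]
```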
