Hello misc,
I'm really coming around to using OpenBSD and PF for my firewalls; it has
been a great experience so far. However, I am having trouble with the pfctl
command in regards to killing an active state. I've tried my best to follow
the man pages and seem to be doing just what it says, but it just isn't
working.
I have an OpenBSD box routing between two LAN segments, 192.168.10.0/24 and
192.168.0.0/24. I add a rule to my pf.conf to block traffic from the
192.168.10.0/24 net to a specific host, 192.168.0.23, port 80. Works fine;
all new connection attempts are blocked as expected. However, if there is an
existing established connection, it continues to function. So I try to kill
the existing state with pfctl, but no luck.
First I tried it by specific ID:

# pfctl -s state -vv | grep 192.168.0.23 -A 3
all tcp 192.168.0.23:80 <- 192.168.10.111:1230       ESTABLISHED:ESTABLISHED
   [2511621728 + 59935]  [791437282 + 6432]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b35 creatorid: a11bb4a9
all tcp 192.168.10.111:1230 -> 192.168.0.23:80       ESTABLISHED:ESTABLISHED
   [791437282 + 6432]  [2511621728 + 59935]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b36 creatorid: a11bb4a9

# pfctl -k id -k 4ca1ac7500441b35
killed 0 states
Trying without the -k id produces "killed 0 states from 1 source and 0
destinations"

Trying to kill all connections from the host (pfctl -k 192.168.0.23) does
the same.
I'm pulling this straight from the pfctl man pages, but can't seem to get it
working. I know I'm probably messing up something silly, but am blind to see
what it is!
As always, thanks for the help in advance. I love this group, everyone has
been very helpful as I make my journey into OpenBSD.
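The situation described in the post (a new block rule in pf.conf that does not affect connections whose state already exists) is a standard property of stateful filtering: the rule set is consulted only for packets that create a state, so enforcing a new block on sessions that are already established means removing their state entries as well. As an added example that is not part of the original post, the script below parses the `pfctl -s state -vv` listing format shown above, selects every state in which a given host is one of the two endpoints, and prints the matching `pfctl -k id -k ID/CREATORID` commands (the `id/creatorid` suffix form of `-k id` that pfctl(8) documents) rather than running them, so the result can be reviewed first. The state listing embedded in the script is constructed for offline use from the post's own output plus one unrelated UDP state; on a live box you would feed `pfctl -s state -vv` into the function instead.

```shell
#!/bin/sh
# Added example, not from the original post: list the pfctl kill commands for
# every state that has HOST as either endpoint. The block rule this is meant
# to back up would be something like (assumed interface name $int_if):
#   block in quick on $int_if proto tcp from 192.168.10.0/24 to 192.168.0.23 port 80
# pf.conf changes only affect new states, so existing ones must be killed too.

# Constructed sample listing in 'pfctl -s state -vv' format: both directions of
# the post's connection plus one unrelated UDP state (so filtering is visible).
SAMPLE_STATES='all tcp 192.168.0.23:80 <- 192.168.10.111:1230       ESTABLISHED:ESTABLISHED
   [2511621728 + 59935]  [791437282 + 6432]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b35 creatorid: a11bb4a9
all tcp 192.168.10.111:1230 -> 192.168.0.23:80       ESTABLISHED:ESTABLISHED
   [791437282 + 6432]  [2511621728 + 59935]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b36 creatorid: a11bb4a9
all udp 192.168.10.5:53210 -> 192.168.0.1:53       MULTIPLE:MULTIPLE
   age 00:00:05, expires in 00:00:55, 3:3 pkts, 200:600 bytes
   id: 4ca1ac7500441b99 creatorid: a11bb4a9'

# kill_cmds_for_host HOST  (reads a state listing on stdin)
# Prints one "pfctl -k id -k ID/CREATORID" line per state whose header line
# names HOST as an endpoint. The match requires a leading space and a trailing
# ":port" so that 192.168.0.2 does not match 192.168.0.23 and vice versa.
kill_cmds_for_host() {
    awk -v host="$1" '
        # Header lines are unindented: "<if> <proto> <addr:port> <dir> <addr:port> ...".
        /^[^ ]/ {
            hit = (index($0, " " host ":") > 0)
            next
        }
        # The indented "id: ... creatorid: ..." line belongs to the last header.
        hit && /^ *id: / {
            print "pfctl -k id -k " $2 "/" $4
            hit = 0
        }
    '
}

# Demonstration on the constructed listing: prints the two commands for the
# post's host. To act on them, pipe this output into sh after reviewing it.
printf '%s\n' "$SAMPLE_STATES" | kill_cmds_for_host 192.168.0.23
```

Because every state is stored in both directions (the `<-` and `->` entries share a connection but have distinct IDs, as the post's output shows), the script emits a kill command for each entry, which is why a single host match yields two lines here.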