On Thu, Dec 12, 2002 at 05:53:52PM +0200, Can Erkin Acar wrote:
> Rule changes do not affect existing states. You have to process each
> state and decide if you still want it or not. Look at authpf for one
> way to do it. authpf removes states containing the IP address
> of the connection it authenticated on exit.
That's correct. Just to clarify what I think the original poster's concern was: the existing state entries are left intact when you reload the rule set. Further packets matching these state entries will continue to be passed, and they reset the state timeouts as if you hadn't changed the rules. So existing connections that are passed statefully continue to work just fine when you reload the rule set.

If you actually want to remove the state entries, you can either manually kill them using pfctl -k, or remove them all using pfctl -Fs. When you remove a state, the next packet of the ongoing connection will go through the (new) rule set. Usually, you'd only create state for SYN packets (in case of TCP connections), so the next packet will be blocked. If you block with return-rst, both peers will get a 'connection reset' message almost immediately.

Daniel
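The behaviour Daniel describes, as a small added model written for this page (it is not pf's code and not part of the original thread): a state table that is consulted before the rule set, a rule reload that replaces only the rules, and the pfctl -k / pfctl -Fs operations that remove state entries so the next packet of an ongoing connection is evaluated by the new rules. Rule matching is simplified to last-match-wins with a "flags S/SA" style SYN-only option; addresses and ports below are constructed sample values.

```python
"""Toy model of pf's state table versus rule set (added illustration, not pf code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dport: Optional[int] = None  # None matches any destination port
    syn_only: bool = False       # like "flags S/SA": rule matches SYN packets only
    keep_state: bool = False     # like "keep state": create a state entry on match
    return_rst: bool = False     # like "block return-rst"

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.syn_only and not pkt.syn:
            return False
        return True


State = Tuple[str, str, int]  # (src, dst, dport) -- a simplified state key


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)
    states: Set[State] = field(default_factory=set)

    def load_rules(self, rules: List[Rule]) -> None:
        # Like "pfctl -f pf.conf": replaces the rule set, leaves states alone.
        self.rules = list(rules)

    def kill_states(self, host: str) -> None:
        # Like "pfctl -k host": drop every state involving that address.
        self.states = {s for s in self.states if host not in (s[0], s[1])}

    def flush_states(self) -> None:
        # Like "pfctl -Fs": drop all state entries.
        self.states.clear()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        # A matching state passes the packet without consulting the rules
        # (and, in real pf, refreshes the state's timeout).
        if key in self.states:
            return "pass (state)"
        # No state: evaluate the rule set, last matching rule wins.
        last = None
        for r in self.rules:
            if r.matches(pkt):
                last = r
        if last is None:
            return "pass (no rule)"  # pf's default when nothing matches
        if last.action == "block":
            return "block (rst)" if last.return_rst else "block"
        if last.keep_state:
            self.states.add(key)
        return "pass (rule)"


def demo() -> List[str]:
    """Walk through the reload / flush scenario; returns the verdict sequence."""
    fw = Firewall()
    # Old rule set: block everything, pass SSH statefully on SYN only.
    fw.load_rules([Rule("block"),
                   Rule("pass", dport=22, syn_only=True, keep_state=True)])
    syn = Packet("10.0.0.5", "10.0.0.1", 22, syn=True)   # constructed sample
    data = Packet("10.0.0.5", "10.0.0.1", 22)            # mid-stream packet
    out = [fw.filter(syn),    # "pass (rule)": state entry is created
           fw.filter(data)]   # "pass (state)": handled by the state table
    # Reload a stricter rule set with no pass rule at all.
    fw.load_rules([Rule("block", return_rst=True)])
    out.append(fw.filter(data))  # still "pass (state)": reload kept the state
    fw.flush_states()            # operator runs the equivalent of pfctl -Fs
    out.append(fw.filter(data))  # "block (rst)": next packet hits the new rules
    return out


if __name__ == "__main__":
    print(demo())
```

The third verdict is the point of the thread: after the reload the connection still passes, because the state entry, not the rule set, decides. Only after the state is killed does the non-SYN packet reach the new rules, where it fails to match any stateful pass rule and is blocked, with a reset if the block rule says return-rst.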