Re: Can't kill a state with pfctl?
I'm doing something like this at home.

table persist ### block machines out
block out quick on egress tagged BLOCK
pass out quick on egress from to any nat-to (egress:0) keep state \
    (max-src-conn 1, max-src-conn-rate 1/1, overload flush global) tag BLOCK

Then I just add the IP to , and the rest is taken care of automatically, e.g. blocking and flushing states.

Note that really DOES NOT EXIST. It is never created. Not sure of the implications for the underlying system; maybe it leaks RAM or something else.

> On 5 March 2017 at 08:30, luckman212 wrote:
>
> Is 7 years too long to wait for an answer?
>
> I had been struggling with the same issue/question, and since yours was the
> only related post I could find, I figured I'd come back to share what I
> found. Try putting a slash and then the creatorid, like this:
>
> I didn't test this on OpenBSD but I did test it on pfSense which I believe
> uses a very similar if not identical binary.
>
> --
> View this message in context: http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-tp100879p314187.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Can't kill a state with pfctl?
Is 7 years too long to wait for an answer?

I had been struggling with the same issue/question, and since yours was the only related post I could find, I figured I'd come back to share what I found. Try putting a slash and then the creatorid, like this:

I didn't test this on OpenBSD but I did test it on pfSense, which I believe uses a very similar if not identical binary.
Can't kill a state with pfctl?
Hello misc,

I'm really coming around to using OpenBSD and PF for my firewalls; it has been a great experience so far. However, I am having trouble with the pfctl command in regards to killing an active state. I've tried my best to follow the man pages and seem to be doing just what it says, but it just isn't working.

I have an OpenBSD box routing between two LAN segments, 192.168.10.0/24 and 192.168.0.0/24. I add a rule to my pf.conf to block traffic from the 192.168.10.0/24 net to a specific host, 192.168.0.23, port 80. Works fine; all new connection attempts are blocked as expected. However, if there is an existing established connection, it continues to function. So I try to kill the existing state with pfctl, but no luck.

First I tried it by specific ID:

# pfctl -s state -vv | grep 192.168.0.23 -A 3
all tcp 192.168.0.23:80 <- 192.168.10.111:1230       ESTABLISHED:ESTABLISHED
   [2511621728 + 59935] [791437282 + 6432]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b35 creatorid: a11bb4a9
all tcp 192.168.10.111:1230 -> 192.168.0.23:80       ESTABLISHED:ESTABLISHED
   [791437282 + 6432] [2511621728 + 59935]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b36 creatorid: a11bb4a9

# pfctl -k id -k 4ca1ac7500441b35
killed 0 states

Trying without the -k id produces "killed 0 states from 1 source and 0 destinations". Trying to kill all connections from the host (pfctl -k 192.168.0.23) does the same.

I'm pulling this straight from the pfctl man pages, but can't seem to get it working. I know I'm probably messing up something silly, but am blind to see what it is!

As always, thanks for the help in advance. I love this group; everyone has been very helpful as I make my journey into OpenBSD.
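The reply in this thread says to append a slash and the creatorid to the state id. As an added example that is not part of any post in the thread, the shell function below reads the "pfctl -s state -vv" listing (the two entries from the original question are embedded as constructed sample input) and prints one "pfctl -k id -k ID/CREATORID" command per state that involves a given host. It only prints the commands rather than running them, so the operator can review which states would be torn down before executing the list as root on the firewall. The function name state_kill_cmds and the parsing assumptions (IPv4 "addr:port" fields, no NAT rewrite shown in parentheses on the header line) are this example's own, not from the thread or pfctl.

```shell
#!/bin/sh
# Added example, not from the thread: derive per-state kill commands in the
# id/creatorid form from "pfctl -s state -vv" output.

# Constructed sample input: the two state entries quoted in the original question.
SAMPLE='all tcp 192.168.0.23:80 <- 192.168.10.111:1230       ESTABLISHED:ESTABLISHED
   [2511621728 + 59935] [791437282 + 6432]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b35 creatorid: a11bb4a9
all tcp 192.168.10.111:1230 -> 192.168.0.23:80       ESTABLISHED:ESTABLISHED
   [791437282 + 6432] [2511621728 + 59935]
   age 05:18:15, expires in 24:00:00, 203727:267131 pkts, 8886145:242055534 bytes
   id: 4ca1ac7500441b36 creatorid: a11bb4a9'

# state_kill_cmds HOST
#   Reads "pfctl -s state -vv" output on stdin and prints one
#   "pfctl -k id -k ID/CREATORID" line per state whose source or
#   destination address is HOST (IPv4 "addr:port" format assumed).
#   Nothing is executed here; review the output, then run it as root.
state_kill_cmds() {
    awk -v host="$1" '
        # Header line of a state: IF PROTO ADDR:PORT <- ADDR:PORT STATE
        $4 == "<-" || $4 == "->" || $4 == "<->" {
            hit = (index($3, host ":") == 1 || index($5, host ":") == 1)
            next
        }
        # Detail line "id: ... creatorid: ..." belongs to the preceding header
        hit && $1 == "id:" && $3 == "creatorid:" {
            print "pfctl -k id -k " $2 "/" $4
            hit = 0
        }
    '
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE" | state_kill_cmds 192.168.0.23
```

On a live firewall, replace the sample with the real listing, e.g. `pfctl -s state -vv | state_kill_cmds 192.168.0.23`, and pipe the reviewed output into `sh` to kill both directions of each matching state. Matching on "host:" keeps 192.168.0.2 from also matching 192.168.0.23.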