PF: block udp packets that already have a state

2012-06-25 Thread Matthias Cramer
Hi

From time to time I have some attacks on my SIP PBX. I would like to block them on my OpenBSD box, which stands in front of it. The problem I'm facing is that the attacker's IP already has a state in the state table, and the block rule I insert simply does nothing.

In the state table I see the following:

all udp my_ip:5060 - attacker_ip:5231   MULTIPLE:MULTIPLE
all udp attacker_ip:5231 - my_ip:5060   MULTIPLE:MULTIPLE

In /etc/pf.conf, at the top, I have the following:

table <badguys> { attacker_ip }

block out quick to <badguys>
block in quick from <badguys>

After clearing all states with pfctl -F states the connection is blocked.

Is there a way to:
 - clear a single state?
 - block a packet even with an established state?

Regards

  Matthias

--
Matthias Cramer, Erachfeldstrasse 1b, CH-8180 Bülach
http://www.freestone.net
GnuPG 1024D/2D208250 = DBC6 65B6 7083 1029 781E  3959 B62F DF1C 2D20 8250

Re: PF: block udp packets that already have a state

2012-06-25 Thread Johan Fredin
On 25 jun 2012, at 15:36, Matthias Cramer wrote:

> After clearing all states with pfctl -F states the connection is blocked.
>
> Is there a way to:
>  - clear a single state?
>  - block a packet even with an established state?

Hi Matthias,

The pfctl -K/-k options allow you to kill specific state entries.

/Johan
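To turn the two answers (kill the existing states, block the address) into a working setup, here is an added pf.conf fragment with the matching pfctl commands in comments. It is an example written for this thread, not configuration from either poster; the macros $ext_if and $sip_server, the documentation address, and the max-src-states threshold of 50 are assumed values.

```pf
# /etc/pf.conf fragment (added example; $ext_if, $sip_server and the
# threshold of 50 states are assumed values, not from the thread)
ext_if     = "em0"
sip_server = "192.0.2.10"          # documentation address, stands in for my_ip

# persist keeps the table even when no rule currently references it
table <badguys> persist

# quick: stop rule evaluation as soon as an address in the table matches
block in  quick on $ext_if from <badguys>
block out quick on $ext_if to   <badguys>

# Limit how many concurrent states one source may hold against SIP.
# A source that exceeds the limit is added to <badguys>, and
# "flush global" kills every existing state from that source, so the
# block rules above apply immediately instead of after the next state
# expiry or a manual "pfctl -F states".
pass in on $ext_if inet proto udp to $sip_server port 5060 \
    keep state (max-src-states 50, overload <badguys> flush global)

# Manual equivalent for a single address (attacker_ip is a placeholder):
#   pfctl -t badguys -T add attacker_ip      # block future packets
#   pfctl -k attacker_ip                     # kill states from attacker_ip
#   pfctl -k 0.0.0.0/0 -k attacker_ip        # kill states to attacker_ip
#   pfctl -s states | grep attacker_ip       # verify nothing is left
```

After editing, reload with pfctl -f /etc/pf.conf; existing states are kept across a reload, so the pfctl -k step is still needed for addresses that already have a state.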