selective state flush


selective state flush

Jeff Santos
Hi,

Suppose I have an anchor in PF that, when some condition
is met, is loaded with a set of block rules.

If the condition is met, the connections that were
open before these block rules were loaded to the
anchor are not dropped, correct?

If so, is there some way to selectively drop some
connections (flush some states)?

Thanks in advance.

Regards,

Jose

--
Want an e-mail address like mine?
Get a free e-mail account today at www.mail.com!

Re: selective state flush

Calomel-3
Jose,

Correct. If you load a block rule with an anchor or by hand, but the state
has already been made for a connection, the current state will not be
cleared. If you wanted to clear all states before you load the new rules
this could be done.

Selectively, you can use "pfctl" with the argument "-k" to drop connections
dependent on IP address. For example, if we wanted to drop all states from
any IP to our internal server at 10.10.10.22 we could execute:

pfctl -k 0.0.0.0/0 -k 10.10.10.22
Hope this helps.

  PF Config "how to" (pf.conf)
  http://calomel.org/pf_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference
On Thu, Apr 03, 2008 at 06:44:41PM -0500, Jeff Santos wrote:

>Hi,
>
>Suppose I have an anchor in PF that, when some condition
>is met, is loaded with a set of block rules.
>
>If the condition is met, the connections that were
>open before these block rules were loaded to the
>anchor are not dropped, correct?
>
>If so, is there some way to selectively drop some
>connections (flush some states)?
>
>Thanks in advance.
>
>Regards,
>
>Jose
>
>--
>Want an e-mail address like mine?
>Get a free e-mail account today at www.mail.com!
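One way to script the pattern discussed in this thread, as an added example that is not from either poster: load the block rules into an anchor, then kill the existing states for each destination host those rules block, using the "pfctl -k <src> -k <dst>" form from the reply above. The anchor name, the rules file layout ("block ... to <address>") and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Loads block rules into a PF
# anchor, then flushes states that pre-date those rules, host by host.
# Assumptions: each block rule names a single destination after "to";
# ANCHOR and RULES_FILE values below are placeholders supplied by the caller.

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# List the destination hosts named in "block ... to <addr>" rules.
# "any" is skipped: a blanket block would mean flushing every state,
# which is "pfctl -F states", not a selective kill.
block_targets() {
    # $1: rules file
    awk '$1 == "block" {
            for (i = 1; i < NF; i++)
                if ($i == "to" && $(i+1) != "any") print $(i+1)
         }' "$1" | sort -u
}

# Load the rules into the anchor, then drop existing states from any
# source (0.0.0.0/0) to each blocked host, as in the reply's example.
load_and_flush() {
    # $1: anchor name, $2: rules file
    anchor=$1
    rules=$2
    run pfctl -a "$anchor" -f "$rules" || return 1
    for host in $(block_targets "$rules"); do
        run pfctl -k 0.0.0.0/0 -k "$host" || return 1
    done
}
```

Run with DRY_RUN=1 first to see exactly which states would be killed before doing it for real.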