Date:      Sun, 05 Jun 2016 11:48:03 +0000
From:      Amin Saba <amn.brhm.sb@gmail.com>
To:        freebsd-pf@freebsd.org
Subject:   Dangling states problem
Message-ID:  <CAMuas%2BdL_2WQJ5t_MDacu90Tf7_tvLcYSuAvpdun2OKTJVe7WA@mail.gmail.com>

*Dangling states problem*: pf consults its state table before the rule set
(as it should). So even after adding a rule to block certain connections,
the ones that have a corresponding entry in the state table will continue
uninterrupted.

AFAIK, pf does not have any built-in/native mechanism to *automatically*
terminate states that go against the current rule set.

Sifting through the states and manually "pfctl -k"ing unwanted states does
not look like a sustainable solution to this problem.

I am writing a Python script to automate this process, as much as possible.

My questions are:

Do you know any other projects aiming at this?

Is there anything on the roadmap for the pf project to address this issue?

Are there any major road blocks to implementing this directly in pf?


Can someone shed more light on this, please?
Thanks.
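The following is an added worked example for the problem described in this message; it is not the original poster's script (which the thread does not include) and not part of pf. It parses `pfctl -ss` output (the sample below is constructed), compares every state against a hand-written block specification, and builds the `pfctl -k src -k dst` commands that would remove the states the new rule would no longer permit. The `BlockRule` spec and the `block_rule()` helper are assumptions of this example; it does not parse pf.conf itself.

```python
"""Find pf states that a newly added block rule no longer permits.

Added example for this thread, not the original poster's script and not part
of pf.  Input is the text of `pfctl -ss`; the BlockRule spec below stands in
for one 'block' rule and is an assumption of this example (pf.conf itself is
not parsed).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `pfctl -ss` output.  pf prints inbound states as
# "local <- remote" and outbound states as "local -> remote"; with NAT a
# second address follows the first host in parentheses.
SAMPLE_PFCTL_SS = """\
all tcp 10.0.0.5:22 <- 192.0.2.10:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:22 <- 198.51.100.7:40022       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:443 <- 192.0.2.10:51235       ESTABLISHED:ESTABLISHED
all udp 10.0.0.5:53 <- 192.0.2.10:5353       MULTIPLE:SINGLE
em0 tcp 10.0.0.77:49152 (203.0.113.1:49152) -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
"""


@dataclass(frozen=True)
class State:
    iface: str
    proto: str
    src: ipaddress._BaseAddress        # host that opened the connection
    src_port: Optional[int]
    dst: ipaddress._BaseAddress        # host that answered
    dst_port: Optional[int]
    status: str


@dataclass(frozen=True)
class BlockRule:
    """Hypothetical stand-in for 'block proto P from SRC to DST port N'."""
    proto: Optional[str]               # None = any protocol
    src: ipaddress._BaseNetwork        # pf 'from'
    dst: ipaddress._BaseNetwork        # pf 'to'
    dst_port: Optional[int] = None     # None = any port


def block_rule(proto, src, dst, dst_port=None) -> BlockRule:
    """Build a BlockRule from strings; a bare address becomes a /32 or /128."""
    return BlockRule(proto, ipaddress.ip_network(src),
                     ipaddress.ip_network(dst), dst_port)


def parse_host(tok: str):
    """Split '192.0.2.10:51234', '[2001:db8::1]:443' or a bare address."""
    if tok.startswith("["):                    # IPv6 with port
        addr, _, rest = tok[1:].partition("]")
        port = rest.lstrip(":")
    elif tok.count(":") == 1:                  # IPv4 with port
        addr, _, port = tok.partition(":")
    else:                                      # bare IPv4 or bracket-less IPv6
        addr, port = tok, ""
    return ipaddress.ip_address(addr), (int(port) if port else None)


def parse_states(text: str) -> List[State]:
    states = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2:
            continue
        iface, proto = toks[0], toks[1]
        # The NAT'd address in parentheses is irrelevant for rule matching.
        rest = [t for t in toks[2:] if not t.startswith("(")]
        if len(rest) < 4:
            continue
        left, arrow, right, status = rest[0], rest[1], rest[2], rest[3]
        if arrow == "->":            # outbound: left host opened the connection
            src_tok, dst_tok = left, right
        elif arrow == "<-":          # inbound: right host opened the connection
            src_tok, dst_tok = right, left
        else:
            continue
        src, sport = parse_host(src_tok)
        dst, dport = parse_host(dst_tok)
        states.append(State(iface, proto, src, sport, dst, dport, status))
    return states


def violates(state: State, rule: BlockRule) -> bool:
    """True if a fresh packet of this state would now hit the block rule."""
    if rule.proto and state.proto != rule.proto:
        return False
    if state.src not in rule.src or state.dst not in rule.dst:
        return False
    return rule.dst_port is None or state.dst_port == rule.dst_port


def stale_states(states: List[State], rule: BlockRule) -> List[State]:
    return [s for s in states if violates(s, rule)]


def kill_commands(stale: List[State]) -> List[List[str]]:
    """`pfctl -k SRC -k DST` kills every state from SRC to DST; one per pair."""
    cmds, seen = [], set()
    for s in stale:
        pair = (str(s.src), str(s.dst))
        if pair not in seen:
            seen.add(pair)
            cmds.append(["pfctl", "-k", pair[0], "-k", pair[1]])
    return cmds


def collateral(states: List[State], stale: List[State]) -> List[State]:
    """Still-permitted states sharing a (src, dst) pair with a stale one.
    `pfctl -k src -k dst` has no port filter, so it removes these as well."""
    pairs = {(s.src, s.dst) for s in stale}
    return [s for s in states if (s.src, s.dst) in pairs and s not in stale]


if __name__ == "__main__":
    # Mirrors 'block in proto tcp from 192.0.2.0/24 to 10.0.0.5 port 22'.
    rule = block_rule("tcp", "192.0.2.0/24", "10.0.0.5", 22)
    states = parse_states(SAMPLE_PFCTL_SS)
    stale = stale_states(states, rule)
    for cmd in kill_commands(stale):
        print(" ".join(cmd))
    for s in collateral(states, stale):
        print(f"# warning: also kills {s.proto} {s.src}:{s.src_port}"
              f" -> {s.dst}:{s.dst_port}")
```

The `collateral()` check is the caveat to watch when automating this: `pfctl -k` with two hosts kills every state between that pair of addresses, so in the sample the HTTPS and DNS states from 192.0.2.10 to 10.0.0.5, which the new rule still allows, go away together with the SSH state the rule targets. A script that just emits kill commands for matches should at least report that, or fall back to a more selective mechanism (for example, putting the affected rules under a label and using `pfctl -k label`).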


