From owner-freebsd-questions@FreeBSD.ORG  Sun Jun 19 03:47:28 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2379616A41C
	for <freebsd-questions@freebsd.org>;
	Sun, 19 Jun 2005 03:47:28 +0000 (GMT)
	(envelope-from tiberius@sdf.lonestar.org)
Received: from sdf.lonestar.org (mx.freeshell.org [192.94.73.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B6B0F43D4C
	for <freebsd-questions@freebsd.org>;
	Sun, 19 Jun 2005 03:47:27 +0000 (GMT)
	(envelope-from tiberius@sdf.lonestar.org)
Received: from sdf.lonestar.org (IDENT:tiberius@sverige.freeshell.org
	[192.94.73.4])
	by sdf.lonestar.org (8.13.1/8.12.10) with ESMTP id j5J3l9t0014254;
	Sun, 19 Jun 2005 03:47:09 GMT
Received: (from tiberius@localhost)
	by sdf.lonestar.org (8.13.1/8.12.8/Submit) id j5J3l7ME013638;
	Sat, 18 Jun 2005 20:47:07 -0700 (MST)
Date: Sat, 18 Jun 2005 20:47:07 -0700
From: Matt Rechkemmer <tiberius@trancell.org>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Message-ID: <20050619034707.GA23503@sdf.lonestar.org>
References: <20050607064323.GA29038@sdf.lonestar.org>
	<20050607105030.GA44218@orion.daedalusnetworks.priv>
	<20050609101805.GA11341@sdf.lonestar.org>
	<20050609105116.GA87877@orion.daedalusnetworks.priv>
	<20050609204814.GA11510@sdf.lonestar.org>
	<20050610183349.GA21866@orion.daedalusnetworks.priv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050610183349.GA21866@orion.daedalusnetworks.priv>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-questions@freebsd.org
Subject: Re: pf block question
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jun 2005 03:47:28 -0000

On Fri, Jun 10, 2005 at 09:33:50PM +0300, Giorgos Keramidas wrote:
> 
> Existing icmp states?
> 
> Did you reload the rules with:
> 
> 	/etc/rc.d/pf reload
> 
> or by directly running pfctl?

I tried flushing everything with pfctl -Fa, and then loading the rules with
pfctl -f /etc/pf.conf.  The script in rc.d seems to do the same thing.

After re-loading the rules, pfctl -sr yields:
root@hybrid# pfctl -sr | head -n2
scrub in all fragment reassemble
block drop quick on fxp0 from <badhosts> to any

I've verified the table has actual IP addresses.  It seems to be able to block
new TCP connections.  However, if an IP is connected currently, pf lets that
connection continue; even after flushing the states and sources.  It doesn't
seem to care about ICMP.  I can ping it from the box running pf, and receive
replies.

Am I just missing something obvious here?

--
Matt Rechkemmer
tiberius@trancell.org