Your ping traffic creates a state table entry in PF. Packets matching this state (further pings between the same addresses before a timeout) are passed unless the state entry is flushed (pfctl -k).
On 2014/12/10 00:47, zje.net.cn wrote:
> Hello, my name is chengang, I'm from China. Yesterday I tried to test pf's
> function, and a problem happened. Details as follows.
>
> 1. The test environment
> 1) a server with OpenBSD 5.6 installed, which I call "mySrv"; its IP
> is "10.0.21.211".
> 2) a client with Windows 7 installed, which I call "myClt".
> 3) a pf config file including the following rules, with the name "pf.conf".
> ......
> block all
> pass in on $int_if proto icmp from <admin>
> 4) a pf config file including the following rules, with the name "pf.conf.local".
> ......
> block all
> #pass in on $int_if proto icmp from <admin>
>
> 2. The procedure which produces the problem
> 1) load the config file "pf.conf" on "mySrv"
> 2) exec "ping 10.0.21.211 -t" on "myClt" in a "cmd" window; the result
> is like the pic as follows, the icmp proto communication was passed.
> 3) now, keeping the "ping" command running on "myClt", load the
> config file "pf.conf.local" on "mySrv".
> According to the rules set in "pf.conf.local", the icmp proto
> communication should be blocked at this time.
> But in fact, the communication was still passed, just like the above pic
> shows.
> So I wonder if pf has a problem in itself or I have problems in
> my own operation.
>
> 3. Any operations to solve the problem
> Afterwards I tried many operations to solve the above problem; finally I
> found that if I first stop the "ping" command on "myClt" and wait a moment,
> just less than 3 sec or more, then reload the file "pf.conf.local", the result
> perhaps was correct.
> Steps as shown below with the pic.
>
> -----------------------------------------------------------------------------------------------------------------------
> The above is my report of a problem as I guess it; please verify it. Thank
> you for your hard work. I like to use OpenBSD, so I wish it better.
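An added illustration of the behaviour the reply describes (my own example, not part of either message in the thread; the interface name, the contents of the <admin> table and the client network are assumptions): a pf.conf in the style of the poster's files, showing why the stateful rule keeps passing the running ping after a reload, the stateless variant that does not, and the pfctl commands that drop the existing state entry so the new ruleset applies to the flow immediately.

```pf
# Added example, not from the original thread. Macro and table values are assumed.
int_if = "em0"                       # assumed interface name
table <admin> { 10.0.21.0/24 }       # assumed admin network

# OpenBSD default; an idle ICMP state is dropped after this many seconds.
# Lowering it shortens how long an already-passed ping survives a reload.
set timeout icmp.first 20

block all

# Stateful rule (what the poster's pf.conf does): the first echo request from
# <admin> is matched against the ruleset and creates a state entry; later echo
# requests and the echo replies match that entry without consulting the
# ruleset again, so commenting this rule out and reloading changes nothing
# until the state times out or is killed.
pass in on $int_if inet proto icmp icmp-type echoreq from <admin> to $int_if

# Stateless alternative: every packet is evaluated against the ruleset, so a
# reload takes effect on the very next packet, but the replies now need their
# own rule because there is no state to carry them back out.
#pass in  on $int_if inet proto icmp icmp-type echoreq from <admin> to $int_if no state
#pass out on $int_if inet proto icmp icmp-type echorep from $int_if to <admin> no state

# Reloading the stateful ruleset and dropping the state it created
# (run as root on mySrv):
#   pfctl -f /etc/pf.conf.local            # load the new rules; existing states survive
#   pfctl -ss | grep icmp                  # the ping's state entry is still listed
#   pfctl -k 10.0.21.0/24                  # kill states originating from the admin network
#   pfctl -k 10.0.21.0/24 -k 10.0.21.211   # or only those from that network to mySrv
#   pfctl -F states                        # or flush the whole state table
```

The point to take from the first rule is that loading a ruleset with pfctl -f does not touch the state table; a rule change only affects flows whose first packet arrives after the load. Killing states with pfctl -k (or flushing them with -F states) is what makes a tightened ruleset apply to connections that are already established, which is worth scripting into any reload procedure whose purpose is to cut an attacker off.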
