I have a firewall here that sees heavy use on a full-duplex 10Mbps fiber link. (Okay, so maybe not that heavy.)
On occasion, there is an existing connection which has matched an outgoing keep state rule which I want to specifically kill. However, as far as I can tell, there's no way to kill just a specific state in the state table. Thus, even though I might use:

    ipf -f - @1 block in on ex1 from 10.2.0.12 to any

... since there's state involved, the rule doesn't take effect except for *future* connections to/from that IP address. That leaves the current pig of a connection consuming all my bandwidth. I find I have to take a sledgehammer to it and:

    ipf -Fa -vf /etc/ipf.conf
    ipnat -CFvf /etc/ipnat.conf

... and completely refresh all the rules, state, everything.

If I could instead operate by adding specific rules to impede the problematic connection, and then kill the offending states specifically, my life would be a lot easier. Is there a way to do this? Perhaps by using some sneaky active/inactive rules lists or something?

Thanks,
Marc
