On 02/07/13 15:13, Martijn van Duren wrote:
Hello misc,
Today I watched the current connections on my small home server and I
noticed an unfamiliar FTP connection. Upon inspecting the connection I
noticed it was a brute force attack, so I fired up my pfctl utility and
tried to block the attack by adding the IP to my quick drop table.
After adding the IP to the table I noticed that the connection was still
happily active, and even reloading my entire ruleset with
pfctl -f /etc/pf.conf didn't help, so I resorted to tcpdrop.
My question is: is it possible to destroy an active connection by
something like adding an IP to a drop quick table (did I miss a certain
flag?) or do I, in the event that something like this happens again,
always have to perform a two stage drop?
Sincerely,
Martijn
I've seen this before. The attack continued because you have an
existing state entry on the firewall that is allowing packets to continue.
Use 'pfctl -k (host)' to kill off existing states.
--
Scott McEachern
https://www.blackstaff.ca
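The two-stage drop the thread describes (block new packets via the table, then kill the state that keeps the existing connection alive), as an added POSIX sh example that is not from either poster. It assumes a pf table named <bruteforce> that a "block in quick from <bruteforce>" rule references, and it honours a PF_DRY_RUN variable so the pfctl calls can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Two-stage drop on OpenBSD pf:
#  1. add the address to the quick-drop table so new packets are blocked;
#  2. kill the state entries that let the already-established connection
#     keep flowing (a table change or ruleset reload does not touch states).
# Assumed table name; override with PF_TABLE=<name>.
TABLE="${PF_TABLE:-bruteforce}"

# Run pfctl, or just print the command when PF_DRY_RUN=1.
run_pfctl() {
    if [ "${PF_DRY_RUN:-0}" = "1" ]; then
        printf 'pfctl %s\n' "$*"
    else
        pfctl "$@"
    fi
}

# Accept only an IPv4 address (optionally with /prefix) so that a string
# copied out of "pfctl -ss" output cannot smuggle extra pfctl options.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

block_and_kill() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "block_and_kill: bad address: $ip" >&2; return 1; }
    # Stage 1: from now on packets from $ip hit the quick block rule.
    run_pfctl -t "$TABLE" -T add "$ip" || return 1
    # Stage 2: remove the state entries originating from $ip, which is
    # what an inbound brute-force client's connection looks like.
    run_pfctl -k "$ip" || return 1
}

# Example run (constructed address from the documentation range):
#   PF_DRY_RUN=1 sh thisscript.sh   -> prints the two pfctl commands
if [ "${PF_DRY_RUN:-0}" = "1" ] && [ -z "$PF_NO_DEMO" ]; then
    block_and_kill 203.0.113.5
fi
```

Without PF_DRY_RUN the script needs root and a pf ruleset that already defines the table; check afterwards with "pfctl -ss | grep 203.0.113.5" that no state for the address remains.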