Thanks for all the quick responses, but if I understand you all
correctly there is no way to cut off an established connection by adding
an IP address to a blocked table, so I'm still left with my two-stage
drop of the connection (both adding the IP to the table and killing
the connection manually).

Martijn

On Thu, 2013-02-07 at 21:21 +0100, Peter J. Philipp wrote:
> Someone on this list once helped me a great deal by mentioning the following:
> 
> I bet you have a pf state left after reloading your firewall rules and since 
> they don't get reset you have to kill them.
> 
> Use pfctl -ss -vv to identify the state by id and use pfctl -k id -k <id> to 
> kill it.
> 
> That's how I do it these days.
> 
> Cheers,
> 
> -peter
> 
> Am 07.02.2013 um 21:13 schrieb Martijn van Duren <martijn...@gmail.com>:
> 
> > Hello misc,
> > 
> > Today I watched the current connections on my small home server and I
> > noticed an unfamiliar FTP connection. Upon inspecting the connection I
> > noticed it was a brute-force attack, so I fired up my pfctl utility and
> > tried to block the attack by adding the IP to my quick drop table.
> > After adding the IP to the table I noticed that the connection was still
> > happily active, and even reloading my entire ruleset with pfctl
> > -f /etc/pf.conf didn't help, so I resorted to tcpdrop.
> > 
> > My question is, is it possible to destroy an active connection by
> > something like adding an IP to a drop quick table (did I miss a certain
> > flag?), or do I, in the event that something like this happens again,
> > always have to perform a two-stage drop?
> > 
> > Sincerely,
> > 
> > Martijn
