D'Arcy J.M. Cain wrote:
> On Thu, 26 Feb 2015 12:11:34 -0500
> "Ted Unangst" <t...@tedunangst.com> wrote:
> > D'Arcy J.M. Cain wrote:
> > > So why would packets continue to come in for 2.5 hours? My guess is
> > > that the hacker is keeping the connection open and attacking over it
> > > for 2.5 hours. Does the packet filter not apply to existing
> > > connections? Is there some way to change that behaviour?
> >
> > Yes, that's how stateful firewalls work. Existing states don't
> > evaluate the ruleset. You probably want to look into pfctl -k.
>
> I set no state on all UDP rules which is what this one is.
>
> What does -k do? NetBSD's pf doesn't seem to have it.
Well, there's what should happen and what does happen. The behavior described sounds a lot like it's keeping state. You can check with pfctl -ss. pfctl -k kills an existing state.
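The check Ted describes, as an added example that is not part of the thread and not code from either poster: take the output of `pfctl -ss`, find the state entries whose source is the suspect host, and print the `pfctl -k` command that would remove them. Because this has to run offline, the state lines below are constructed sample data that approximates the `pfctl -ss` line format ("anchor proto local <- remote state"); the real output on your box is the authority on the exact layout, and IPv6 addresses (which contain colons) would need a different split than the one used here.

```shell
#!/bin/sh
# Added example. Parses pfctl -ss style state lines for a given host and
# emits the pfctl -k command that would kill its states (dry run: the
# command is printed, not executed). SAMPLE_STATES is constructed data.

SAMPLE_STATES='all udp 192.0.2.10:53 <- 198.51.100.7:40000       SINGLE:NO_TRAFFIC
all tcp 192.0.2.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:123 <- 203.0.113.5:123       MULTIPLE:MULTIPLE
all tcp 192.0.2.10:443 <- 203.0.113.9:55555       ESTABLISHED:ESTABLISHED'

# states_for_host HOST
# Print every sample state line whose *source* address is HOST. In pfctl -ss
# output the arrow points from source to destination, so with "<-" the source
# is the right-hand endpoint and with "->" it is the left-hand one.
# Assumes IPv4 (addr:port split on the first colon).
states_for_host() {
    host=$1
    printf '%s\n' "$SAMPLE_STATES" | awk -v h="$host" '
        {
            split($3, l, ":")
            split($5, r, ":")
            src = ($4 == "<-") ? r[1] : l[1]
            if (src == h) print
        }'
}

# count_states_for_host HOST
# Number of state entries originating from HOST (0 when none, which is what
# you would expect to see for a "no state" UDP rule).
count_states_for_host() {
    states_for_host "$1" | wc -l | tr -d ' '
}

# kill_commands HOST
# If HOST owns any states, print the pfctl invocation that would remove them.
# A single "-k host" kills all states whose source is that host; a second
# "-k" would narrow it to states from the first host to the second.
kill_commands() {
    host=$1
    if [ "$(count_states_for_host "$host")" -gt 0 ]; then
        printf 'pfctl -k %s\n' "$host"
    fi
}

# Usage: replace SAMPLE_STATES with real data, e.g.
#   SAMPLE_STATES=$(pfctl -ss); kill_commands 198.51.100.7
states_for_host 198.51.100.7
kill_commands 198.51.100.7
```

If the suspect host shows up in `pfctl -ss` at all, the rule that admitted the first packet created state, regardless of what the ruleset was meant to do; confirm the UDP rule in question actually carries `no state` (and that it, not an earlier matching rule, is the one the packets hit) before assuming the filter is at fault.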