I’m doing something like this at home.

table <block_out_ext> persist

### block machines out
block out quick on egress tagged BLOCK
pass out quick on egress from <block_out_ext> to any nat-to (egress:0) \
        keep state (max-src-conn 1, max-src-conn-rate 1/1, \
        overload <none_existent_table> flush global) tag BLOCK


Then I just add the IP to <block_out_ext>, and the rest happens automatically,
e.g. blocking and flushing states.

Note that <none_existent_table> really DOES NOT EXIST. Never created.
Not sure of implication on the underlying system. Maybe it leaks RAM or
something else.
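The same idea written with the overload table declared explicitly as a persist table, so the entries pf adds on its own can be listed and removed with pfctl. This is an added example, not the poster's ruleset; the table names, the 192.0.2.10 address and the TCP restriction are assumptions.

```pf
# Hosts an administrator limits by hand.
table <block_out_ext> persist
# Hosts pf adds itself when the pass rule's limits are exceeded.
# Declared persist so the table survives ruleset reloads and can be
# inspected instead of living only inside the kernel.
table <block_out_auto> persist

# Anything sourced from the automatic table is dropped; quick stops
# evaluation here so no later rule can pass it.
block out quick on egress from <block_out_auto>

# NAT rule for the hand-maintained table. max-src-conn and
# max-src-conn-rate count completed TCP connections, so the rule is
# restricted to TCP. At most one connection and one new connection per
# second per source; past that the source is copied into
# <block_out_auto> and every state it owns is killed (flush global).
pass out quick on egress proto tcp from <block_out_ext> to any \
        nat-to (egress:0) \
        keep state (max-src-conn 1, max-src-conn-rate 1/1, \
        overload <block_out_auto> flush global)

# Operating it (as root; 192.0.2.10 is a constructed example address):
#   pfctl -t block_out_ext  -T add 192.0.2.10      # start limiting a host
#   pfctl -t block_out_auto -T show                # who tripped the limit
#   pfctl -k 192.0.2.10                            # kill its remaining states
#   pfctl -t block_out_auto -T delete 192.0.2.10   # let it back in
#   pfctl -t block_out_auto -T flush               # clear the whole table
```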


> On 5 March 2017 at 08:30, luckman212 <[email protected]> wrote:
>
> Is 7 years too long to wait for an answer?
>
> I had been struggling with the same issue/question, and since yours was the
> only related post I could find, I figured I'd come back to share what I
> found. Try putting a slash and then the creatorid, like this:
>
> I didn't test this on OpenBSD but I did test it on pfSense which I believe
> uses a very similar if not identical binary.
>
> --
> View this message in context:
> http://openbsd-archive.7691.n7.nabble.com/Can-t-kill-a-state-with-pfctl-tp100879p314187.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.
