Jose,

Correct. If you load a block rule with an anchor or by hand, but the state has already been made for a connection, the current state will not be cleared. If you wanted to clear all states before you load the new rules, this could be done.

Selectively, you can use "pfctl" with the argument "-k" to drop connections dependent on IP address. For example, if we wanted to drop all states from any IP to our internal server at 10.10.10.22 we could execute:

  pfctl -k 0.0.0.0/0 -k 10.10.10.22

Hope this helps.

PF Config "how to" (pf.conf)
http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference

On Thu, Apr 03, 2008 at 06:44:41PM -0500, Jeff Santos wrote:
>Hi,
>
>Suppose I have an anchor in PF that, when some condition
>is met, is loaded with a set of block rules.
>
>If the condition is met, the connections that were
>open before these block rules were loaded to the
>anchor are not dropped, correct?
>
>If so, is there some way to selectively drop some
>connections (flush some states)?
>
>Thanks in advance.
>
>Regards,
>
>Jose
>
>--
>Want an e-mail address like mine?
>Get a free e-mail account today at www.mail.com!
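The procedure the reply describes, as an added worked example that is not part of the original mail or of calomel.org: load block rules for one host into a pf anchor, then kill the states that the rules alone leave alive, and check the state table afterwards. The anchor name "blocklist" is an assumption (pf.conf must carry an "anchor "blocklist"" line for it to be evaluated), and the PFCTL variable is a convenience added here so the commands can be dry-run with PFCTL="echo pfctl" on a machine without pf.

```shell
#!/bin/sh
# Added example, not from the original mail: push block rules for one host
# into a pf anchor, then kill the states that already exist for that host,
# because loading the rules alone leaves established connections alive.
#
# Assumptions (hypothetical): pf.conf contains the line
#     anchor "blocklist"
# so the anchor is evaluated, and pfctl is in PATH. Set PFCTL="echo pfctl"
# to print the commands instead of executing them.

PFCTL="${PFCTL:-pfctl}"
ANCHOR="${ANCHOR:-blocklist}"

# Rules loaded into the anchor for one host, covering both directions.
# "quick" stops rule evaluation so a later "pass" in the main ruleset
# cannot override the block.
block_rules() {
    ip="$1"
    printf 'block drop quick from %s to any\n' "$ip"
    printf 'block drop quick from any to %s\n' "$ip"
}

# Replace the anchor's ruleset with the block rules for this host.
# "-f -" makes pfctl read the rules from stdin; the anchor's previous
# rules are discarded.
load_block() {
    block_rules "$1" | $PFCTL -a "$ANCHOR" -f -
}

# Kill existing states in both directions. A single -k kills states that
# originate from the host; "-k 0.0.0.0/0 -k host" kills states from any
# source to the host, which is the form given in the mail above.
# (To drop everything instead, "pfctl -F states" flushes the whole table.)
kill_states() {
    ip="$1"
    $PFCTL -k "$ip"
    $PFCTL -k 0.0.0.0/0 -k "$ip"
}

# Count state-table lines that still reference the host. Dots are escaped
# and the address is bounded by non-digits, so 10.10.10.22 does not also
# count 10.10.10.220 or 110.10.10.22. Prints 0 when nothing is left.
remaining_states() {
    re=$(printf '%s' "$1" | sed 's/\./\\./g')
    $PFCTL -ss | grep -c -E "(^|[^0-9])${re}([^0-9]|$)" || true
}

# Usage: sh block_and_kill.sh 10.10.10.22
# The rules are loaded before the states are killed, so a connection that
# is re-established between the two steps hits the block rule instead of
# slipping through.
if [ $# -eq 1 ]; then
    load_block "$1"
    kill_states "$1"
    echo "states still referencing $1: $(remaining_states "$1")"
fi
```

Run it as root on the firewall with the host to cut off as the only argument; with PFCTL="echo pfctl" it only prints the three pfctl invocations and a count of 0, which is enough to review the generated rules before loading them for real.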