
Re: State table with a rule change



On Thu, Dec 12, 2002 at 05:53:52PM +0200, Can Erkin Acar wrote:
> Rule changes do not affect existing states. You have to process each
> state and decide if you still want it or not. Look at authpf for one
> way to do it. authpf removes states containing the IP address
> of the connection it authenticated on exit.
That's correct. Just to clarify what I think the original poster's
concern was: the existing state entries are left intact when you reload
the rule set. Further packets matching these state entries will continue
to be passed, and they reset the state timeouts as if you hadn't changed
the rules.
So existing connections that are passed statefully continue to work just
fine when you reload the rule set.
If you actually want to remove the state entries, you can either manually
kill them using pfctl -k, or remove them all using pfctl -Fs. When you
remove a state, the next packet of the ongoing connection will go
through the (new) rule set. Usually, you'd only create state for SYN
packets (in case of TCP connections), so the next packet will be
blocked. If you block with return-rst, both peers will get a 'connection
reset' message almost immediately.
Daniel
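The per-state decision Can Erkin Acar describes (walk the state table, decide which entries you still want, then kill them) is easy to dry-run before touching the firewall. The following script is an added example, not code from this mail, from authpf or from the OpenBSD project: it parses text in the layout of `pfctl -ss` output (assumed here as `<if> <proto> <src> [(<nat-addr>)] <dir> <dst> <state>`, IPv4 only), lists the states in which a given host is an endpoint, and builds the `pfctl -k host` command that would remove exactly those states. The state table it reads is constructed sample data embedded in the file, so it runs without a pf host; replacing `SAMPLE_STATES` with the real output of `pfctl -ss` is the only change needed on a firewall.

```python
"""Dry-run helper for removing pf states that involve one host.

Added example, not code from the original mail or from OpenBSD.  It
assumes the `pfctl -ss` line layout
    <if> <proto> <src> [(<nat-addr>)] -> or <- <dst> <state>
and IPv4 addresses only; `pfctl -k <host>` removes every state in which
<host> is either endpoint (the approach authpf uses on exit).
"""
import ipaddress
import re
import sys

# Constructed sample in the style of `pfctl -ss` output; not a real capture.
SAMPLE_STATES = """\
all tcp 192.0.2.10:51234 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51240 -> 198.51.100.7:443      FIN_WAIT_2:FIN_WAIT_2
all udp 192.0.2.25:53421 -> 198.51.100.53:53      MULTIPLE:SINGLE
all tcp 203.0.113.5:40000 (192.0.2.10:40000) -> 198.51.100.7:80  ESTABLISHED:ESTABLISHED
all tcp 192.0.2.99:60001 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED
"""

# An endpoint token is "addr:port", optionally wrapped in parentheses when
# pfctl shows the translated (NAT) address.  IPv4 only (assumption).
ENDPOINT_RE = re.compile(r"^\(?(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\)?$")


def parse_state_line(line):
    """Return (proto, [addresses]) for one state line, or None if the line
    carries fewer than two endpoints (blank lines, headers, noise).

    Translated addresses in parentheses are included, because a state is
    reachable through either its original or its translated address.
    """
    tokens = line.split()
    proto = None
    addresses = []
    for i, tok in enumerate(tokens):
        m = ENDPOINT_RE.match(tok)
        if not m:
            continue
        if proto is None and i > 0:
            proto = tokens[i - 1].lower()  # protocol precedes the first endpoint
        addresses.append(m.group(1))
    if len(addresses) < 2:
        return None
    return proto, addresses


def states_involving(host, table_text=SAMPLE_STATES):
    """Return [(proto, addresses, raw_line)] for every state that has `host`
    as an endpoint, i.e. the set that `pfctl -k host` would remove."""
    want = ipaddress.ip_address(host)
    hits = []
    for line in table_text.splitlines():
        parsed = parse_state_line(line)
        if parsed is None:
            continue
        proto, addresses = parsed
        if any(ipaddress.ip_address(a) == want for a in addresses):
            hits.append((proto, addresses, line.strip()))
    return hits


def peers_of(host, table_text=SAMPLE_STATES):
    """Sorted list of the distinct remote addresses `host` has states with."""
    peers = set()
    for _proto, addresses, _raw in states_involving(host, table_text):
        peers.update(a for a in addresses if a != host)
    return sorted(peers, key=ipaddress.ip_address)


def kill_command(host):
    """The pfctl invocation that removes all states involving `host`."""
    return ["pfctl", "-k", str(ipaddress.ip_address(host))]


def main(argv):
    host = argv[1] if len(argv) > 1 else "192.0.2.10"
    affected = states_involving(host)
    print(f"{len(affected)} state(s) involve {host}:")
    for proto, _addresses, raw in affected:
        print(f"  [{proto}] {raw}")
    print("peers:", ", ".join(peers_of(host)))
    print("would run:", " ".join(kill_command(host)))


if __name__ == "__main__":
    main(sys.argv)
```

Running it against the real `pfctl -ss` output first, and only then issuing the printed `pfctl -k` line, keeps the reload safe for sessions you want to survive (an administrator's own SSH session, for instance), which a blanket `pfctl -Fs` would not. As the mail notes, once a state is gone the next packet of that connection is evaluated against the new rules; for a TCP connection that is not a SYN, it will normally be blocked.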