flush states pfctl
hi
I am currently using scripts to load a daypf.conf and nightpf.conf. At night people are allowed to use torrents etc., so when I enable daypf.conf I would like to flush all connections made (connections to trackers etc., although they are not allowed by the new pf.conf).

question: do the states get flushed by disabling and enabling pfctl with another pf.conf? I googled this and read the man page: pfctl -F all. When I do this, pfctl clears all states but my putty console hangs. This is probably due to my state being flushed too.

my script:
Code:
pfctl -d
pfctl -F all
pfctl -e -f /etc/pf.conf
is this the correct way to do it?
I think you also need to flush tables (if you use them in your ruleset):
pfctl -t <tablename> -T flush
flush
Read the man pages of pfctl!
Code:
pfctl -d
pfctl -F all
pfctl -e -f /etc/pf.conf
The first line disables pf. I would not do that. You could just load the new rules and let the existing states/connections terminate naturally. You will probably say that this would be OK for the transition of the tight, "no torrents during the day" rules to the relaxed rules at night, but not for the night -> day transition. Somebody could start a few torrents and because of not flushing the states these connections would continue during the day. For the night -> day transition you could bring a temporary third pf.conf into play, one that simply blocks all traffic. That way you do not have a time frame where pf is not enabled.
Code:
# day to night, don't flush states, let them terminate naturally
pfctl -vf /etc/pf-night.conf
# night to day
# do not allow new connections
pfctl -vf block-all.pf
# flush the states
pfctl -F all
# load the restrictive day rules
pfctl -vf pf-day.conf
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
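A worked version of the night-to-day sequence from the post above, added here as an example; it is not code from the thread or from the pf project. It assumes ruleset files under /etc/pf, an admin host address and an optional client network (all constructed values), and lets PFCTL point at a stub so the command sequence can be checked without touching a live firewall. It also covers the two points a practitioner runs into with the sequence: -F all flushes tables along with states, whereas -F states leaves tables and the loaded block-all rules in place; and a full state flush is exactly what drops the admin's own SSH session, which is why the block-all ruleset keeps an SSH rule for the admin and why, with CLIENT_NET set, only the clients' states are killed with pfctl -k.

```shell
#!/bin/sh
# Added example, not from the thread: switch pf between day and night
# rulesets without ever leaving pf disabled, and without necessarily
# dropping the admin's own SSH session.
# Assumptions (constructed for this example, not stated in the thread):
#   - rulesets live in $PF_DIR as pf-day.conf, pf-night.conf, block-all.pf
#   - the admin connects from $ADMIN_HOST (an RFC 5737 documentation address)
#   - $CLIENT_NET, if set, is the LAN whose states should be killed
#   - $PFCTL can be pointed at a stub command for a dry run

PF_DIR="${PF_DIR:-/etc/pf}"
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"
CLIENT_NET="${CLIENT_NET:-}"
PFCTL="${PFCTL:-pfctl}"

# Transitional ruleset: nothing new gets through, except that the admin may
# (re)open SSH to the firewall, so a dropped session can be re-established.
block_all_ruleset() {
    cat <<EOF
# transitional ruleset: block everything new, keep a door open for the admin
set skip on lo0
block all
pass in quick proto tcp from $ADMIN_HOST to any port 22 keep state
EOF
}

# Write the transitional ruleset to $PF_DIR and print its path.
write_block_all() {
    block_all_ruleset > "$PF_DIR/block-all.pf" || return 1
    printf '%s\n' "$PF_DIR/block-all.pf"
}

# Day -> night: just load the relaxed rules; existing states expire on their own.
to_night() {
    "$PFCTL" -vf "$PF_DIR/pf-night.conf"
}

# Night -> day: close the door first, clear the states, then load the day rules.
# -F states (rather than -F all) keeps tables and the block-all rules loaded
# while states are cleared. With CLIENT_NET set, only the clients' states are
# killed: first those they opened, then those opened towards them. An admin
# session coming from outside that network survives the switch.
to_day() {
    "$PFCTL" -vf "$PF_DIR/block-all.pf" || return 1
    if [ -n "$CLIENT_NET" ]; then
        "$PFCTL" -k "$CLIENT_NET" || return 1
        "$PFCTL" -k 0.0.0.0/0 -k "$CLIENT_NET" || return 1
    else
        "$PFCTL" -F states || return 1
    fi
    "$PFCTL" -vf "$PF_DIR/pf-day.conf"
}

# Post-switch check: count state entries whose dump line contains the given
# address prefix (e.g. "192.168.1."); 0 means no client state survived.
remaining_states() {
    "$PFCTL" -ss | grep -c "$1" || true
}
```

Run the switch from cron at the changeover time rather than from an interactive session: whichever flush is chosen, a session whose state is killed hangs exactly as described in the first post, and the block-all SSH rule only lets the admin reconnect, it does not rescue the old connection.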