#1
Old 27th January 2010
joostvgh joostvgh is offline
Port Guard
Join Date: Jan 2010
Posts: 38
flush states pfctl


I am currently using scripts to load a daypf.conf and a nightpf.conf;
at night people are allowed to use torrents etc.

So when I enable daypf.conf I would like to flush all connections made (connections to trackers etc., although they are not allowed by the new pf.conf).

Do the states get flushed by disabling and enabling pfctl with another pf.conf?

I googled this and read the man page:

pfctl -F all
When I do this, pfctl clears all states but my PuTTY console hangs. This is probably due to my state being flushed too.

my script:
pfctl -d
pfctl -F all
pfctl -e -f /etc/pf.conf

Is this the correct way to do it?
#2
Old 27th January 2010
Simon Simon is offline
Port Guard
Join Date: Jan 2010
Posts: 30

I think you also need to flush tables (if you use them in your ruleset):
pfctl -t <tablename> -T flush
#3
Old 27th January 2010
wesley wesley is offline
Real Name: Wesley
Shell Scout
Join Date: Aug 2009
Location: Reunion Island
Posts: 91
flush

Read the man pages of pfctl!
#4
Old 27th January 2010
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,517

pfctl -d
pfctl -F all
pfctl -e -f /etc/pf.conf
Interesting problem, I never had to deal with something like this.

The first line disables pf. I would not do that. You could just load the new rules and let the existing states/connections terminate naturally.

You will probably say that this would be OK for the transition from the tight "no torrents during the day" rules to the relaxed rules at night, but not for the night -> day transition.
Somebody could start a few torrents and, because the states were not flushed, these connections would continue during the day.

For the night->day transition you could bring a temporary third pf.conf into play: one that simply blocks all traffic. That way you do not have a time frame where pf is not enabled.

# day to night, don't flush states, let them terminate naturally
pfctl -vf /etc/pf-night.conf

# night to day
# do not allow new connections
pfctl -vf block-all.pf
# flush the states only; "-F all" would also flush the block-all rules
# just loaded, leaving pf enabled with an empty (pass-all) ruleset
pfctl -F states
# load the restrictive day rules
pfctl -vf pf-day.conf
But I must admit that I am not really sure whether this is the best approach.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
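A fail-closed version of the night-to-day sequence described in the post above, added here as an example and not code from the thread. The ruleset paths and the PFCTL variable (which lets you point the script at a stub for a dry run) are assumptions; every ruleset is parse-checked with -n before anything is loaded, and only the state table is flushed so the block-all rules stay in force until the day rules replace them:

```shell
#!/bin/sh
# Assumed locations of the three rulesets; adjust to your own layout.
PFCTL=${PFCTL:-pfctl}
DAY_RULES=${DAY_RULES:-/etc/pf-day.conf}
NIGHT_RULES=${NIGHT_RULES:-/etc/pf-night.conf}
BLOCK_ALL=${BLOCK_ALL:-/etc/pf-block-all.conf}

# Emit the ordered pfctl arguments for a transition, one command per line.
# night: load the relaxed rules; existing states are left to end on their own.
# day:   load block-all (no new connections), flush only the state table
#        (-F states, not -F all, so the block-all rules remain loaded), then
#        load the restrictive day rules. pf is never disabled at any point.
plan_transition() {
    case $1 in
        night) printf '%s\n' "-f $NIGHT_RULES" ;;
        day)   printf '%s\n' "-f $BLOCK_ALL" "-F states" "-f $DAY_RULES" ;;
        *)     echo "usage: plan_transition day|night" >&2; return 2 ;;
    esac
}

# Parse-check every ruleset (-n: check only, do not load) before touching the
# running configuration, so a syntax error cannot leave the box half-switched.
check_rulesets() {
    for f in "$DAY_RULES" "$NIGHT_RULES" "$BLOCK_ALL"; do
        "$PFCTL" -nf "$f" || return 1
    done
}

# Run the planned commands in order, stopping at the first failure. If the day
# rules fail to load after block-all is in place, pf keeps block-all (fail closed).
apply_transition() {
    check_rulesets || { echo "ruleset check failed, nothing changed" >&2; return 1; }
    plan_transition "$1" | while read -r args; do
        # $args is intentionally word-split into separate pfctl arguments
        "$PFCTL" $args || { echo "pfctl $args failed; stopping" >&2; exit 1; }
    done
}
```

Run it as `sh pf-switch.sh` after adding a call such as `apply_transition day` at the bottom, or set PFCTL=echo first to see the exact command sequence without touching pf.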