flush states pfctl
I am currently using scripts to load a daypf.conf and nightpf.conf
At night people are allowed to use torrents etc.
So when I enable daypf.conf I would like to flush all connections made (connections to trackers etc., although they are not allowed by the new pf.conf).
Do the states get flushed by disabling and enabling pfctl with another pf.conf?
I googled this and read the man page:
pfctl -F all
When I do this, pfctl clears all states but my PuTTY console hangs. This is probably due to my state being flushed too.
pfctl -F all
pfctl -e -f /etc/pf.conf
is this the correct way to do it?
pfctl -d
pfctl -F all
pfctl -e -f /etc/pf.conf
The first line disables pf. I would not do that. You could just load the new rules and let the existing states/connections terminate naturally.
You will probably say that this would be OK for the transition from the tight "no torrents during the day" rules to the relaxed rules at night, but not for the night -> day transition.
Somebody could start a few torrents and then, because the states were not flushed, these connections would continue during the day.
For the night->day transition you could bring a temporary third pf.conf into play. One that simply blocks all traffic. That way you do not have a time frame where pf is not enabled.
# day to night, don't flush states, let them terminate naturally
pfctl -vf /etc/pf-night.conf

# night to day
# do not allow new connections
pfctl -vf block-all.pf
# flush the states
pfctl -F all
# load the restrictive day rules
pfctl -vf pf-day.conf
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump