Solved PF - Can't block abusive IP

Hi,

I have a problem with a certain IP-address generating a lot of traffic over IMAPS from my mailserver to said IP-address.

iftop:
Code:
abusive.ip.com:51634 => my.mailserver.com:imaps 342Kb   326Kb   376Kb
                     <=                         9.87Mb  9.76Mb  9.34Mb

So I figured I better block this IP with PF, which looks like this:
Code:
table <villains> { 77.169.197.6 }

# ... NAT and rdr rules (omitted here) ...

block in quick from <villains> to any
block out quick from any to <villains>

I figured this would terminate any traffic to or from this IP. But for some reason, it keeps going. When I monitor the traffic with iftop, I don't see it go away.

To test these rules, I added an IP from an external VPN I have. And surely, I wasn't able to connect anymore. So, the rule does work. But why does the flow of outgoing traffic not stop?
 
Loading new rules does not remove existing states. So it's possible they already had a connection. As long as that connection stays active the state does too. Find the exact state and kill it.
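What that reply describes, as an added example that is not part of the original thread: add the host to the table and then clear the pf states that were created before the block rule was loaded, which is the reason the traffic kept flowing. Only the IP 77.169.197.6 and the <villains> table name come from the thread; the local address 10.0.0.5 and the sample `pfctl -ss` lines are constructed so the script can be run offline.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's or replier's code).
# Blocks a host in the <villains> table and kills the pf states that already
# exist for it, so the block takes effect on live connections too.
# Assumed/constructed: local address 10.0.0.5 and the SAMPLE_STATES text below.

BAD_HOST="77.169.197.6"
TABLE="villains"

# Constructed sample of `pfctl -ss` output in FreeBSD's format:
# <if> <proto> <local addr:port> <direction> <remote addr:port> <state>
SAMPLE_STATES='all tcp 10.0.0.5:993 <- 77.169.197.6:51634       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:993 <- 198.51.100.7:40211       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:993 <- 77.169.197.60:6120       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.5:44012 -> 77.169.197.6:443       FIN_WAIT_2:FIN_WAIT_2
all udp 10.0.0.5:9145 -> 192.0.2.53:53       MULTIPLE:MULTIPLE'

# states_for_host HOST: read `pfctl -ss` lines on stdin and print those where
# HOST is exactly one of the two endpoints. The :port suffix and any IPv6
# brackets are stripped before comparing, so 77.169.197.6 does not match
# 77.169.197.60 the way a plain grep would.
states_for_host() {
    awk -v h="$1" '
        function addr(s) {
            sub(/:[^:]*$/, "", s)   # drop the trailing :port
            gsub(/\[/, "", s)       # drop IPv6 brackets
            gsub(/\]/, "", s)
            return s
        }
        addr($3) == h || addr($5) == h { print }'
}

# count_states_for_host HOST: same filter, prints the number of matching states.
count_states_for_host() {
    states_for_host "$1" | awk 'END { print NR }'
}

# kill_commands HOST: print the pfctl invocations for the fix.
#   pfctl -t T -T add HOST      adds HOST to the table the block rules use
#   pfctl -k HOST               kills states that originate from HOST
#   pfctl -k 0.0.0.0/0 -k HOST  kills states from anywhere to HOST
kill_commands() {
    printf 'pfctl -t %s -T add %s\n' "$TABLE" "$1"
    printf 'pfctl -k %s\n' "$1"
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

# Offline demonstration on the constructed sample.
echo "States involving $BAD_HOST:"
printf '%s\n' "$SAMPLE_STATES" | states_for_host "$BAD_HOST"
echo "Count: $(printf '%s\n' "$SAMPLE_STATES" | count_states_for_host "$BAD_HOST")"
echo "Commands to run as root on the mail server:"
kill_commands "$BAD_HOST"

# Live run only where pf is available and we are root; afterwards the state
# listing for the host should be empty.
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    kill_commands "$BAD_HOST" | sh
    pfctl -ss | states_for_host "$BAD_HOST"
fi
```

`pfctl -k` only removes pf's state entries; the mail daemon's TCP socket still exists until it times out or is dropped with tcpdrop(8), but with the state gone and the block rule in place no further packets for that connection pass the firewall. `pfctl -F states` would also work but flushes every state on the box, so the per-host form above is the one to reach for.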
 
I guess it was this active connection thing. I didn't know pf didn't catch those. So, good to know. And good to know I can use tcpdrop to kill future unwanted connections.

In the meantime, the problem went away. Probably because the existing connection ended and a new one couldn't be created. Because this time, pf did its thing.

Thanks guys :beer::)