# pf does not kill state of offending ip



## robobila (Apr 9, 2010)

hi there,

I am new to pf and I ran into a weird problem. When snort adds a new IP into a pf table that is blocked, pf does not kill the state of the offending IP address (which means that the existing connection is not blocked by pf; only new connections will be blocked).

I tried the following rule for that, but I am not sure if it is OK....


```
block quick from <snort2c> to any label "Block snort2c hosts"
    (max-src-conn 100, max-src-conn-rate 15/5, flush)
```

The flush option should kill the state for all existing connections, but I am not sure...
Does anyone have any ideas?

thanks.


----------



## DutchDaemon (Apr 9, 2010)

pf.conf(5)


```
The optional flush keyword kills all states created by the matching rule
which originate from the host which exceeds these limits.  The global
modifier to the flush command kills all states originating from the
offending host, regardless of which rule created the state.
```


----------



## robobila (Apr 9, 2010)

dutchdaemon,

thanks for your reply... I tried the following rule but it does not work:


```
block quick from <snort2c> to any label "Block snort2c hosts"
    (max-src-conn 100, max-src-conn-rate 15/5, flush)
```

Is there another way to kill the state of an existing connection (whose source IP is already in the snort2c table) and block the IP at the same time?


----------



## DutchDaemon (Apr 10, 2010)

That's the exact same rule, no? Anyway, I've never used 'flush' on a block rule, only on pass rules, like:


```
pass in quick on $ext_if inet proto tcp from any to $ext_if port { 25 80 } \
    synproxy state (max-src-conn 40, max-src-conn-rate 40/5, \
    overload <bruteforce> flush global)
```


----------
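The two replies above leave the underlying reason implicit: `max-src-conn`, `overload` and `flush` are state-tracking options, and a block rule never creates state, so attaching them to a block rule gives `flush` nothing to act on. The following pf.conf fragment is an added example, not a configuration from the thread or from any of its posters; it places the thread's `<snort2c>` block rule beside DutchDaemon's pass rule and assumes an interface named `em0` for `$ext_if`.

```pf
# Added example (not from the thread). Assumes $ext_if = em0 and that the
# IDS adds addresses to <snort2c>; <bruteforce> is filled by pf itself.
ext_if = "em0"
table <snort2c> persist
table <bruteforce> persist

# Weak: state options on a block rule. A block rule creates no state, so
# 'flush' has nothing to act on (pfctl may reject the options outright), and
# existing connections from a newly added address keep flowing until their
# states expire on their own.
# block quick from <snort2c> to any (max-src-conn 100, max-src-conn-rate 15/5, flush)

# Corrected: plain block rules for both tables, placed before the pass rule
# so 'quick' stops evaluation. States of addresses the IDS adds to <snort2c>
# must be killed from outside pf (pfctl -k <addr>) at the moment of adding.
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from <bruteforce> to any label "Block bruteforce hosts"

# The limits belong on the state-creating pass rule: 'overload' puts the
# offender into <bruteforce> and 'flush global' kills all of its states,
# regardless of which rule created them.
pass in quick on $ext_if inet proto tcp from any to $ext_if port { 25 80 } \
    synproxy state (max-src-conn 40, max-src-conn-rate 40/5, \
    overload <bruteforce> flush global)
```

The `overload`/`flush global` path only covers hosts that trip pf's own counters; addresses that an external IDS inserts into a table never pass through those counters, which is why the table insert and the state kill have to be done together by whatever script or daemon feeds the table.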



## ohauer (Apr 11, 2010)

robobila said:

> hi there,
> 
> I am new to pf and I ran into a weird problem. When snort adds a new IP into a pf table that is blocked, pf does not kill the state of the offending IP address (which means that the existing connection is not blocked by pf; only new connections will be blocked).

This is exactly what I implemented in the snortsam pf2 module.
Build snort with snortsam and read the documentation for the pf2 module: http://www.snortsam.net/files/docs/README.pf2

Hint: if you send traps from snort to a snortsam daemon on localhost

```
# grep fwsam /usr/local/etc/snort/snort.conf
output alert_fwsam: 127.0.0.1/foobar
```

then set the following parameters in snortsam.conf

```
# grep -v -e '^#' -e '^$' /usr/local/etc/snortsam/snortsam.conf
daemon
accept 127.0.0.1/32,  foobar
dontblock 1.2.3.4
dontblock 2.3.4.5
logfile /var/log/snortsam
loglevel 3
disableseqnocheck
pf2 anchor=snortsam table=block
```

Now change your /etc/pf.conf to contain these lines shortly after the first rule.

```
# filter rules
# anchor name must match the "pf2 anchor=snortsam" setting in snortsam.conf
anchor snortsam
load anchor "snortsam" from "/etc/pf.conf.snortsam"
```


```
# /etc/pf.conf.snortsam
# tables
table <blockin> persist
table <blockout> persist
# filter rules
block drop in quick log on bge0 from <blockin> to any
block drop in quick log on bge1 from any to <blockout>
```

Change the interfaces in /etc/pf.conf.snortsam to match your interfaces.


----------
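For setups that feed a pf table directly from an IDS (robobila's `<snort2c>` case) rather than through snortsam, the missing piece is the state kill at the moment the address is added. The script below is an added example, not code from the thread or from snortsam; it assumes pfctl(8) as found on FreeBSD (`-t/-T add` for tables, `-k` for killing states), takes the table name `snort2c` from the thread, and validates the address before it reaches the shell, because an address taken from an IDS alert is untrusted input.

```shell
#!/bin/sh
# Added example (not from the thread): add an address to a pf table and kill
# its existing states in one step, which adding to the table alone does not do.
# Assumes FreeBSD pfctl(8); table name "snort2c" is taken from the thread.
set -eu

# PFCTL can be pointed at a stub (PFCTL=echo) to dry-run without touching pf.
PFCTL="${PFCTL:-pfctl}"

# Accept only a plain dotted-quad IPv4 address with octets 0..255.
# Rejects anything else (names, shell metacharacters, IPv6, CIDR).
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $ip; do
        n=$((n + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# block_and_kill ADDR [TABLE]: block new connections via the table, then kill
# every state in which ADDR is the source or the destination.
block_and_kill() {
    addr=$1
    table=${2:-snort2c}
    if ! is_ipv4 "$addr"; then
        echo "refusing invalid address: $addr" >&2
        return 2
    fi
    "$PFCTL" -t "$table" -T add "$addr"   # new connections now hit the block rule
    "$PFCTL" -k "$addr"                    # kill states originating from ADDR
    "$PFCTL" -k 0.0.0.0/0 -k "$addr"       # kill states whose target is ADDR
}

# Usage: block_and_kill.sh 192.0.2.10 [snort2c]
if [ $# -gt 0 ]; then
    block_and_kill "$@"
fi
```

The `pfctl -k 0.0.0.0/0 -k host` form is the one pfctl(8) documents for killing all states with a given target; without it, connections the offending host has already accepted inbound (for example a reply stream) would survive the table insert.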

