# PF don't drop connections



## BernardoCR (Jan 19, 2011)

Hello,

I have a firewall configured to have a table with IPs that should be blocked and dropped.

But when I use tcptrack, I can see all the connections:


```
189.41.221.78:57042   67.43.230.251:7004    SYN_SENT     14s    0 B/s
 189.60.153.48:64299   67.43.230.251:7004    SYN_SENT     3s     0 B/s
 189.41.221.78:57091   67.43.230.251:7004    SYN_SENT     8s     0 B/s
 189.60.153.48:64311   67.43.230.251:7004    SYN_SENT     1s     0 B/s
 189.41.221.78:57013   67.43.230.251:7004    SYN_SENT     26s    0 B/s
 189.60.153.48:64274   67.43.230.251:7004    SYN_SENT     12s    0 B/s
```

and a lot more.

This should be dropped, but even with the rules I have my server sends the SYN.

The rule that seems not to be working is:


```
block drop in quick on $externa from <vlwc>
```

Shouldn't it drop the connections from the IPs, as soon as they connect to the server?

I don't know if I am doing something wrong.


----------



## BernardoCR (Jan 19, 2011)

*continues*


```
antispoof quick for $externa inet

table <sshbf> persist
table <vlwc> persist
table <www> persist

# ACESSO A TUDO (BERNARDO)
pass in quick on $externa inet proto { tcp,udp,icmp } from 201.86.64.72 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 201.86.64.72 synproxy state

block in  all
block out all

# ACESSO AO MIBBIT
pass in quick on $externa inet proto { tcp,udp,icmp } from 207.192.75.252 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 207.192.75.252 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 64.62.228.82 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 64.62.228.82 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 109.169.29.95 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 109.169.29.95 synproxy state
pass in quick on $externa inet proto { tcp,udp,icmp } from 78.129.202.38 to any synproxy state
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 78.129.202.38 synproxy state

block drop in quick on $externa from <sshbf>
block drop in quick on $externa from <vlwc>
block drop in quick on $externa from <www>

block drop in quick on $externa proto { tcp,udp } from 201.62.188.29 to any
block drop in quick on $externa proto { tcp,udp } from any to 67.43.226.174

pass in quick on $externa inet proto { tcp,udp } from any to any port 1935
pass out quick on $externa inet proto { tcp,udp } from any to any port 1935

pass in quick on $externa inet proto { tcp,udp,icmp } from 187.112.66.222 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 187.112.66.222

# SELENA
pass in quick on $externa inet proto { tcp,udp,icmp } from 189.107.20.189 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 189.107.20.189

pass in quick on $externa inet proto { tcp,udp,icmp } from 72.20.41.159 to any
pass out quick on $externa inet proto { tcp,udp,icmp } from any to 72.20.41.159
```


----------



## SirDice (Jan 19, 2011)

BernardoCR said:
			
		

> But when I use tcptrack, I can see all the connections:
> 
> 
> ```
> ...


No, all you are seeing is the machine itself sending the SYN packet. Even when it's blocked by the firewall the application/OS will still send out a SYN. Because it's blocked this SYN packet will get silently dropped by the firewall and never reach it's destination. The application/OS however doesn't know this and will wait for the SYN-ACK until it times out. If you really want to "kill" the connection you'll need to return a RST packet. The application/OS will receive the RST and tear down the connection attempt.


```
block return-rst in quick on $externa inet proto tcp from <vlwc>
```

Obviously this only works for TCP connections. For UDP you'll need to return an ICMP port unreachable.


----------

