# How to clobber (drop) connections on FreeBSD?



## Chris_H (Mar 4, 2014)

Greetings,
I used to use sysutils/tcplist, an extension/interface to sysutils/lsof, for listing the current connections to any of my servers. However, it hasn't worked correctly for a year or two; it emits:

```
# tcplist 
lsof: unknown -s protocol: "li"
lsof 4.88
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abChKlnNoOPRtUvV] [+|-c c] [+|-d s] [+|-D D] [+|-f[cfgGn]]
 [-F [f]] [-g [s]] [-i [i]] [-k k] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.
tcplist: Can't get lsof output header
```
Anyway, I've attempted to gather similar information from lsof(1) itself. But I'm unable to get PID numbers, so as to drop the unwanted/abusive hosts/connections. While it's nice to simply add them (offending IPs) to pf.conf(5), that won't drop the current connection(s). Any thoughts how I might accomplish this?

Thank you for all your time, and consideration.

--Chris


----------



## Chris_H (Mar 4, 2014)

Well, the closest thing I could find was sockstat(1). But it doesn't account for "hanging" connections made earlier, before it was run. Sad. We get a lot of attempts to abuse our mail server. The foreign connection is made to the mail server, and holds the connection open, in an effort to pipeline mail (SPAM) into our mail server, or to "deflect" it to other (more vulnerable) servers/clients. Pity, seems we'll just have to let our sockets get filled with/by abusive servers/clients. Uptime will then have to be limited, because the only way to clear those "dangling" connections, will be to "bounce" the server(s). Or possibly bring all the network services down, followed by the network interfaces. Not very elegant, or ideal.

--Chris


----------



## SirDice (Mar 4, 2014)

Chris_H said:

> While it's nice to simply add them (offending IPs) to pf.conf(5), that won't drop the current connection(s). Any thoughts how I might accomplish this?


Have a look at the -k option of pfctl(8). With it you can kill states, effectively cutting off a connection.


----------
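Added example, not part of any post in this thread: the pfctl(8) `-k` suggestion above, combined with the table-based block Chris_H mentions, as a dry-run script. The table name `abusers`, the `PF_APPLY` switch, the helper names and the sample address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pf.conf already has, with a
# hypothetical table name:
#   table <abusers> persist
#   block drop quick from <abusers>
TABLE="${TABLE:-abusers}"

# Accept only a dotted-quad IPv4 address: the value reaches a root command line.
# The body runs in a subshell so the IFS change does not leak.
valid_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Dry run by default; set PF_APPLY=1 (as root) to execute the commands.
run() {
    if [ "${PF_APPLY:-0}" = 1 ]; then "$@"; else echo "would run: $*"; fi
}

pf_drop() {
    if ! valid_ipv4 "$1"; then
        echo "refusing: not an IPv4 address: $1" >&2
        return 1
    fi
    # 1. Block first, so the peer cannot re-create state after the kill.
    run pfctl -t "$TABLE" -T add "$1"
    # 2. Kill the states this host originated (its inbound connections).
    run pfctl -k "$1"
    # 3. Kill states from any source towards this host.
    run pfctl -k 0.0.0.0/0 -k "$1"
}

pf_drop 203.0.113.45   # constructed address from the RFC 5737 documentation range
```

Removing the state stops pf from passing that connection's packets once the block rule is in place; the server-side socket itself remains until the daemon or TCP times it out.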



## kpa (Mar 4, 2014)

You need some kind of packet filter like pf(4) to do this. UNIX networking code wasn't designed to be able to kill arbitrary connections at will; it's a product of those "happy days" when all peers were trusted and you didn't have to worry about spam/(D)DoS etc.


----------



## Chris_H (Mar 4, 2014)

SirDice said:

> Chris_H said:
>
> ...


Gah! I'm ashamed of myself. I _should_ have already known that from my current, and lengthy use of it (pf()).
Thank you @SirDice for pointing that out. I don't know whether to be angry at you for catching me on that, or thankful you gave me the answer.

Thanks again, @SirDice. *Greatly* appreciated! 

--Chris


----------

