On 2013-02-07, Martijn van Duren <martijn...@gmail.com> wrote:
> Thanks for all the quick responses, but if I understand you all
> correctly there is no way to cut off an established connection by adding
> an ip address to a blocked table, so I'm still left with my two stage
> drop off the connection (both adding the ip to the table and killing
> the connection manually).

Correct, because the state table is checked *before* packets run through the firewall ruleset.
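
The two-stage drop discussed in this thread, wrapped in one function, as an added example that is not part of the original messages. It assumes the firewall is OpenBSD pf driven through `pfctl`, a table named `blocked`, and IPv4 addresses only; the `PFCTL` and `BLOCK_TABLE` variables and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenBSD pf and a ruleset
# that already blocks traffic from/to the table named below.
PFCTL="${PFCTL:-pfctl}"                 # hypothetical override, e.g. for a dry run
BLOCK_TABLE="${BLOCK_TABLE:-blocked}"   # assumed table name

# Accept only a dotted-quad IPv4 address so nothing else reaches pfctl.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

block_and_kill() {
    ip=$1
    is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 2; }
    # Stage 1: add the table entry first, so a reconnect attempt is
    # evaluated by the ruleset and cannot create a fresh state.
    $PFCTL -t "$BLOCK_TABLE" -T add "$ip" || return 1
    # Stage 2: remove existing states; packets matching a state are
    # passed before the ruleset (and the table) is ever consulted.
    $PFCTL -k "$ip" || return 1                # states originating from the address
    $PFCTL -k 0.0.0.0/0 -k "$ip" || return 1   # states targeting the address
}

# Run stand-alone as: sh block.sh 192.0.2.10
if [ "$#" -gt 0 ]; then
    block_and_kill "$1"
fi
```

Running it with `PFCTL=echo` prints the three `pfctl` invocations without touching the firewall.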