On 18 April 2014 16:29, Tristan PILAT <tristan.pi...@gmail.com> wrote:
> 2014-04-18 10:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>
> > 2014-04-17 19:27 GMT+02:00 Tristan Pilat <tristan.pi...@gmail.com>:
> >
> >> On 17 April 2014 19:02:14 CEST, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> >> > You can't use rtlabels for matching the source, at least I think it
> >> > does not work. I would try to use the "set pftable dos" in bgpd and
> >> > "block quick drop from <dos>" in pf.
> >>
> >> Ok, I will try this tomorrow, thanks. But if it does not work, how can I
> >> set up a blackhole based on source address as described in RFC 5635 with
> >> OpenBSD?
> >> --
> >> Tristan
> >
> > Me again.
> >
> > This slide from a presentation by Henning Brauer is very interesting...
> > http://quigon.bsws.de/papers/2014/asiabsdcon/mgp00031.html
> >
> > I keep digging :-)
> > --
> > Tristan
>
> Thanks Claudio, I just tested it and it works with "set pftable dos" in
> bgpd.conf and "block drop quick from <dos>" in pf.conf, but there is still a
> small thing. In my lab I tried this, sending ICMP, and it works only if I
> stop the ping command and relaunch it. I mean, if I'm pinging an IP
> address and set the "bgpctl network add..." it doesn't hang ping.
>
> How can I stop the flow immediately with PF?

Sounds like your traffic is matching an existing state which is why it's still
passing. Look at pfctl manpage, and more specifically the -k switch.

Marios

> --
> Tristan
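The pieces the thread converges on (bgpd feeding a pf table, a block rule on that table, and pfctl -k to drop states that already exist) put together as an added example. This is not Tristan's or Claudio's configuration; the table name "dos", the trigger peer address 192.0.2.1, the script name rtbh.sh and the DRY_RUN/PFCTL/TABLE variables are assumptions made for the example. The bgpd.conf and pf.conf fragments are in the comment header; the script itself only wraps pfctl(8), printing the commands by default and running them when DRY_RUN=0.

```shell
#!/bin/sh
# rtbh.sh: source-based blackhole on an OpenBSD router with bgpd(8) and pf(4).
# Added example for this thread, not a config from the original posts.
#
# bgpd.conf (assumed): prefixes received from an RTBH trigger peer are copied
# into the pf table <dos> by bgpd; the prefixes are injected on the trigger
# with "bgpctl network add ..." as in the thread.
#
#     neighbor 192.0.2.1 {
#         descr "rtbh-trigger"
#         set pftable "dos"
#     }
#
# pf.conf (assumed): declare the table so it survives ruleset reloads, and
# drop traffic from (and to) it before any pass rule can create a state.
#
#     table <dos> persist
#     block drop quick from <dos>
#     block drop quick to <dos>
#
# A block rule is only consulted for packets that do not match an existing
# state, so a ping (or any flow) that was already running keeps passing until
# its state is removed; that is what kill_flows does.

PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-dos}
DRY_RUN=${DRY_RUN:-1}   # DRY_RUN=0 on the router (as root) to really run pfctl

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# kill_flows <prefix>: remove pf states originating from the prefix, then
# those towards it. pfctl -k accepts a host or a network; the second form
# ("-k 0.0.0.0/0 -k <prefix>") is the manpage's idiom for "to this host".
kill_flows() {
    prefix=$1
    run "$PFCTL" -k "$prefix"
    run "$PFCTL" -k 0.0.0.0/0 -k "$prefix"
}

# check_blackholed <address>: ask pf whether the address matches the table,
# i.e. whether bgpd has installed the prefix that covers it.
check_blackholed() {
    addr=$1
    run "$PFCTL" -t "$TABLE" -T test "$addr"
}

case "${1:-}" in
    kill)  kill_flows "$2" ;;
    check) check_blackholed "$2" ;;
    *)     ;;   # no arguments: only define the functions (e.g. when sourced)
esac
```

On the router the sequence is: the trigger announces the prefix, bgpd adds it to <dos>, and then `DRY_RUN=0 ./rtbh.sh kill 192.0.2.0/24` clears the states so the block rule takes effect for the next packet. Killing states is deliberately blunt: every existing flow with that prefix as source or destination is dropped, which is the intended effect of a source-based blackhole but is worth remembering when the table is fed by a peer you do not fully control.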