2014-04-18 16:34 GMT+02:00 Marios Makassikis <mmakassi...@gmail.com>:
> On 18 April 2014 16:29, Tristan PILAT <tristan.pi...@gmail.com> wrote:
>> 2014-04-18 10:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>>> 2014-04-17 19:27 GMT+02:00 Tristan Pilat <tristan.pi...@gmail.com>:
>>>> On 17 April 2014 19:02:14 CEST, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>>>>> You can't use rtlabels for matching the source, at least I think it does
>>>>> not work. I would try to use the "set pftable dos" in bgpd and
>>>>> "block quick drop from <dos>" in pf.
>>>>
>>>> OK, I will try this tomorrow, thanks. But if it does not work, how can I
>>>> set up a blackhole based on source address as described in RFC 5635 with
>>>> OpenBSD?
>>>> --
>>>> Tristan
>>>
>>> Me again.
>>>
>>> This slide from a presentation by Henning Brauer is very interesting...
>>> http://quigon.bsws.de/papers/2014/asiabsdcon/mgp00031.html
>>>
>>> I'll keep digging :-)
>>> --
>>> Tristan
>>
>> Thanks Claudio, I just tested it and it works with "set pftable dos" in
>> bgpd.conf and "block drop quick from <dos>" in pf.conf, but there is still a
>> small thing. In my lab I tried this, sending ICMP, and it works only if I
>> stop the ping command and relaunch it. I mean, if I'm pinging an IP
>> address and set the "bgpctl network add ...", it doesn't hang ping.
>>
>> How can I stop the flow immediately with PF?
>
> Sounds like your traffic is matching an existing state, which is why it's
> still passing.
> Look at the pfctl manpage, and more specifically the -k switch.

Yes, it works with pfctl -k. Now I need to find a way to use "flush" in pf.conf to kill the states.
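The state-killing step the thread arrives at, as an added shell example that is not from any participant in the thread: the pf rule on <dos> only stops new flows, so states already open for a blackholed source have to be removed with pfctl -k. The table name dos is the one used in the thread; the PFCTL and RTBH_TABLE variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Once bgpd has put a blackholed source
# into the pf table (via "set pftable dos") and pf.conf blocks it with
# "block drop quick from <dos>", the rule only stops NEW flows: packets that
# match an existing state entry keep passing until that state expires.
# pfctl -k removes those states so the flow stops immediately.
#
# Assumptions: the table name "dos" comes from the thread; PFCTL and
# RTBH_TABLE are knobs of this example. Set PFCTL=echo to dry-run the
# commands without touching a real pf(4).
: "${PFCTL:=pfctl}"
: "${RTBH_TABLE:=dos}"

# Read one address or prefix per line, the format that
# "pfctl -t <table> -T show" prints, and kill the states each entry already
# has open, in both directions:
#   pfctl -k <host>               kills states originating from <host>
#   pfctl -k 0.0.0.0/0 -k <host>  kills states destined to <host>
# The "any" side must be in the same address family as the entry, so IPv6
# entries are paired with ::/0 instead of 0.0.0.0/0.
rtbh_kill_states() {
    while read -r entry; do
        case "$entry" in
            '' | \#*) continue ;;   # skip blank lines and comments
            *:*)      any='::/0' ;;
            *)        any='0.0.0.0/0' ;;
        esac
        "$PFCTL" -k "$entry"
        "$PFCTL" -k "$any" -k "$entry"
    done
}

# Kill the states of everything currently in the blackhole table. Run this
# right after a new prefix is announced (e.g. after "bgpctl network add ...")
# so the flow does not survive on an existing state.
rtbh_flush_blackholed() {
    "$PFCTL" -t "$RTBH_TABLE" -T show | rtbh_kill_states
}
```

Sourcing the file and calling rtbh_flush_blackholed as root does the real work; with PFCTL=echo it only prints the pfctl invocations it would run.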