On 2017-04-06, <bytevolc...@safe-mail.net> <bytevolc...@safe-mail.net> wrote:
> On Wed, 5 Apr 2017 22:44:54 +0000 (UTC)
> Stuart Henderson <s...@spacehopper.org> wrote:
>
>> On 2017-04-05, <bytevolc...@safe-mail.net>
>> <bytevolc...@safe-mail.net> wrote:
>> > I've been using a trick to emulate scheduled rules using IP
>> > tables.
>>
>> Nice trick. Anchors are also good for this.
>>
>> But don't forget that active connections won't be dropped unless you
>> also flush the relevant states.
>>
>
> Anchors do not work with securelevel=2. This trick works in
> securelevel=2.
Oh, people actually use that? :)

> As for active connections, the goal here is to prevent new connections
> being made after closing time. I don't want my connection to close just
> because it is a few seconds after closing time, especially when I
> already got in before the ports were closed. It may be worth closing
> long-standing connections eventually though.
>
> Maybe something like this:
>
> 0 18 * * * * root /sbin/pfctl -F states
>
> If it's given as an example for something, it's definitely important to
> point out about active connections.

-F states will kill the "wanted" states too; I use pfctl -k to knock out
just the relevant hosts.
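To make the two points in this exchange concrete (blocking new connections after closing time without a full state flush, and then reaping only the affected states), here is an added example script; it is not the poster's trick nor anything from the thread, and the table name `closed`, the pf.conf rule, the script path, the crontab entries and the service host addresses are all assumptions or constructed samples. It uses a pf table that cron fills at closing time and empties at opening time, and uses `pfctl -k` with a destination host (the `pfctl -k 0.0.0.0/0 -k host` form from the pfctl manual) instead of `pfctl -F states`, so unrelated states survive:

```shell
#!/bin/sh
# Added example, not code from the thread. Emulate time-scheduled pf rules
# with a table that cron fills at closing time and empties at opening time,
# and kill only the states that matter instead of flushing all of them.
#
# Assumed pf.conf rule (not on the page):
#   table <closed> persist
#   block in quick inet proto tcp to <closed> port { 22 80 }
#
# Assumed /etc/crontab entries (five time fields, then the user):
#   0 18 * * *  root  /usr/local/sbin/office-hours.sh close
#   30 18 * * * root  /usr/local/sbin/office-hours.sh reap
#   0 8  * * *  root  /usr/local/sbin/office-hours.sh open
#
# PFCTL can be overridden (e.g. PFCTL=echo) to try this on a host without pf.

PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-closed}
# Constructed sample: hosts whose services go offline after hours.
SERVICE_HOSTS=${SERVICE_HOSTS:-"192.0.2.10 192.0.2.11"}

# Commands that close the service hosts: adding them to the table makes new
# connections hit the block rule while existing states keep working.
close_cmds() {
    for h in $SERVICE_HOSTS; do
        echo "$PFCTL -t $TABLE -T add $h"
    done
}

# Commands that re-open the service hosts at opening time.
open_cmds() {
    for h in $SERVICE_HOSTS; do
        echo "$PFCTL -t $TABLE -T delete $h"
    done
}

# Commands that drop only the states whose destination is a service host;
# the targeted alternative to 'pfctl -F states', which would also kill the
# states you want to keep. '-k 0.0.0.0/0 -k host' means "from any to host".
reap_cmds() {
    for h in $SERVICE_HOSTS; do
        echo "$PFCTL -k 0.0.0.0/0 -k $h"
    done
}

# Run one action; with DRY_RUN set, print the commands instead of running them.
run() {
    case "$1" in
        close) close_cmds ;;
        open)  open_cmds ;;
        reap)  reap_cmds ;;
        *) echo "usage: $0 close|open|reap" >&2; return 2 ;;
    esac | while read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

# Only act when invoked as the installed script, not when sourced.
case "$0" in
    *office-hours.sh) run "$1" ;;
esac
```

Splitting `close` and `reap` into two cron entries keeps the behaviour the poster asked for: a connection established just before closing time is not cut off at 18:00, but long-standing sessions to the closed hosts are reaped half an hour later, while states to every other host are untouched.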