State Killing Buttons on State Table Have Strange Behavior
-
pfctl isn't smart enough to kill just one state by port, when you use the "x" button it kills all states between the IP addresses it lists when you mouseover. If it's a state with NAT applied, the kill is between your public IP address and the remote destination IP address which could catch quite a lot if you have multiple connections going there.
-
Also the "filter" feature has no effect on the "x" behavior. It does not limit that in any way. It only filters the output.
-
It's the "kill" button (versus the 'x') that's being questioned though. But it seems (from my limited knowledge on viewing this) that 'x' and 'kill' call the same thing.
https://github.com/pfsense/pfsense/blob/master/usr/local/www/diag_dump_states.php
edit: Kill is for all states for the 'filtered' IP… 'x' is for states with the src and dst IP?
-
Yes, kill button kills all states TO and FROM the filtered IP address (or a subnet works there also); however the filtering and kill behavior would differ slightly since pfctl interprets that as an IP address explicitly while filter would match a substring/partial. So a kill for x.x.x.10 would only kill states to/from x.x.x.10 but filter would also show you states for x.x.x.100, 101, 102, and so on.
The 'x' button will tell you exactly what it will do on mouseover. It lists the IP addresses and it kills all states between those two addresses. Which ones it shows depends on the type of state.
-
You know, I think I have come across this too. I could be wrong.
Every now and then I check my state table for folks trying to hammer my Windows RDP machine. I'll add their IP to an alias rule and kill their table states. This used to work fine on v2.1.x. Now when I kill the table states and hit the filter button, the connections keep showing up like your video shows.
-
Something else to try is enter x.x.x.x/32 and kill that, see if the behavior changes. You'll have to take off the /32 for filtering to work though.
-
Previously I would filter by port using "3389" for RDP. Then hit the X's to kill the connections. I tried using the IP this time so that the "kill" button showed. That seemed to legitimately kill the connections. Hitting the filter button again (and even waiting for a bit) produced no connections popping back up as established. So the X buttons not doing their job?
-
I think I see the source of what you described there. The source and destination are backwards for some states. Ones that look like this:
1.1.1.1:443 <- 10.0.6.20:56835
That's source 10.0.6.20, dest 1.1.1.1. When you hover over the X to the right, it shows the opposite of that. Then when you hit the X to kill it, it kills the opposite direction, which doesn't exist. So only states with the direction as -> worked.
I just fixed that.
https://redmine.pfsense.org/issues/4907

> You know, I think I have come across this too. I could be wrong.

> This used to work fine on v2.1.x.

It's always had this issue, dating back to the introduction of that feature. You just happened to be getting the states in the other direction instead when it previously worked.
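The direction mix-up described in that post, as an added example that is not the pfSense project's code: a small Python parser that reads the state line form quoted above (and full `pfctl -ss` lines, which the thread does not show) and builds `pfctl -k src -k dst` arguments with source and destination in the right order. The sample lines are constructed, and the handling of a NAT counterpart printed in parentheses is an assumption of mine.

```python
# Handles the compact "left <- right" / "left -> right" form quoted in the
# thread and full `pfctl -ss` lines; the sample lines below are constructed.
ARROWS = ("->", "<-")

def split_endpoint(tok):
    """Split 'ip:port' (IPv4) or 'ip[port]' (IPv6, as pfctl prints it)."""
    if tok.endswith("]"):
        ip, port = tok[:-1].rsplit("[", 1)
    else:
        ip, port = tok.rsplit(":", 1)
    return ip, int(port)

def parse_state(line):
    """Return (src_ip, src_port, dst_ip, dst_port) for one state line.

    '->' reads left-to-right as source -> destination.  '<-' prints the
    destination on the left, so the endpoints must be swapped; reading it
    left-to-right is the bug the thread describes (the kill then targets a
    direction that has no state).  A NAT-translated counterpart that pfctl
    prints in parentheses after an endpoint is ignored (assumption: the
    outer endpoint is the one the kill is keyed on, as the thread says).
    """
    toks = [t for t in line.split() if not t.startswith("(")]
    idx = next((i for i, t in enumerate(toks) if t in ARROWS), None)
    if idx is None or idx == 0 or idx + 1 >= len(toks):
        raise ValueError(f"unrecognised state line: {line!r}")
    left, right = split_endpoint(toks[idx - 1]), split_endpoint(toks[idx + 1])
    src, dst = (left, right) if toks[idx] == "->" else (right, left)
    return src[0], src[1], dst[0], dst[1]

def kill_args(line):
    """pfctl arguments that kill all states between the parsed hosts.

    Port granularity is not available (the thread's first point), so every
    state between the two addresses goes, not just this one.
    """
    src, _, dst, _ = parse_state(line)
    return ["pfctl", "-k", src, "-k", dst]

if __name__ == "__main__":
    for sample in ("1.1.1.1:443 <- 10.0.6.20:56835",
                   "all tcp 10.0.6.20:56835 -> 1.1.1.1:443",
                   "all tcp 2001:db8::10[443] <- 2001:db8::20[56835]"):
        print(sample, "=>", " ".join(kill_args(sample)))
```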
-
Awesome, thanks Chris!
-
Also fixed IPv6 individual state killing, which had never worked at all, while I was there.
https://redmine.pfsense.org/issues/4906