Feature #11556
closed
Kill states using the pre-NAT address
Added by Yuri Weinstein over 3 years ago.
Updated 10 months ago.
Plus Target Version:
24.03
Description
Assume you have an external IP XXX
And an OpenVPN net 192.168.200.0/0
After OpenVPN client connects it gets an IP 192.168.200.2
Now let's use States to see and kill all states for 192.168.200.2
There are lots of states look like this:
WAN tcp XXX:49313 (192.168.200.2:62472) -> <some_IP>:443 TIME_WAIT:TIME_WAIT 84 / 108 6 KiB / 129 KiB
And they don't get killed.
Expected - all states associated with 192.168.200.2 killed, or there is an option to select all and allow kill.
Files
- Subject changed from Kill all states associated with an host IP NET address to Kill all states associated with a NAT address
- Category changed from NAT Reflection to Rules / NAT
Correcting the category and subject
The ask here is for a way to kill based on the NAT address in the state instead of the source or destination.
I can confirm this is currently an issue.
- Related to Feature #12807: Clear Active Secondary WAN Connections added
- Related to Bug #13226: Disconnecting a user from Captive Portal may allow previously established connections to continue added
- Assignee set to Reid Linnemann
- Tracker changed from Bug to Feature
- Subject changed from Kill all states associated with a NAT address to Kill states using the pre-NAT address
- Status changed from New to Feedback
- Assignee changed from Reid Linnemann to Marcos M
- Target version set to 2.8.0
- Plus Target Version set to 24.03
- Assignee changed from Marcos M to Kristof Provost
Please also see scenario:
killing states when a pass rule with a schedule expires:
- Status changed from Feedback to In Progress
Hi Chris,
It's not clear to me what the problem is in comment 9. Is that state not getting killed when you'd expect it to be?
If so, what version are you testing? Can you describe the entire scenario (i.e. how the state was established, and why it was expected to be killed)?
It is killing the LAN side but not the WAN side.
It was an ssh session on a rule with a schedule.
When the schedule expires, the LAN session is killed but not the WAN. This is an additional scenario to those listed here:
killing states for the previous IP when the WAN IP changes
killing states for locked out clients (sshguard or captive portal)
killing states to the gateway when resetting dpinger / gateway monitoring
killing filtered and specific states in Diagnostics > States
I don't think there needs to be anything more done to the pf. I think it might just be that -k nat needs to be added to the php in that case. But that's just a guess on my part.
- Assignee changed from Kristof Provost to Marcos M
- Status changed from In Progress to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by