Advanced port+ip filter question

szinski
Junior Member
Posts: 3
Joined: 04 Feb 2015, 18:05

Advanced port+ip filter question

Post by szinski »

My server has 4 IP addresses, one of which has come under the "Great Firewall of China" DDoS attack.

For the affected IP address (let's say it's 1.2.3.4), I want to block all port 80 traffic, so I created the following entry in csf.deny:

tcp|in|d=80|d=1.2.3.4

This works but not how I want. For example, I am able to successfully connect to port 80 (telnet 1.2.3.4 80). Then, only after I issue "GET /", do I see an immediate "Connection closed by foreign host."

What I want is to see "Connection refused" when I try to connect.

Am I doing something wrong?

Re: Advanced port+ip filter question

Post by szinski »

Never mind, I'm an idiot. The rule works perfectly... the workstation that I was testing from was whitelisted in csf.allow. Doh! :D
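The thread's lesson is that csf consults csf.allow before csf.deny, so a whitelisted test host never reaches a deny entry and a "does the rule work?" check from that host proves nothing. The following shell script is an added example, not csf's code or anything from the original posts: it models that precedence over constructed csf.allow/csf.deny contents that contain the thread's `tcp|in|d=80|d=1.2.3.4` entry, so you can see which list a given source/destination/port would hit before testing against a live firewall. The tester's address 203.0.113.10 and the other addresses in the sample lists are placeholders; CIDR handling is limited to /24 and source-port filters are deliberately not modelled.

```shell
#!/bin/sh
# Constructed csf.allow / csf.deny contents (sample data, not from the post).
# 203.0.113.10 stands in for the whitelisted admin workstation.
CSF_ALLOW='# csf.allow (constructed sample)
203.0.113.10 # admin workstation
tcp|in|d=22|s=198.51.100.7'

CSF_DENY='# csf.deny (constructed sample)
tcp|in|d=80|d=1.2.3.4
192.0.2.0/24'

# match_entry ENTRY SRC_IP DST_IP DST_PORT
# Returns 0 when a csf-style entry matches the connection. Handles plain IPs,
# /24 networks and the advanced "proto|dir|d=port|d=ip|s=ip" form.
match_entry() {
    entry=$(printf '%s' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
    src=$2; dst=$3; port=$4
    [ -z "$entry" ] && return 1          # blank or comment-only line
    case $entry in
        *'|'*)
            proto=${entry%%|*}; rest=${entry#*|}
            dir=${rest%%|*};    rest=${rest#*|}
            [ "$proto" = tcp ] || return 1  # only TCP is modelled here
            [ "$dir" = in ]    || return 1  # only inbound is modelled here
            ok=0
            saved_ifs=$IFS; IFS='|'
            for f in $rest; do
                case $f in
                    d=*) v=${f#d=}
                         case $v in
                             *.*) [ "$v" = "$dst" ]  || ok=1 ;;  # d=ip
                             *)   [ "$v" = "$port" ] || ok=1 ;;  # d=port
                         esac ;;
                    s=*) v=${f#s=}
                         case $v in
                             *.*) [ "$v" = "$src" ] || ok=1 ;;   # s=ip
                             *)   ok=1 ;;   # s=port: source ports not modelled
                         esac ;;
                esac
            done
            IFS=$saved_ifs
            return $ok ;;
        */24)
            net=${entry%/24}; prefix=${net%.*}
            [ "${src%.*}" = "$prefix" ] ;;
        *)
            [ "$entry" = "$src" ] ;;
    esac
}

# scan_list LIST SRC_IP DST_IP DST_PORT -> 0 if any entry in LIST matches.
scan_list() {
    list=$1; s=$2; d=$3; p=$4
    while IFS= read -r line; do
        if match_entry "$line" "$s" "$d" "$p"; then return 0; fi
    done <<EOF
$list
EOF
    return 1
}

# decide SRC_IP DST_IP DST_PORT -> ALLOW, DENY or NO_MATCH.
# csf.allow is checked first, which is exactly why a whitelisted test host
# never observes the csf.deny rule. NO_MATCH means neither list applies and
# the connection falls through to csf's normal port policy (not modelled).
decide() {
    if scan_list "$CSF_ALLOW" "$1" "$2" "$3"; then
        echo ALLOW
    elif scan_list "$CSF_DENY" "$1" "$2" "$3"; then
        echo DENY
    else
        echo NO_MATCH
    fi
}

# Demonstration: the whitelisted workstation versus an arbitrary client.
echo "admin workstation -> 1.2.3.4:80 : $(decide 203.0.113.10 1.2.3.4 80)"
echo "other client      -> 1.2.3.4:80 : $(decide 198.51.100.200 1.2.3.4 80)"
echo "other client      -> 1.2.3.5:80 : $(decide 198.51.100.200 1.2.3.5 80)"
```

Run it as-is to see the three cases; to re-check a real setup, grep the test host's address out of csf.allow before trusting a connection test, and test deny rules from a host that is not whitelisted.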