Dear List,

I am beginning to play with IPv6 and am also considering switching from ipfilter to npf.
After reading the documentation at netbsd.org and the manpage, I don't understand why this doesn't work:

---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)

procedure "log" {
	log: npflog0
}

group (name "external", interface $EXTIF) {
	pass stateful in final family inet proto tcp to $EXTIF port ssh
	pass stateful out final all
	block all apply "log"
}

group (default) {
	pass final on lo0 all
	block all
}
---------------------------- 8< ----------------------------

(ssh SYN packets get blocked and appear on npflog0)

... while this ruleset works (same ruleset without 'port ssh'):

---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)

procedure "log" {
	log: npflog0
}

group (name "external", interface $EXTIF) {
	pass stateful in final family inet proto tcp to $EXTIF
	pass stateful out final all
	block all apply "log"
}

group (default) {
	pass final on lo0 all
	block all
}
---------------------------- 8< ----------------------------

Am I doing something wrong or is there a bug?

Thanks
Chris

--
----------------------------------------------------------------------
Christoph Kaegi                                            k...@msw.ch
----------------------------------------------------------------------