Christoph Kaegi
2014-06-23 11:42:37 UTC
Dear List
I am beginning to play with IPv6 and am also considering
switching from ipfilter to npf.
After reading the documentation at netbsd.org and the
manpage, I don't understand, why this doesnt work:
---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)
procedure "log" {
log: npflog0
}
group (name "external", interface $EXTIF) {
pass stateful in final family inet proto tcp to $EXTIF port ssh
pass stateful out final all
block all apply "log"
}
group (default) {
pass final on lo0 all
block all
}
---------------------------- 8< ----------------------------
(ssh SYN packets get blocked and appear on npflog0)
... while this ruleset works: (same ruleset without 'port ssh')
---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)
procedure "log" {
log: npflog0
}
group (name "external", interface $EXTIF) {
pass stateful in final family inet proto tcp to $EXTIF
pass stateful out final all
block all apply "log"
}
group (default) {
pass final on lo0 all
block all
}
---------------------------- 8< ----------------------------
Am I doing something wrong or is there a bug?
Thanks
Chris
I am beginning to play with IPv6 and am also considering
switching from ipfilter to npf.
After reading the documentation at netbsd.org and the
manpage, I don't understand, why this doesnt work:
---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)
procedure "log" {
log: npflog0
}
group (name "external", interface $EXTIF) {
pass stateful in final family inet proto tcp to $EXTIF port ssh
pass stateful out final all
block all apply "log"
}
group (default) {
pass final on lo0 all
block all
}
---------------------------- 8< ----------------------------
(ssh SYN packets get blocked and appear on npflog0)
... while this ruleset works: (same ruleset without 'port ssh')
---------------------------- 8< ----------------------------
$EXTIF = ifnet(vr0)
procedure "log" {
log: npflog0
}
group (name "external", interface $EXTIF) {
pass stateful in final family inet proto tcp to $EXTIF
pass stateful out final all
block all apply "log"
}
group (default) {
pass final on lo0 all
block all
}
---------------------------- 8< ----------------------------
Am I doing something wrong or is there a bug?
Thanks
Chris
--
----------------------------------------------------------------------
Christoph Kaegi ***@msw.ch
---------------------------------------------------------------------
----------------------------------------------------------------------
Christoph Kaegi ***@msw.ch
---------------------------------------------------------------------