Subject: Re: ipfilter
To: None <ipfilter@postbox.anu.edu.au, netbsd-help@NetBSD.ORG>
From: Patrick Welche <prlw1@cam.ac.uk>
List: netbsd-help
Date: 11/11/1997 11:42:30
Adding to my previous post, with

pass in all
pass out all

I can ping out. With the addition of

log in all

no replies are received, and with instead

log out all

I get "no route to host", so the addition of a log rule seems to block
packets instead of just logging them.

This is using version 3.2, as supped 30 Oct, NetBSD 1.3_ALPHA/i386.



> My highly selective and specialised rules :) are:
> 
> % ipfstat -io
> pass out on lo0 from any to any
> pass out on ne0 from any to any
> pass out on ne1 from any to any
> log out on ne0 from any to any
> pass in on lo0 from any to any
> pass in on ne0 from any to any
> pass in on ne1 from any to any
> log in on ne0 from any to any
> 
> and I included the following options in my kernel:
> 
> options	IPFILTER
> options	IPFILTER_LOG
> options	IPFILTER_DEFAULT_BLOCK
> 
> Network interfaces and routes come up correctly. If I disable ipf with
> -D I can ping/ftp etc from that machine out, but not when it is
> enabled. Then I get "no route to host". DEFAULT_BLOCK stops any
> packets that don't match the rules, but I don't see what they might
> be.
> 
> Can anyone shed some light on this?
> 
> Cheers,
> 
>  Patrick
>
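As an added example (not part of the original post, and not the poster's own ruleset), the following ipf rules file shows the combined "pass ... log" form next to the log-only form described above. The interface names lo0, ne0 and ne1 are taken from the quoted ipfstat output; everything else is an assumption for illustration.

```conf
# Added example, not from the original post. Interface names lo0/ne0/ne1
# follow the poster's ipfstat output; the ruleset itself is assumed.
#
# ipf reads rules top to bottom and the LAST matching rule decides the
# verdict (unless a rule says "quick"). A rule whose only action is "log"
# therefore becomes the deciding rule for everything it matches once it is
# placed after the pass rules, which is the layout shown in the post.
#
# Form seen in the post (log-only rules after the pass rules):
#pass in all
#pass out all
#log in all
#log out all
#
# Combined form: "pass ... log" passes and logs in a single rule, so no
# separate log-only rule is left to be the last match.
pass in on lo0 all
pass out on lo0 all
pass in log on ne0 all
pass out log on ne0 all
pass in on ne1 all
pass out on ne1 all
```

Load it with `ipf -Fa -f <file>` (flush all rules, then read the file) and watch the logged packets with `ipmon`, which reads the ipl device. Check the loaded rules afterwards with `ipfstat -io`, as in the quoted post.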