Subject: Re: ipf questions
To: None <rmk@rmkhome.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-users
Date: 03/05/2000 15:59:05
On Sat, Mar 04, 2000 at 03:31:02PM -0700, Rick Kelly wrote:
> 
> I would like to use ipfilter on a per-system basis. That is, I would like
> to use ipfilter on single interface systems to block out packets from that
> particular system. Is this possible, or does ipfilter only work for dual
> interface firewall/router systems?

No problem doing this; ipfilter can also be used to secure a single-homed
system!

> 
> Also, it looks like ipfilter doesn't actually pick up the rules file at
> boot up, but rather turns on ipfilter while also flushing the rules out
> of the kernel. Is this correct?

The rules are loaded from the /etc/netstart file, and controlled by the
'ipfilter' variable in /etc/rc.conf. It's done this way:
ipf -E -Fa -f /etc/ipf.conf
This will enable ipfilter and flush the existing rules before loading the
new ones. Reading the sources shows that the filter is enabled before
loading the rules, but as it's done before bringing the interfaces up, it's
not a big deal.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
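As an added example (not part of Manuel's message and not a file shipped by NetBSD), here is what a minimal /etc/ipf.conf for the single-homed case Rick asks about can look like. The interface name ne0 and the single open port (22, ssh) are assumptions for illustration; replace them with your own. Rules are evaluated top to bottom, "quick" stops at the first match, and "keep state" lets replies to connections the host opened back in without a matching inbound rule.

```conf
# /etc/ipf.conf -- added example for a single-homed host (not from the
# original mail). Assumes the only network interface is ne0 (hypothetical).

# Loopback traffic is trusted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Packets claiming a loopback source never legitimately arrive on the wire.
block in log quick on ne0 from 127.0.0.0/8 to any

# Let the host originate connections; state entries admit the replies.
pass out quick on ne0 proto tcp  from any to any flags S keep state
pass out quick on ne0 proto udp  from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state

# The only service reachable from outside is ssh (assumed); the initial
# SYN creates a state entry that carries the rest of the session.
pass in quick on ne0 proto tcp from any to any port = 22 flags S keep state

# Default deny for everything else arriving on the interface, logged.
block in log quick on ne0 all
```

With ipfilter=YES in /etc/rc.conf, the netstart line quoted above (ipf -E -Fa -f /etc/ipf.conf) enables the filter, flushes any existing rules and loads this file at boot. Because a syntax error in the file leaves the host with whatever rules survived the flush, check it before rebooting with ipf -n -f /etc/ipf.conf (the -n flag parses the file without making any ioctl calls), and after loading confirm what the kernel actually holds with ipfstat -io.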