Subject: Re: ipf problem
To: None <netbsd-users@netbsd.org>
From: Julian Coleman <jdc@coris.org.uk>
List: netbsd-users
Date: 09/14/2004 15:38:50
> As I understand it the following rules allow my intranet access to the
> world:
> pass out        quick   on ippp0 proto tcp/udp  from 192.168.1.0/8 to any keep state
> pass out        quick   on ippp0 proto icmp     from 192.168.1.0/8 to any keep state
> 
> and I would expect these rules to allow my router access but unfortunately
> they don't.
> pass out        quick   on ippp0 proto tcp/udp  from 127.0.0.1/32 to any keep state
> pass out        quick   on ippp0 proto icmp     from 127.0.0.1/32 to any keep state
> 
> Is there a possibility to trace the rule processing for packages by the
> firewall? ipfstat -t shows passing packages but gives no hint about blocked
> packages.

I'm not sure that adding the localhost rules is useful here - it's not going
to help for connections to other machines.  Does your router have a `real'
IP address that you need to add?  To look at blocked (or even passed) packets,
you can add a rule:

  block out log on ippp0 from any to any

You could also use something like:

  block out log level local6.info on ippp0 from any to any

and add:

  # IPF logs
  local6.*						/var/log/ipflog

to your /etc/syslog.conf (and restart syslogd).  You'll need to be running
ipmon in order to send the log messages through syslog.

J

-- 
  My other computer also runs NetBSD    /        Sailing at Newbiggin
        http://www.netbsd.org/        /   http://www.newbigginsailingclub.org/
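As an added example, not part of the thread, here is a small Python parser for the ipmon output that the logging rule above produces (either ipmon's own lines or the same lines after they have gone through syslog to /var/log/ipflog). It tallies blocked outbound packets on ippp0 per source address, which is the quickest way to see whether the router's own traffic leaves from 127.0.0.1 or from its real address. The ipmon line layout is assumed from the tool's usual format; the sample lines, addresses and hostname are constructed.

```python
import re
from collections import Counter

# Assumed ipmon(8) line layout (the tool's usual output, not taken from the mail):
#   DD/MM/YYYY HH:MM:SS.ffffff iface @group:rule action src[,sport] -> dst[,dport]
#   PR proto len hdrlen totlen [tcp flags | icmp type/code] IN|OUT
# When ipmon sends through syslog, a "Mon DD HH:MM:SS host ipmon[pid]: " prefix
# precedes the date, so the pattern is searched for rather than anchored at start.
IPMON_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[A-Za-z]+) "
    r"(?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> (?P<dst>[^,\s]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<len>\d+)(?P<extra>.*?) (?P<dir>IN|OUT)$"
)

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon line, or None if the line is not one."""
    m = IPMON_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["blocked"] = rec["action"] == "b"   # ipmon: 'b' = blocked, 'p' = passed
    return rec

def blocked_out_by_source(lines, iface="ippp0"):
    """Count blocked outbound packets on iface, keyed by (source address, protocol)."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"] and rec["dir"] == "OUT" and rec["iface"] == iface:
            counts[(rec["src"], rec["proto"])] += 1
    return counts

# Constructed sample: one raw ipmon line, one syslog-prefixed line, one passed
# packet, one blocked ICMP echo (no ports), and one line that is not ipmon output.
SAMPLE_LINES = [
    "14/09/2004 15:40:01.123456 ippp0 @0:3 b 127.0.0.1,49152 -> 192.0.2.53,53 PR udp len 20 62 OUT",
    "Sep 14 15:40:02 gw ipmon[123]: 14/09/2004 15:40:02.654321 ippp0 @0:3 b 203.0.113.7,49153 -> 192.0.2.53,53 PR udp len 20 62 OUT",
    "14/09/2004 15:40:03.000001 ippp0 @0:1 p 192.168.1.10,1025 -> 192.0.2.80,80 PR tcp len 20 60 -S OUT",
    "14/09/2004 15:40:04.000002 ippp0 @0:3 b 203.0.113.7 -> 192.0.2.1 PR icmp len 20 84 icmp 8/0 OUT",
    "this line is not an ipmon record and is ignored",
]

if __name__ == "__main__":
    for (src, proto), n in sorted(blocked_out_by_source(SAMPLE_LINES).items()):
        print(f"{src:15} {proto:5} blocked out: {n}")
```

Run it against a real file with `blocked_out_by_source(open("/var/log/ipflog"))`; a source address that is not 192.168.1.0/24 and not 127.0.0.1 is the router address the quoted rules are missing.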