Subject: help, ipf not blocking inbound from subnet
To: None <netbsd-users@netbsd.org>
From: Ben Collver <collver@peak.org>
List: netbsd-users
Date: 11/20/2005 06:48:18
Hello,

I am running a NetBSD 2.x router and am having trouble with ipf.
I have two networks on separate physical segments.  I tried to use an
ipf rule to block 10.0.10.0/24 from reaching 10.0.11.0/24, except for
TCP port 22.  The details follow, but it did not work.  What am I doing
wrong?

router# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1

router# ifconfig rtk1
rtk1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:05:5d:53:d9:d4
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.11.1 netmask 0xffffff00 broadcast 10.0.11.255

router# ifconfig vr0
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:50:ba:ab:2f:7b
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255

router# ipfstat -i | head -3
block in quick on rtk0 from 10.0.0.0/8 to any
block in quick on rtk0 from 127.0.0.0/8 to any
block in quick on vr0 from any to 10.0.11.0/24 port != 22


host# ifconfig tlp0
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:04:5a:52:84:65
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.0.10.3 netmask 0xffffff00 broadcast 10.0.10.255
        inet6 fe80::204:5aff:fe52:8465%tlp0 prefixlen 64 scopeid 0x1

host# netstat -nr | head -9
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            10.0.10.1          UGS         1      181      -  tlp0
10.0.10/24         link#1             UC          1        0      -  tlp0
10.0.10.1          00:50:ba:ab:2f:7b  UHLc        1       10      -  tlp0
127/8              127.0.0.1          UGRS        0        0  33196  lo0
127.0.0.1          127.0.0.1          UH          1        0  33196  lo0

host# ping -n -c 5 10.0.11.12
PING 10.0.11.12 (10.0.11.12): 56 data bytes
64 bytes from 10.0.11.12: icmp_seq=0 ttl=254 time=0.654 ms
64 bytes from 10.0.11.12: icmp_seq=1 ttl=254 time=0.529 ms
64 bytes from 10.0.11.12: icmp_seq=2 ttl=254 time=0.531 ms
64 bytes from 10.0.11.12: icmp_seq=3 ttl=254 time=0.611 ms
64 bytes from 10.0.11.12: icmp_seq=4 ttl=254 time=0.542 ms

----10.0.11.12 PING Statistics----
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.529/0.573/0.654/0.056 ms
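The behaviour asked about above, as an added example that is not part of the original post: a small Python model of ipf rule matching, with simplified semantics assumed (in-order scan, last match wins, `quick` stops at the first match, and a `port` clause can only match TCP or UDP). It shows that the posted rule never matches ICMP, which is why the ping succeeds, and contrasts a hypothetical rule set that passes TCP/22 first and then blocks every other protocol.

```python
# Added example (not from the original post): a simplified model of ipf rule
# evaluation showing why the post's rule
#   block in quick on vr0 from any to 10.0.11.0/24 port != 22
# lets ICMP through: an ipf "port" clause only matches TCP and UDP, so
# packets of other protocols never match it.  Modelled semantics: rules are
# scanned in order, last match wins, and "quick" stops at the first match.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                    # "block" or "pass"
    iface: str                     # interface the rule is bound to
    proto: Optional[str]           # None = any protocol
    src: str                       # source CIDR ("any" = 0.0.0.0/0)
    dst: str                       # destination CIDR
    port_op: Optional[str] = None  # "=" or "!=" against the destination port
    port: Optional[int] = None
    quick: bool = False

    def matches(self, iface, proto, src, dst, dport):
        if iface != self.iface or (self.proto and proto != self.proto):
            return False
        if ip_address(src) not in ip_network(self.src) or ip_address(dst) not in ip_network(self.dst):
            return False
        if self.port_op:
            # Only TCP and UDP carry ports; ICMP and others never match here.
            if proto not in ("tcp", "udp"):
                return False
            if (self.port_op == "=") != (dport == self.port):
                return False
        return True

def evaluate(rules, iface, proto, src, dst, dport=None, default="pass"):
    """Return the action ipf would apply to one inbound packet."""
    result = default
    for r in rules:
        if r.matches(iface, proto, src, dst, dport):
            result = r.action
            if r.quick:
                break
    return result

# The post's rule on vr0, as ipfstat listed it ("any" written as 0.0.0.0/0).
ORIGINAL = [Rule("block", "vr0", None, "0.0.0.0/0", "10.0.11.0/24", "!=", 22, quick=True)]

# Hypothetical corrected set: pass ssh first, then block all other protocols.
CORRECTED = [
    Rule("pass", "vr0", "tcp", "10.0.10.0/24", "10.0.11.0/24", "=", 22, quick=True),
    Rule("block", "vr0", None, "10.0.10.0/24", "10.0.11.0/24", quick=True),
]
```

Running `evaluate(ORIGINAL, "vr0", "icmp", "10.0.10.3", "10.0.11.12")` returns `"pass"`, matching the successful ping in the post, while the same packet against `CORRECTED` returns `"block"`.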