NetBSD-Users archive


Re: stateful npf



Don't `block in all` here:

On 18-Apr-2018 13:06:37, Patrick Welche wrote:
```
group "ext" on wm0 {
 block in all
 pass stateful in proto tcp flags S/SA from any to 10.168.5.4 port 80
}
```

Instead do that here:

```
group default {
 pass all
}
```

I.e.:

```
group "ext" on wm0 {
 pass stateful in proto tcp flags S/SA from any to 10.168.5.4 port 80
}

group default {
 block in all
}
```

I'm new to npf (so take advice with a pinch of salt), but I ran into a similar issue when converting to it. The rules should flow through, so `default` only gets hit if no other rules before it match, so blocking there is fine.
