Re: NPF ruleset not blocking IPs

To: netbsd-users%NetBSD.org@localhost
Subject: Re: NPF ruleset not blocking IPs
From: Emile `iMil' Heitor <imil%home.imil.net@localhost>
Date: Sun, 5 Jun 2022 11:30:04 +0200 (CEST)

On Fri, 3 Jun 2022, Emile `iMil' Heitor wrote:

As the rules in the ruleset are declared as "final", I presume the default
`pass all` is not reached, am I right?


So, no, I was wrong. Changing the order made the rules apply. I simply removed
the "external" group and inserted the ruleset before the pass all:

group default {
        pass final on lo0 all
        pass stateful out final all

        ruleset "blacklistd"
        block in final from <blacklist>

        pass all

        block in family inet6 all
        pass proto ipv6-icmp all
        pass stateful in family inet6 proto tcp to any port $tcp_allowed
        pass stateful in family inet6 proto udp to any port $udp_allowed
}


------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net

References:
- NPF ruleset not blocking IPs
  - From: Emile `iMil' Heitor

Prev by Date: Re: Option -p in apropos(1)
Next by Date: Keybord seems to be attached to ttyE0 after wdm starts
Previous by Thread: NPF ruleset not blocking IPs
Next by Thread: Keybord seems to be attached to ttyE0 after wdm starts
Indexes:

Home | Main Index | Thread Index | Old Index