Subject: ipfilter on NetBSD/pmax
To: NetBSD/pmax Discussion List <port-pmax@NetBSD.ORG>
From: Paul Mather <paul@gromit.dlib.vt.edu>
List: port-pmax
Date: 05/14/1998 15:29:53

I've been trying, without success, to get ipfilter working under either
NetBSD-current (SUPped yesterday) or NetBSD 1.3.1 on pmax (both on a
DECstation 5000/240 and a DECstation 3100).  In both cases, I've rebuilt
the kernel using "option IPFILTER_LOG" and "pseudo-device ipfilter" in
the config file.  However, I always get an "ioctl(SIOCADDFR): Invalid
argument" on boot up (when ipf is being initialised), and whenever I try
to add new rules using ipf.  The machine behaves as though ipf is not
installed; networking still works properly (due maybe to the default
"pass" behaviour), but without the desired filtering action. 

I would like to get this working, and figure maybe I am just doing
something simple that's wrong.  Has anyone got ipfilter to work under
NetBSD/pmax? 

This is the scenario: my DECstation 3100 at home dials in and connects
to a PPP server in our lab.  I have my PPP set up to demand-dial out,
and to disconnect after 5 minutes of idle time.  Alas, recently, a
Windows NT box has started to send out incessant net chatter (SNMP
status requests), at one minute (and sometimes less) intervals, which
prevents my PPP link ever idling out.

Because I have no need ever to receive traffic from this NT machine, and
because it is the *only* source of unwelcome packets, I thought I would
simply block out that machine using ipfilter on my PPP server.  I figure
a rule along the lines:

	block out quick from 198.82.180.XXX/32 to 198.82.180.YYY/32

on the PPP server would do the trick (where XXX is the NT machine, and
YYY is my 3100).

Alas, I cannot get ipfilter working to do this blocking. :-(

Can anyone help?

Incidentally, could I do the blocking on my DS3100 (e.g. "block in
...")?  Or has the blocked packet already reset the idle timeout before
passing through the filter?

Cheers,

Paul.

e-mail: paul@gromit.dlib.vt.edu

"I didn't mean to take up all your sweet time"
	--- James Marshall Hendrix