Subject: Re: New NetBSD user - using ipfilter
To: Gwilym Evans <meatgroup@dingoblue.net.au>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-net
Date: 01/20/2001 15:03:02
On Sat, Jan 20, 2001 at 08:22:12PM +1100, Gwilym Evans wrote:
> 
> Sorry but I just don't see how that would work. It would still pass packets
> due to the default pass rule, wouldn't it? If I were change it to a default
> block rule would this not prevent me from starting sessions in the first
> place?
> 
> If I'm again, off track, what other rules along with this one would I have
> to use? (I'm on a clean slate here with the exception of the map rules for
> ipnat)

I think you just need:

pass out on ppp0 all keep state
block in on ppp0 all

Because outgoing connections have been recorded by the first rule, they're not
blocked by the second.

Now, with this you'll only have TCP connections working. You may want to let
UDP and ICMP pass in, so that ping and DNS work. So maybe something like this
is better:

pass out on ppp0 all keep state
pass in quick on ppp0 proto icmp from any to any
pass in quick on ppp0 proto udp from any port = domain to any port > 1024
block in quick on ppp0 all

The second rule allows icmp messages to come in.
The third allows UDP packets coming from port 'domain' (= 53) to any
non-privileged port (this is for DNS).

For more details you may want to look at /usr/share/examples/ipf, and various
documents and FAQs on www.netbsd.org.

--
Manuel Bouyer <bouyer@antioche.eu.org>
--
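As an added illustration (not part of this thread and not ipfilter's own code), the following Python toy model of ipf's evaluation order reproduces the behaviour the reply describes: the state table is consulted before any rule, otherwise rules are walked in order and the last match wins unless a matching rule is marked quick, and a packet matching no rule is passed. Interface names are ignored (a single ppp0 is assumed), and the addresses and ports in demo() are constructed sample values.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")
# quick: stop at this rule; sport/dport: ("=", 53) or (">", 1024); None = any
Rule = namedtuple("Rule", "action direction quick proto sport dport keep_state",
                  defaults=(False, None, None, None, False))

def port_ok(cond, port):          # cond is None (any), ("=", n) or (">", n)
    return cond is None or (port == cond[1] if cond[0] == "=" else port > cond[1])

def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.proto in (None, pkt.proto)
            and port_ok(rule.sport, pkt.sport) and port_ok(rule.dport, pkt.dport))

class Filter:
    def __init__(self, rules):
        self.rules, self.state = rules, set()   # recorded flows, both directions

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:          # state table is consulted before any rule
            return "pass"
        winner = None
        for r in self.rules:           # last match wins, unless a match is "quick"
            if matches(r, pkt):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass"              # ipf passes when no rule matches at all
        if winner.action == "pass" and winner.keep_state:
            self.state.add(key)
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return winner.action

RULES = [  # second ruleset from the message; a single interface (ppp0) is assumed
    Rule("pass", "out", keep_state=True),
    Rule("pass", "in", quick=True, proto="icmp"),
    Rule("pass", "in", quick=True, proto="udp", sport=("=", 53), dport=(">", 1024)),
    Rule("block", "in", quick=True),
]

def demo():
    fw = Filter(RULES)   # addresses are constructed sample values
    out_syn = Packet("out", "tcp", "10.0.0.2", 40000, "192.0.2.10", 80)
    reply = Packet("in", "tcp", "192.0.2.10", 80, "10.0.0.2", 40000)
    unsolicited = Packet("in", "tcp", "192.0.2.10", 4444, "10.0.0.2", 22)
    dns_reply = Packet("in", "udp", "192.0.2.53", 53, "10.0.0.2", 5353)
    return [fw.filter(p) for p in (out_syn, reply, unsolicited, dns_reply)]
```

The outgoing SYN is passed and recorded, its reply is admitted from the state table without touching the rules, the unsolicited inbound SYN falls through to the final quick block, and the UDP reply from port 53 to a high port passes on the DNS rule alone.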