Subject: Question about IPFilter and local connections being refused.
To: None <netbsd-help@netbsd.org>
From: Sean J. Schluntz <schluntz@workofstone.com>
List: netbsd-help
Date: 04/09/2002 11:07:21
I have the following rules (at end of message) set up on a NetBSD/sparc 1.5.2
system (with the kernel set to default drop).  It can connect out to other
systems without a problem (even systems it has to go through the gateway
for) and other systems can connect in to the box on the ports that are
open.

The problem is that I can't connect to any of the ports locally.  If I
try:

telnet localhost 110
  or
telnet 10.0.0.110 110

I get the following error:

telnet: Unable to connect to remote host: No route to host

Which confuses me; the routes are there (the local IP address is 10.0.0.110):

  $ netstat -rn
  Routing tables
 
  Internet:
  Destination        Gateway            Flags     Refs     Use    Mtu  Interface
  default            10.0.0.100         UGS         0        1   1500  le0
  10/24              link#1             UC          3        0   1500  le0
  10.0.0.1           00:a0:cc:3b:90:af  UHLc        1       80   1500  le0
  10.0.0.100         00:00:c0:5e:b3:0b  UHLc        1        0   1500  le0
  10.0.0.110         08:00:20:77:06:12  UHLc        0        1   1500  lo0
  127                127.0.0.1          UGRS        0        0  33228  lo0
  127.0.0.1          127.0.0.1          UH          2        1  33228  lo0

I've tried going so far as to add:
  pass in quick on lo0 proto tcp from any to any
  pass in quick on le0 proto tcp from 10.0.0.110/32 to 10.0.0.110/32

to the /etc/ipf.conf file but it doesn't help.  The system works just fine
when the firewall is not loaded.

Does anyone have any ideas as to what I'm doing wrong?  I've looked through
the lists, and see mention of this kind of error, but I don't see any
responses.

Thanks for your help!
-Sean

/etc/ipf.conf

  # Block all traffic that is not explicitly allowed below
  block in on le0 all
   
  # Allow the system to act as an Internet client
  pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
  pass out quick on le0 proto udp from 10.0.0.110/32 to any keep state
  pass out quick on le0 proto icmp from 10.0.0.110/32 to any keep state
   
  # Allow inbound ssh connections
  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 22 keep state
   
  # Allow inbound smtp connections
  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 25 keep state
   
  # Allow inbound DNS connections
  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 53 keep state
  pass in quick on le0 proto udp from any to 10.0.0.110/32 port = 53 keep state
   
  # Allow inbound pop3(s) connections
  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 995 keep state
 
  # Allow inbound imap(s) connections
  pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 143 keep state
  #pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 993 keep state
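The symptom asked about above can be reproduced offline with a toy evaluator of IPFilter's rule-matching semantics (rules are scanned in order, the last match wins unless a matching rule says quick, and with no match at all the kernel's compiled-in default decides). This is example code added here, not part of the original post and not IPFilter's own code. It assumes what the post states, a kernel built to block by default, plus one further assumption: that an outbound packet blocked by IPFilter is reported to the sending socket as EHOSTUNREACH, the errno behind telnet's "No route to host". The ruleset is the posted /etc/ipf.conf; the packets are constructed from the netstat output, which shows 10.0.0.110 routed via lo0, so a local connect never touches le0 at all. The two lo0 rules prepended in the second run (pass in and pass out, on lo0, for all traffic) are a hypothetical fix the post did not try; the post's own attempts only added an inbound lo0 rule. Only the subset of ipf syntax used in the post is parsed, and keep state is ignored because the toy has no state table.

```python
"""Toy IPFilter rule evaluator (example code added to this page, not IPFilter's own)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop scanning as soon as this rule matches
    iface: Optional[str]   # None: any interface
    proto: Optional[str]   # None: any protocol ("all")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None: any destination port


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the post; 'keep state' is ignored."""
    t = line.split()
    action, direction, i = t[0], t[1], 2
    quick = False
    if t[i] == "quick":
        quick, i = True, i + 1
    iface = None
    if t[i] == "on":
        iface, i = t[i + 1], i + 2
    proto, src, dst, dport = None, ANY, ANY, None
    if t[i] == "all":
        i += 1
    else:
        if t[i] == "proto":
            proto, i = t[i + 1], i + 2
        if t[i] == "from":
            src, i = _net(t[i + 1]), i + 2
        if t[i] == "to":
            dst, i = _net(t[i + 1]), i + 2
        if i < len(t) and t[i] == "port":
            if t[i + 1] != "=":
                raise ValueError("only 'port = N' is supported by this toy parser")
            dport, i = int(t[i + 2]), i + 3
    return Rule(action, direction, quick, iface, proto, src, dst, dport)


def load_rules(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.dport is None or r.dport == p.dport))


def verdict(rules: list, pkt: Packet, default_block: bool = True) -> str:
    """Last matching rule wins; a matching 'quick' rule ends the scan; no match -> kernel default."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    if winner is None:
        return "block" if default_block else "pass"
    return winner.action


# The ruleset from the post (commented-out 995/993 lines omitted).
POSTED_RULES = """
block in on le0 all
pass out quick on le0 proto tcp from 10.0.0.110/32 to any keep state
pass out quick on le0 proto udp from 10.0.0.110/32 to any keep state
pass out quick on le0 proto icmp from 10.0.0.110/32 to any keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 22 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 25 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 53 keep state
pass in quick on le0 proto udp from any to 10.0.0.110/32 port = 53 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 110 keep state
pass in quick on le0 proto tcp from any to 10.0.0.110/32 port = 143 keep state
"""

# Hypothetical fix (assumption, not from the post): both directions on lo0.
LOOPBACK_FIX = "pass in quick on lo0 all\npass out quick on lo0 all\n"

# Constructed packets.  Per the posted netstat output 10.0.0.110 is reached via lo0,
# so a local SYN to it goes out on lo0 and is looped back in on lo0; le0 is never involved.
LOCAL_SYN_OUT = Packet("out", "lo0", "tcp", "10.0.0.110", "10.0.0.110", 110)
LOCAL_SYN_IN = Packet("in", "lo0", "tcp", "10.0.0.110", "10.0.0.110", 110)
REMOTE_SYN_IN = Packet("in", "le0", "tcp", "10.0.0.1", "10.0.0.110", 110)


def local_pop3_verdicts() -> dict:
    posted = load_rules(POSTED_RULES)
    fixed = load_rules(LOOPBACK_FIX + POSTED_RULES)
    return {
        "remote_in_posted": verdict(posted, REMOTE_SYN_IN),   # pass: port 110 rule, quick
        "local_out_posted": verdict(posted, LOCAL_SYN_OUT),   # block: nothing matches lo0
        "local_in_posted": verdict(posted, LOCAL_SYN_IN),     # block: nothing matches lo0
        "local_out_fixed": verdict(fixed, LOCAL_SYN_OUT),     # pass
        "local_in_fixed": verdict(fixed, LOCAL_SYN_IN),       # pass
    }


if __name__ == "__main__":
    for name, v in local_pop3_verdicts().items():
        print(f"{name}: {v}")
```

The outbound SYN on lo0 matches none of the posted rules (every rule names le0), so under a default-block kernel it is dropped before it ever reaches the loopback; that is the point at which the sending socket sees the error, which is why no inbound lo0 rule on its own changes the result. Running the same outbound packet with default_block=False returns pass, matching the post's observation that everything works with the filter unloaded.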