NetBSD-Users archive


Re: NPF does not recognize npflog0



On Fri, Nov 2, 2012 at 6:33 AM, Pongthep Kulkrisada 
<ptkrisada%gmail.com@localhost> wrote:
> * Darrel (levitch%iglou.com@localhost) wrote:
>> It is beyond my scope, Pongthep.  :(
>>
>> Years ago when I used Packet Filter on NetBSD it required lkm, but I
>> really do not recall much about it.
>>
>> With so many problems on that particular machine, I would consider
>> installing anew at this point.
> I now have NPF up and running on 6.0_STABLE (i386).
> In my test, it has not recognized npflog0 and icmp6-type.
> (/etc/rc.d/npflog* script is not there anyway.)
> Commenting out these lines, it now WORKS.
> I think it still has a few bugs.
>
> pass stateful out final family inet proto tcp flags S/SA from $ext_if apply "norm"
> pass out final family inet proto tcp from $ext_if apply "norm"
> pass stateful out final family inet from $ext_if apply "norm"
>
> These lines are placed at the bottom of the interface group. (last rule wins)

Maybe you want to read this
http://www.feyrer.de/NetBSD/bx/blosxom.cgi/nb_20121017_2254.html
The word final means final, so any other rules for such traffic are
not consulted.

> But it doesn't work as expected.
> I did not ``block'' anything except for default group.
> It still blocks all initiated outbound traffic.
> The previous ``pass in'' in the same interface group works pretty fine.
> At least httpd and sshd can be accessed from the other machines.
> Maybe I'm wrong somewhere. I'm checking.
>
> Thanks,
> --
> Pongthep Kulkrisada
>
> "UNIX is basically a simple operating system,
> but you have to be a genius to understand the simplicity."
> -- Dennis M. Ritchie
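
The difference between "last rule wins" and `final`, discussed in the message above, as an added example that is not part of the original post and is not NPF code: a simplified Python model of rule evaluation applied to the three outbound rules quoted in the thread. The `Rule` class, its field names, the trailing `block out` rule and the `default="block"` fallback (standing in for the default group) are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    final: bool = False          # stop evaluating when this rule matches
    proto: Optional[str] = None  # None matches any protocol
    syn_only: bool = False       # models "flags S/SA": SYN set, ACK clear
    stateful: bool = False       # carried for readability; not evaluated here

    def matches(self, pkt: dict) -> bool:
        if self.direction != pkt["dir"]:
            return False
        if self.proto is not None and self.proto != pkt["proto"]:
            return False
        flags = pkt.get("flags", set())
        if self.syn_only and not ("S" in flags and "A" not in flags):
            return False
        return True

def evaluate(rules, pkt, default="block"):
    """Return (decision, index of the deciding rule or None for the default)."""
    decision, idx = default, None
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            decision, idx = rule.action, i  # a later match overrides an earlier one
            if rule.final:                  # ...unless the matching rule is final
                break
    return decision, idx

# The three rules from the thread, in the order posted.
OUT_RULES = [
    Rule("pass", "out", final=True, proto="tcp", syn_only=True, stateful=True),
    Rule("pass", "out", final=True, proto="tcp"),
    Rule("pass", "out", final=True, stateful=True),
]
# Hypothetical trailing rule, added only to show what `final` short-circuits.
TRAILING_BLOCK = Rule("block", "out")
# The same rules with `final` removed, to show plain last-match-wins behaviour.
NON_FINAL = [replace(r, final=False) for r in OUT_RULES]

# Constructed sample packets.
SYN = {"dir": "out", "proto": "tcp", "flags": {"S"}}
ACK = {"dir": "out", "proto": "tcp", "flags": {"A"}}
UDP = {"dir": "out", "proto": "udp"}
```

With `final`, the position of a rule at the bottom of the group does not matter: the first matching `final` rule decides, so an outbound SYN is decided by the first rule and anything placed after it is never reached.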

