NetBSD-Users archive


Block a single connection with npf
Hello!
In npf.conf(5), the group defining the rules for the LAN interface
$if_mylan of my gateway is as follows:

group "internal" on $if_mylan {
        pass in all
        pass out all

        block stateful out family inet4 proto tcp from <not_nice_host> to <target_address> port 443
}

I would like $if_mylan to be essentially a transparent interface, for
any traffic from and to the internet, except in one case.

A host inside the LAN, with IP <not_nice_host>, often sends data to
<target_address>, port 443, through a TCP connection. I would like to
block this stream, without affecting any other connection between the LAN
and the internet. I would like that, when the data arrives from
<not_nice_host> to $if_mylan, it is blocked.

I tried as above, adding a `block' line. But this seems not to have any
effect (at least, observing the stream for several seconds on iftop,
after having updated /etc/npf.conf and launched `npfctl reload').

Is the order of the rules wrong? Or something else?

Bye!

Rocky
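As an added example, not taken from the original post, here is the same group with the block written for the direction in which packets from the LAN host actually reach the gateway: traffic a LAN host sends toward the internet enters the gateway through $if_mylan, so it is matched by "in" rules on that interface, whereas the "out" rule above only sees packets leaving toward the LAN. The addresses 192.0.2.10 and 198.51.100.20 are constructed placeholders standing in for <not_nice_host> and <target_address>; npf.conf(5) evaluates rules in order, the last matching rule wins, and "final" stops processing at that rule.

```conf
# Added example; not the original poster's /etc/npf.conf.
# Placeholder addresses from the RFC 5737 documentation ranges.
# Note: in npf.conf, <name> denotes a table declared with
#   table <name> type ipset
# so a literal placeholder such as <not_nice_host> must be replaced by an
# address, a variable, or a declared table before the ruleset will load.
$not_nice_host   = 192.0.2.10
$target_address  = 198.51.100.20

group "internal" on $if_mylan {
        pass in all
        pass out all

        # The LAN host's packets to the internet arrive "in" on $if_mylan,
        # so the block must be an "in" rule.  "final" ends rule processing
        # here, so no later pass rule in the group can override the block.
        block in final family inet4 proto tcp \
                from $not_nice_host to $target_address port 443
}
```

After `npfctl reload`, `npfctl show` prints the active ruleset, which makes it easy to confirm that the block rule was loaded with direction "in" rather than "out".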
