NPF is blocking some of the outgoing traffic

To: "netbsd-users%netbsd.org@localhost" <netbsd-users%netbsd.org@localhost>
Subject: NPF is blocking some of the outgoing traffic
From: Sad Clouds <cryintothebluesky%gmail.com@localhost>
Date: Sun, 23 Nov 2025 10:34:00 +0000

Hi, I'm trying to understand why NPF is blocking some of the outgoing
traffic. I'm filtering on axen0 interface, which is connected directly
to the Internet router.

NPF log tells me some outgoing traffic is getting blocked:

# tcpdump -tttt -enr /var/log/npflog0.pcap
2025-11-23 10:11:19.767533 rule 10.rules.0/0(match): block out on axen0: 10.0.0.2.58650 > 142.251.168.188.5228: Flags [.], ack 3910863993, win 501, options [nop,nop,TS val 1445442954 ecr 1238116412], length 0

However I have a stateful NPF rule, which should permit all such
traffic. Any ideas?

# npfctl show
# filtering:    active
# config:       loaded

procedure "log"

map axen0 dynamic any -> 192.168.1.1 pass family inet4 from 10.0.0.0/16 # id="1" 

group "external" on axen0 { # id="1" 
        pass stateful out final all # id="2" 
        pass in final family inet4 proto tcp from 192.168.1.0/24 to 192.168.1.1 port 53 # id="3" 
        pass in final family inet4 proto udp from 192.168.1.0/24 to 192.168.1.1 port 53 # id="4" 
        block in final all apply "log" # id="5" 
}

group "internal" on mue0 { # id="6" 
        pass final all # id="7" 
}

group default { # id="8" 
        pass final on lo0 all # id="9" 
        block final all apply "log" # id="a" 
}

Prev by Date: Need to find packages for NetBSD 1.5.2
Previous by Thread: Need to find packages for NetBSD 1.5.2
Indexes:

Home | Main Index | Thread Index | Old Index