Subject: Re: New NetBSD user - using ipfilter
To: Gwilym Evans <meatgroup@dingoblue.net.au>
From: Michael Graff <explorer@flame.org>
List: tech-net
Date: 01/20/2001 11:56:00
Well, more like:
	pass out on ppp0 all keep state
	block in all

That SHOULD block all incoming packets unless an outgoing packet 
happened to open state for it.


"Gwilym Evans" <meatgroup@dingoblue.net.au> writes:

> Sorry but I just don't see how that would work. It would still pass packets
> due to the default pass rule, wouldn't it? If I were to change it to a default
> block rule, would this not prevent me from starting sessions in the first
> place?
> 
> If I'm, again, off track, what other rules along with this one would I have
> to use? (I'm on a clean slate here with the exception of the map rules for
> ipnat)
> 
> =G
> 
> 
> -----Original Message-----
> From: tech-net-owner@netbsd.org [mailto:tech-net-owner@netbsd.org]On
> 
> 
> Try it the other direction:
> 	pass out on ppp0 all keep state
> 
> --Michael
> 
> "Gwilym Evans" <meatgroup@dingoblue.net.au> writes:
> 
> > Heyas,
> >
> > 	Must say I rather like NetBSD so far, just using (most) of the default
> > setup for a nat through ppp router and I'm just wondering if the following
> > is possible through ip filters (well, it is, I just don't know how :))
> >
> > 	I'm currently using hosts.deny to tell anything incoming to get stuffed but
> > of course the port itself still lies open. I'd like a way of making it seem
> > like every port is closed to the outside world. I realise that some will be
> > left in a filtered state due to nat sessions, that's ok. It's mainly for the
> > low numbered service ports.
> >
> > 	FYI- my LAN addys are 192.168.0.x and NIC if is le0. Needless to say my
> > dialup if is ppp0 ;)
> >
> > 	I tried 'block in quick on ppp0 all keep state' but um... I guess I'm a
> > little off track. Had to disable/enable filtering to get my connectivity
> > back :D
> >
> > 	TIA,
> > 	Gwilym.
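The following is an added illustration, not code from the thread, NetBSD or IPFilter. It is a small Python model of the parts of IPFilter rule evaluation the thread turns on: rules are walked in order and the last match wins unless a rule says `quick`; `keep state` on a matching `pass` rule records the flow so that later packets of that flow (including replies arriving `in`) are passed before any rule is consulted. Two assumptions are built in and labelled in the code: state is created only by `pass` rules (so `keep state` on a `block` rule records nothing), and a flow is keyed on the interface and the unordered pair of address/port endpoints. The sample packets (an outbound connection from a 10.0.0.2 host over `ppp0`, its reply, and an unsolicited inbound probe to port 22) are constructed for the example. Run with both rulesets it shows why `pass out on ppp0 all keep state` + `block in all` keeps the session working while rejecting the probe, and why `block in quick on ppp0 all keep state` alone blocks the reply and drops the connection.

```python
"""Toy model of IPFilter rule evaluation (added example, not IPFilter code).

Assumptions (simplifications of real ipf behaviour):
  * state entries are created only by matching ``pass`` rules;
  * a flow is keyed on the interface plus the unordered pair of endpoints,
    so the reply to an outbound packet matches the same state entry;
  * with no matching rule, the implicit default is ``pass`` (as in ipf).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    iface: Optional[str] = None   # None means any interface
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        # "all" rules match every packet in the given direction/interface.
        return pkt.direction == self.direction and (
            self.iface is None or self.iface == pkt.iface)


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the thread."""
    words = text.split()
    action, direction, rest = words[0], words[1], words[2:]
    iface = rest[rest.index("on") + 1] if "on" in rest else None
    return Rule(action, direction, iface,
                quick="quick" in rest,
                keep_state="keep" in rest and "state" in rest)


class Firewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Tuple] = set()

    def _state_key(self, pkt: Packet) -> Tuple:
        # Same key for both directions of a flow (assumption, see docstring).
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.iface, tuple(ends))

    def filter(self, pkt: Packet) -> str:
        # State table is consulted before the rule list.
        if self._state_key(pkt) in self.state:
            return "pass"
        winner: Optional[Rule] = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule          # last match wins ...
                if rule.quick:
                    break              # ... unless the rule is "quick"
        if winner is None:
            return "pass"              # ipf's implicit default
        if winner.action == "pass" and winner.keep_state:
            self.state.add(self._state_key(pkt))
        return winner.action


# The rulesets from the thread.
STATEFUL_DEFAULT_DENY = """
pass out on ppp0 all keep state
block in all
"""
BLOCK_IN_QUICK_ONLY = """
block in quick on ppp0 all keep state
"""


def simulate(ruleset_text: str) -> Dict[str, str]:
    """Run constructed sample traffic through a ruleset; return decisions."""
    fw = Firewall([parse_rule(l) for l in ruleset_text.strip().splitlines()])
    syn_out = Packet("out", "ppp0", "10.0.0.2", 40000, "203.0.113.10", 80)
    reply_in = Packet("in", "ppp0", "203.0.113.10", 80, "10.0.0.2", 40000)
    probe_in = Packet("in", "ppp0", "198.51.100.7", 55555, "10.0.0.2", 22)
    return {"syn_out": fw.filter(syn_out),
            "reply_in": fw.filter(reply_in),   # evaluated after state exists
            "probe_in": fw.filter(probe_in)}


if __name__ == "__main__":
    print("pass out keep state + block in all:", simulate(STATEFUL_DEFAULT_DENY))
    print("block in quick ... keep state only:", simulate(BLOCK_IN_QUICK_ONLY))
```

The order of the two calls in `simulate` matters: the outbound packet must be seen first so that its state entry exists when the reply arrives, which is exactly what "unless an outgoing packet happened to open state for it" means in the reply above.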