[prev in list] [next in list] [prev in thread] [next in thread] 

List:       netbsd-users
Subject:    Re: NPF ruleset not blocking IPs
From:       Emile `iMil' Heitor <imil () home ! imil ! net>
Date:       2022-06-05 9:30:04
Message-ID: 3ef36d5a-c042-cf84-4f1d-f595afd6e27b () home ! imil ! net
[Download RAW message or body]

On Fri, 3 Jun 2022, Emile `iMil' Heitor wrote:


> As the rules in the ruleset are declared as "final", I presume the default
> `pass all` is not reached, am I right?

So, no, I was wrong. Changing the order made the rules apply. I simply removed
the "external" group and inserted the ruleset before the pass all:

group default {
         pass final on lo0 all
         pass stateful out final all

         ruleset "blacklistd"
         block in final from <blacklist>

         pass all

         block in family inet6 all
         pass proto ipv6-icmp all
         pass stateful in family inet6 proto tcp to any port $tcp_allowed
         pass stateful in family inet6 proto udp to any port $udp_allowed
}


------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net

[prev in list] [next in list] [prev in thread] [next in thread]