> Seriously, why aren't you using NPF? NPF is the packet filter that is actually
> being developed on and for NetBSD.

I'm not familiar with it. On FreeBSD I use ipfw, with rules where the first one wins. On pf I know that the last one wins. I cannot be so sure from reading the npf howto. My bet is that the last wins too.

I made a little investigation and it seems that I could change from pf to npf.

The pf rules:

    set skip on lo
    block in all
    block out all
    pass out on usmsc0 proto { tcp, udp, icmp } from any to any modulate state
    pass in on usmsc0 proto tcp from any to any port ssh

My version of /etc/npf.conf looks like this:

    group "eth" on usmsc0 {
        block all
        pass stateful out final all
        pass stateful in final proto tcp to usmsc0 port ssh
    }

    group default {
        pass final on lo0 all
        block all
    }

So far, I'm confused about having to drop the secure level to -1 to load the module for pf or npf. Gonna try that as my very next step.

Thanks all for help and best regards

Zoran
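
Added example, not part of the message above: a simplified Python model of how the posted npf.conf is evaluated, compared with reading the same lines the ipfw (first match wins) way. It assumes NPF's documented behaviour that the last matching rule wins unless a matching rule is marked `final`, and that packets matching no group go to the default group. The sample packets, port 22 for ssh, and all names in the code are constructed here; state tracking is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    final: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    port: Optional[int] = None       # destination port

    def matches(self, pkt: dict) -> bool:
        wanted = {"dir": self.direction, "iface": self.iface,
                  "proto": self.proto, "port": self.port}
        return all(v is None or pkt.get(k) == v for k, v in wanted.items())

# Ruleset transcribed from the message; "ssh" is written as port 22.
GROUPS = {"usmsc0": [Rule("block"),
                     Rule("pass", "out", final=True),
                     Rule("pass", "in", final=True, proto="tcp", port=22)]}
DEFAULT = [Rule("pass", final=True, iface="lo0"), Rule("block")]

def rules_for(pkt: dict) -> list:
    """Group bound to the packet's interface, else the default group."""
    return GROUPS.get(pkt["iface"], DEFAULT)

def npf_verdict(pkt: dict) -> Optional[str]:
    """Last matching rule wins; a matching `final` rule stops the search."""
    verdict = None
    for rule in rules_for(pkt):
        if rule.matches(pkt):
            verdict = rule.action
            if rule.final:
                break
    return verdict

def first_match_verdict(pkt: dict) -> Optional[str]:
    """The same lines read the ipfw way: the first matching rule decides."""
    return next((r.action for r in rules_for(pkt) if r.matches(pkt)), None)

# Constructed sample packets (new connections only; state is not modelled).
SSH_IN = {"iface": "usmsc0", "dir": "in", "proto": "tcp", "port": 22}
HTTP_IN = {"iface": "usmsc0", "dir": "in", "proto": "tcp", "port": 80}
DNS_OUT = {"iface": "usmsc0", "dir": "out", "proto": "udp", "port": 53}
LOOPBACK = {"iface": "lo0", "dir": "in", "proto": "tcp", "port": 8080}

if __name__ == "__main__":
    for name, pkt in [("ssh in", SSH_IN), ("http in", HTTP_IN),
                      ("dns out", DNS_OUT), ("loopback", LOOPBACK)]:
        print(f"{name:9} npf={npf_verdict(pkt)} first-match={first_match_verdict(pkt)}")
```

Under first-match reading the leading `block all` would drop everything on usmsc0, which is why the rule order that works in this npf.conf would not carry over to ipfw unchanged.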