On Fri, 3 Jun 2022, Emile `iMil' Heitor wrote:
> As the rules in the ruleset are declared as "final", I presume the default `pass all` is not reached, am I right?
So, no, I was wrong. Changing the order made the rules apply. I simply removed the "external" group and inserted the ruleset before the pass all:

group default {
        pass final on lo0 all
        pass stateful out final all
        ruleset "blacklistd"
        block in final from <blacklist>
        pass all
        block in family inet6 all
        pass proto ipv6-icmp all
        pass stateful in family inet6 proto tcp to any port $tcp_allowed
        pass stateful in family inet6 proto udp to any port $udp_allowed
}

------------------------------------------------------------------------
Emile `iMil' Heitor <imil@{home.imil.net,NetBSD.org}> | https://imil.net