On Thu, Nov 23, 2017 at 4:37 PM, S. Donaldson <[email protected]> wrote:
> I've moved past simple block / allow and am trying to add 'forensic'
> rules that generate log data that I can perform some low level analysis
> against. I have not found documentation that clearly states that a block rule
> such as you suggest:
>
>     block on $int inet
>
> will also effectively block all non-ip protocols. I assume that it does.

In a router, non-IP protocols are effectively blocked if they are not
forwarded.  If you are routing then blocking IP is equivalent to
blocking everything (unless you have compiled support for other
protocols into your kernel).

If you are bridging (or doing something very unusual) then you will
want instead:

block on $int
pass on $int inet proto tcp

-ken
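As an added illustration (not part of the thread), a pf.conf fragment that puts the two rulesets discussed above side by side and adds `log` so that blocked traffic reaches pflog for the kind of after-the-fact analysis the original poster describes; the interface name em0 and the service ports are assumptions:

```pf
# Added example, not from the thread. Interface name and ports are assumed.
int = "em0"

# Variant 1 (routing host): the address family keyword "inet" limits the
# rule to IPv4. IPv6 is a separate family ("inet6") and is not matched here,
# so on a dual-stack box this rule alone leaves IPv6 untouched.
# block log on $int inet

# Variant 2 (bridging host): no address family, so the rule matches every
# packet pf sees on the interface regardless of protocol, and only IPv4 TCP
# to the listed ports is passed back in. pf pass rules keep state by default.
block log on $int
pass on $int inet proto tcp from any to any port { 22 80 443 }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; packets hit by the `log` rule can be read off the pflog interface with `tcpdump -n -e -ttt -i pflog0`.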
