NetBSD-Users archive
Re: problem with interfaces (correction)
What I am trying to do is to create an internal virtual network
10.0.0.0/24 of virtual NetBSD PCs, with one of them acting as gateway. I
configured npf on this gateway, but the rules, as explained on the net
(http://www.netbsd.org/~rmind/npf/#_introduction), have changed compared
to the rules as explained in the npf.conf man page. I use map in the npf
firewall to get any 10.0.0.x outgoing packet converted to 192.168.100.9
(the IP of the external interface on the NetBSD gateway). The problem is
with the rules: if I declare rules like this (see below), everything works, and
I can for instance telnet to my real network mail server on port 25 either
from the gateway or from any other NetBSD in the virtual LAN:
# allow any internal traffic
group (name "internal" interface $int_if) {
pass all
}
group (name "in" interface $ext_if, in) {
pass all
}
group (name "out" interface $ext_if, out) {
pass all
}
group (default) {
block all
}
but of course the idea is to limit the traffic to and from the outside
world, so I try to put something (just a test) like:
pass stateful final proto tcp from 10.0.0.2 to any port 25
in the "out" group, but it does not work. I even used any to any port 25,
but nothing short of pass all seems to work. What would a rule to let my
internal Postfix server reach an external mail server look like?
How can I activate logging on npf? I have some experience with OpenBSD's
pf, but npf not only uses a different /dev log device, it needs a new
kernel module, I think.
thanks
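Added example, not part of the original message: a complete gateway npf.conf of the shape described above, written in the NetBSD 6-era group syntax the post uses. It NATs the 10.0.0.0/24 virtual LAN behind the external interface, allows only the Postfix host to open outbound SMTP (plus the DNS it needs for MX lookups), blocks and logs everything else arriving from outside, and attaches logging through a procedure. The interface names (wm0, vioif0), the Postfix host address 10.0.0.2 and the use of the npflog0 pseudo-interface are assumptions; check them against the npf.conf(5) of the release actually installed.

```conf
# Added example (not from the original post): gateway npf.conf that NATs
# the virtual LAN and lets only SMTP (and DNS) out, with logging applied.
# Interface names and the NetBSD 6-era group syntax are assumptions.
$ext_if = "wm0"            # external interface, 192.168.100.9 in the post
$int_if = "vioif0"         # interface towards the virtual LAN
$int_net = { 10.0.0.0/24 }
$mail_host = { 10.0.0.2 }  # internal Postfix server (assumed address)

# Outbound NAT: rewrite 10.0.0.x sources to the address of $ext_if.
map $ext_if dynamic $int_net -> $ext_if

# Logging procedure: packets matched by a rule carrying 'apply "log"' are
# copied to npflog0. Create it first ("ifconfig npflog0 create") and read
# it with "tcpdump -i npflog0"; no separate /dev device is involved.
procedure "log" {
	log: npflog0
}

# The virtual LAN side is trusted: pass everything.
group (name "internal", interface $int_if) {
	pass all
}

group (name "external", interface $ext_if) {
	# Only the Postfix host may open SMTP connections to the outside.
	# "stateful" lets the replies back in, so no matching "in" rule is needed.
	pass stateful out final proto tcp from $mail_host to any port 25 apply "log"
	# Postfix must resolve MX records, so allow DNS from the same host.
	pass stateful out final proto udp from $mail_host to any port 53
	pass stateful out final proto tcp from $mail_host to any port 53
	# Anything else arriving on the external interface is dropped and logged.
	block in final all apply "log"
}

# Whatever no group claimed is blocked.
group (default) {
	block all
}
```

Load it with npfctl reload followed by npfctl start, and use npfctl stats (or tcpdump on npflog0) to confirm that connections from the Postfix host create state while other hosts in 10.0.0.0/24 are refused by the default group.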