From IPF to NPF...

To: NetBSD User Maillist <netbsd-users%NetBSD.org@localhost>
Subject: From IPF to NPF...
From: BERTRAND Joël <joel.bertrand%systella.fr@localhost>
Date: Sat, 27 Aug 2016 17:22:44 +0200

	Hello,

I'm converting a running IPF configuration into new NPF subsystem on agateway running NetBSD 7.0.1.


	My configuration is :
wm0 : LAN (192.168.10.0/24 + IPv6)
wm1 : WAN (192.168.15.14 IPv4 only)
tap0 : tap tunnel to an IPv6 broker (firewall is on openvpn server).

	My /etc/npf.conf is now :
$lan_if = "wm0"
$wan_if = "wm1"
$tap_if = "tap0"

# Outgoing NAT
map $wan_if dynamic 192.168.10.0/24 -> 192.168.15.14

group "wan" on $wan_if {
        # ICMP
        pass in final family inet4 proto icmp all
        pass out final family inet4 proto icmp all

        # NTP
        pass stateful out final family inet4 from $wan_if \
			to any port ntp

        # OpenVPN
        pass in final family inet4 proto udp from 213.41.149.211 \
                        to $wan_if port openvpn
        pass out final family inet4 proto udp from $wan_if \
                        to 213.41.149.211 port openvpn

        # ssh
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port ssh
        pass stateful in final family inet4 proto tcp \
			from 213.41.150.218 \
                        to $wan_if port 2222
        pass stateful in final family inet4 proto tcp \
			from 213.41.149.211 \
                        to $wan_if port 2222

        # http/https
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port http
        pass stateful out final family inet4 proto tcp from $wan_if \
                        to any port https

        # DNS
        pass stateful out final family inet4 from $wan_if \
			to any port domain

        # NAT
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port http
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port https
        pass stateful out final family inet4 proto tcp \
                        from 192.168.10.0/24 to any port ssh
        pass stateful out final family inet4 \
                        from 192.168.10.0/24 to any port ntp

	# icmp nat doesn't work as expected
        pass stateful out final family inet4 proto icmp \
                        from 192.168.10.0/24 to any

        # Default
        block final all
}

group "tap" on $tap_if {
        pass final all
}

group "lan" on $lan_if {
        pass final all
}

group default {
        pass final on lo0 all
        block all
}

All but ICMP run as expected. Indeed, from LAN side, I'm unable to pinga server on WAN side :


Root riemann:[~] > ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.10.128 icmp_seq=1 Destination Host Unreachable
From 192.168.10.128 icmp_seq=2 Destination Host Unreachable
From 192.168.10.128 icmp_seq=3 Destination Host Unreachable
^C

Of course, from gateway :
legendre# ping 8.8.8.8
PING google-public-dns-a.google.com (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=15.510645 ms
^C

	I suppose I have done a mistake, but I'm unable to find it. Any idea ?

	Best regards,

	JKB

Follow-Ups:
- Re: From IPF to NPF...
  - From: Christos Zoulas

Prev by Date: Re: Proxy server, mode intercept on NetBSD 7.0.1
Next by Date: Re: From IPF to NPF...
Previous by Thread: Result: upgradiong from 2.0 to 7.0
Next by Thread: Re: From IPF to NPF...
Indexes:

Home | Main Index | Thread Index | Old Index