Subject: ipf ipnat and dhclient
To: None <Netbsd-Users@netbsd.org>
From: Roger Fischer <r@aileron.org>
List: netbsd-users
Date: 04/13/2003 20:18:12
OK, I know that I must be making this much more difficult than it
has to be.
I've got a couple of problems.

My configuration works, but I have to set a bunch of things manually 
after boot because it's not working "automagically (tm)".  These 
things may be related, and maybe not.


First of all, I had to set net.inet.ipforwarding=1 in
/etc/sysctl.conf because it wasn't set by default in the kernel.

But, after boot, there are no NAT rules loaded, and I have to start 
it manually.

	icarus: {3} ipnat -l
	List of active MAP/Redirect filters:
	List of active sessions:

	icarus: {4} /etc/rc.d/ipnat forcestart
	Installing NAT rules ... 0 entries flushed from NAT table

	icarus: {5} ipnat -l
	List of active MAP/Redirect filters:
	map ne2 192.168.0.0/24  -> 0.0.0.0/32  proxy port ftp ftp/tcp
	map ne2 192.168.0.0/24  -> 0.0.0.0/32  portmap auto
	map ne2 192.168.0.0/24  -> 0.0.0.0/32
	List of active sessions:
	icarus: {6}


Second, I'm having trouble with ipf.
Since I have a dynamic IP, I can't set up my filters until after I
have an IP address.
I tried writing a generic rule set with the word "myip" instead of my
IP address. Then in my dhclient-exit-hooks script I use sed to read in
my rules, substitute my IP address for the keyword "myip", and then
load them into ipf. The problem is that it appears sed is in /usr/bin,
which is not yet mounted, because I get the error "cannot find
/usr/bin/sed".

So, after boot, I load these manually too. So what do other people
do for filter rules on boot without an IP address? Do you write your
rules with the pass in "from whatever" but without the
"to xx.xx.xx.xx"?
(xx.xx.xx.xx is my IP address)


	icarus: {8} ipfstat -i
	empty list for ipfilter(in)
	icarus: {9}


	icarus: {15} /usr/bin/sed "s/myip/24.24.219.147/g" /etc/ipf2.conf | ipf -Fa -f -

	icarus: {16} ipfstat -i
	block in on ne2 from any to any
	block in log quick on ne2 from 192.168.0.0/16 to any
	block in log quick on ne2 from 172.16.0.0/12 to any
	block in log quick on ne2 from 10.0.0.0/8 to any
	block in log quick on ne2 from 127.0.0.0/8 to any
	block in log quick on ne2 from 0.0.0.0/8 to any
	block in log quick on ne2 from 169.254.0.0/16 to any
	block in log quick on ne2 from 192.0.2.0/24 to any
	block in log quick on ne2 from 204.152.64.0/23 to any
	block in log quick on ne2 from 224.0.0.0/3 to any
	pass in quick on ne2 proto icmp from any to xx.xx.xx.xx/32 icmp-type echorep
	pass in quick on ne2 proto icmp from any to xx.xx.xx.xx/32 icmp-type unreach
	pass in quick on ne2 proto icmp from any to xx.xx.xx.xx/32 icmp-type squench
	pass in quick on ne2 proto icmp from any to xx.xx.xx.xx/32 icmp-type timex
	block in log quick on ne2 proto icmp from any to any
	pass in quick on ne2 proto tcp from 167.206.187.171/32 to xx.xx.xx.xx/32 port = 22 flags S/0xff keep state
	pass in quick on ne2 proto tcp from any to xx.xx.xx.xx/32 port = 25 flags S/0xff keep state
	pass in quick on ne2 proto tcp from any to xx.xx.xx.xx/32 port = 80 flags S/0xff keep state
	pass in log quick on ne2 proto udp from 66.75.0.0/16 port = 67 to any port = 68 keep state
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 21
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 22
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 23
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 53
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 443
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 445
	block return-rst in log proto tcp from any to xx.xx.xx.xx/32 port = 515
	icarus: {17}


Any help is greatly appreciated.
Thanks,
- Roger
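One way around the "/usr/bin/sed not found" problem described in the post is to not depend on /usr at all: generate the rule set inside /bin/sh itself with a here-document and pipe it straight into ipf, exactly as the manual `ipf -Fa -f -` command above does. The /etc/dhclient-exit-hooks fragment below is an added example, not code from the original post or from NetBSD. It assumes the ISC dhclient-script variables $reason, $interface and $new_ip_address, that ipf(8) lives in /sbin, the external interface name ne2 and the admin host 167.206.187.171 from the post, and a trimmed version of the post's rule set; the sanity check on the leased address is there so that a malformed or hostile DHCP reply cannot inject text into the rule file.

```shell
#!/bin/sh
# /etc/dhclient-exit-hooks: sourced by ISC dhclient-script after it has
# configured the interface.  Added example, not from the original post.
# Assumptions: dhclient-script exports $reason, $interface and
# $new_ip_address; ipf(8) is /sbin/ipf; only /bin tools are available
# because /usr may not be mounted yet.

EXT_IF=ne2                      # external interface, from the post
SSH_FROM=167.206.187.171/32     # admin host allowed to ssh in, from the post

# Return 0 if $1 is a plain dotted-quad IPv4 address (four octets, each
# 0-255).  Pure /bin/sh: no sed, no IFS games, so it cannot be fooled by
# shell metacharacters in a bogus lease.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    n=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}                  # leading component
        [ "$octet" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
        case "$addr" in
            *.*) addr=${addr#*.} ;;        # drop it and continue
            *)   addr= ;;
        esac
    done
    [ "$n" -eq 4 ]
}

# Print an ipf rule set for address $1 on $EXT_IF.  The here-document is
# the template; $myip is substituted by the shell, so no external tool
# is needed.  Rules are a trimmed form of the post's set.
gen_rules() {
    myip=$1
    cat <<EOF
# generated by dhclient-exit-hooks for $EXT_IF at $myip
block in on $EXT_IF from any to any
block in log quick on $EXT_IF from 192.168.0.0/16 to any
block in log quick on $EXT_IF from 10.0.0.0/8 to any
block in log quick on $EXT_IF from 127.0.0.0/8 to any
pass in quick on $EXT_IF proto icmp from any to $myip/32 icmp-type echorep
block in log quick on $EXT_IF proto icmp from any to any
pass in quick on $EXT_IF proto tcp from $SSH_FROM to $myip/32 port = 22 flags S keep state
pass in quick on $EXT_IF proto tcp from any to $myip/32 port = 25 flags S keep state
pass in quick on $EXT_IF proto tcp from any to $myip/32 port = 80 flags S keep state
# keep DHCP renewals working or the lease (and this address) will be lost
pass in quick on $EXT_IF proto udp from any port = 67 to any port = 68 keep state
block return-rst in log proto tcp from any to $myip/32 port = 21
EOF
}

# Flush the active set and load the new one in a single ipf invocation.
load_rules() {
    gen_rules "$1" | /sbin/ipf -Fa -f -
}

# Act only when dhclient-script sourced us with a usable lease on the
# external interface; running this file by hand does nothing.
case "$reason" in
    BOUND|RENEW|REBIND|REBOOT)
        if [ "$interface" = "$EXT_IF" ] && valid_ipv4 "$new_ip_address"; then
            load_rules "$new_ip_address"
        fi
        ;;
esac
```

Note that with ipf enabled but an empty rule list, as the `ipfstat -i` output above shows, ipf's default is to pass traffic, so the host is unfiltered between boot and the first lease; a small static bootstrap set loaded by /etc/rc.d/ipfilter that blocks everything inbound on ne2 except DHCP closes that window, and the hook above then replaces it once an address is known.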