NetBSD-Users archive


Re: family inet and parameter stateful | npf.conf




On Mon, 16 Jul 2012, Mindaugas Rasiukevicius wrote:

> > On my local network, using stateful with inet6 has not been a problem.
> > Using stateful either in or out has been a problem when trying to use the
> > 'remote desktop' application to login msft server 2008- where it is not a
> > problem to login without using the 'stateful' parameter.  Error message:
> >
> > ERROR: send: Network is unreachable
> >
> > The login screen actually appears and I can enter a password, then the
> > error appears in my 'xterm' window repeatedly until I kill the command.
> > I am using fwmn2.
>
> Can you show your npf.conf ?


Hello Mindaugas,

First I will send my npf.conf, so that you can see it directly.
Please note that it is very basic thus far and you will probably
notice a few parameters which are not even being used at the moment
but rather are placeholders for potential future changes; e.g.,
bce0 has no cable and is not used yet.  Routing and NAT will be
implemented later, to solve the problem of addresses becoming
scarce.  So the below config file is exactly as it currently exists.

I will also be retesting this configuration immediately to be sure
that the information is all correct.  I think that my problem is
still current as of 'Sat Jul  7 08:13:43 EDT 2012'.

(1) @ 3:20:49> uname -pr
6.0_BETA2 i386

$if_ext = "re0"
$if_int = "bce0"
$local4 =  "64.253.101.228 255.255.255.255"
$svcs_tcp = { http }
$svcs_tcp6 = { http }
$svcs_udp = { domain }
$pftp = { 49151-65535 } # passive ftp, tcp
$tracert = { 33434-33600 } # traceroute, udp
$services6 = { ssh www }

table <1> type hash file "/etc/incite"
#table <2> type hash file "/etc/incite2"
table <3> type hash file "/etc/clients4"
table <4> type hash file "/etc/clients6"
table <5> type tree dynamic

#nat $if_ext  from 10.10.0.0/16 to any -> $if_ext

procedure "log" {
        log:  npflog0
}

procedure "rid" {
        normalise:  "random-id"
}

group (name "external", interface $if_ext) {
        block in final family inet from <1> to $if_ext
        pass out family inet from $if_ext apply "rid"
        pass in family inet to $if_ext
#       pass stateful out final family inet from $if_ext apply "rid"
#       pass stateful in family inet to $if_ext
#       pass stateful in family inet from <3> to $if_ext
#       block in final family inet6 from <2> to $if_ext
        pass in final $services6 family inet from <4> to $if_ext
        pass stateful out family inet6 from $if_ext
        pass stateful in family inet6 to $if_ext
#       pass all
}

group (name "internal", interface $if_int) {
        block in all
#       pass in final from <2>
        pass in final all
        pass out final all
}

group (default) {
        pass final on lo0 all
        block all
}

$ cat /etc/incite
# rfc3330; i.e., loopback - antispoof would do it
127.0.0.0 0.255.255.255
# class c
192.168.0.0 255.255.0.0
# class b
172.16.0.0 255.240.0.0
# class a
10.0.0.0 255.0.0.0
# rfc 3927; i.e., autoconfiguration
169.254.0.0 255.255.0.0
# examples
192.0.2.0 255.255.255.0
0.0.0.0 255.0.0.0
240.0.0.0 240.0.0.0
# upnp advertisements:
239.255.255.250 255.255.255.255

$ cat /etc/clients4
the network hosts in subnet mask format

$ cat /etc/clients6
a couple of hosts:  fully qualified domain name and dns server serves
inet6 inside with no advertising out.

Kind regards,
Darrel
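To see exactly which prefixes the "block in final family inet from <1>" rule in the posted npf.conf covers, the following added example (not from the thread or from NPF itself) parses a copy of the /etc/incite listing above and answers whether a given source address would match the table. It assumes the file format is one "address mask" pair per line with '#' comments, and that a mask may be written either as a netmask (255.255.0.0) or, as in the 127.0.0.0 entry, as a wildcard mask (0.255.255.255); how npfctl itself reads that file is not something the thread states.

```python
import ipaddress

# Constructed copy of the /etc/incite listing quoted in the post.
INCITE = """\
# rfc3330; i.e., loopback - antispoof would do it
127.0.0.0 0.255.255.255
# class c
192.168.0.0 255.255.0.0
# class b
172.16.0.0 255.240.0.0
# class a
10.0.0.0 255.0.0.0
# rfc 3927; i.e., autoconfiguration
169.254.0.0 255.255.0.0
# examples
192.0.2.0 255.255.255.0
0.0.0.0 255.0.0.0
240.0.0.0 240.0.0.0
# upnp advertisements:
239.255.255.250 255.255.255.255
"""

def parse_table(text):
    """Return (networks, problems).  Assumption: each data line is
    'address mask', mask given as netmask or wildcard/hostmask.  An
    address with host bits set under its mask is reported as a problem
    instead of being silently widened to the containing network."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        try:
            addr, mask = line.split()
            networks.append(ipaddress.IPv4Network(f"{addr}/{mask}"))
        except ValueError as exc:
            problems.append((lineno, raw, str(exc)))
    return networks, problems

def blocked_by(networks, source):
    """First table entry containing 'source' (what the 'from <1>' match
    would hit), or None when the address is not listed at all."""
    ip = ipaddress.IPv4Address(source)
    return next((n for n in networks if ip in n), None)

def as_cidr(networks):
    return [str(n) for n in networks]

if __name__ == "__main__":
    nets, probs = parse_table(INCITE)
    print(as_cidr(nets), probs)
    for src in ("127.0.0.1", "10.1.2.3", "224.0.0.1", "64.253.101.1"):
        print(src, "->", blocked_by(nets, src) or "not in <1>")
```

Note that only the single SSDP host 239.255.255.250 is listed, so other multicast sources such as 224.0.0.1 do not match the table.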

