Re: family inet and parameter stateful | npf.conf

To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Subject: Re: family inet and parameter stateful | npf.conf
From: Darrel <levitch%iglou.com@localhost>
Date: Tue, 17 Jul 2012 11:06:08 -0400 (EDT)

Darrel <levitch%iglou.com@localhost> wrote:

On my local network, using stateful with inet6 has not been a problem.
Using stateful either in or out has been a problem when trying to use
the 'remote desktop' application to login msft server 2008- where it
is not a problem to login without using the 'stateful' parameter.
Error message:

ERROR: send: Network is unreachable

<...>


<...>
I will also be retesting this configuration immediately to be sure
that the information is all correct.  I think that my problem is
still current as of 'Sat Jul  7 08:13:43 EDT 2012'.

(1) @ 3:20:49> uname -pr
6.0_BETA2 i386


For NPF table and IPv6 support fixes, you need the very latest netbsd-6
branch (or -current).  Can you please update and try again?


Hello Mindaugas,

My NetBSD6 computer is getting today's source for netbsd-6 now. I amseeing lots of code in sys/net/npf/ and usr.sbin/npf/


The system update should occur today.

If the problem still occurs, then can you describe the connection i.e.
what/where exactly is your source and destination?

Just to be sure -- when using "stateful", one should be aware that for
TCP connections the rule should apply for the initiating (SYN) packet.
If, for example, direction is confused and the rule is applied for the
reply (SYN-ACK) packet - connection tracking engine will not try to fix
it up and will eventually time out the state.

The particular server that I had login problems with is okay now, rather Ihave been logged into it for a couple of days. Perhaps I had an extraline in my npf.conf that was causing my problem, but am not certain.Having just begun to use NPF, I made lots of rapid changes and was losingsleep.


So to hopefully further clarify "stateful".  What I am using now:

        pass stateful out final family inet from $if_ext apply "rid"
        pass stateful in family inet to $if_ext

should be changed to:

        pass stateful out final family inet from $if_ext apply "rid"
        pass in family inet to $if_ext

and if this machine perhaps became a web server, then

        pass stateful in final family inet proto tcp to $if_ext port www \
                apply "rid" apply "log"
        pass stateful out final family inet from $if_ext apply "rid"
         pass in family inet to $if_ext

or am I still missing something? I am particularly wondering aboutlogging- is this set up by the user or perhaps have some defaults thatmight not need much tweaking?


Thank you,
Darrel

Follow-Ups:
- Re: family inet and parameter stateful | npf.conf
  - From: Mindaugas Rasiukevicius

References:
- family inet and parameter stateful | npf.conf
  - From: Darrel
- Re: family inet and parameter stateful | npf.conf
  - From: Mindaugas Rasiukevicius
- Re: family inet and parameter stateful | npf.conf
  - From: Darrel
- Re: family inet and parameter stateful | npf.conf
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: Is ldX @ sdmmc supposed to be r/o only?
Next by Date: build.sh and -x
Previous by Thread: Re: family inet and parameter stateful | npf.conf
Next by Thread: Re: family inet and parameter stateful | npf.conf
Indexes:

Home | Main Index | Thread Index | Old Index