NetBSD-Users archive


Re: NPF does not recognize npflog0



Thanks for your response,
And sorry if my reply is too long...

* Tomas Bodzar (tomas.bodzar%gmail.com@localhost) wrote:
> > But one question remains pertaining to ping.
> >     pass final on $ext_if family inet proto icmp icmp-type echo code 0 all
> > With the rule above, I cannot ping anywhere.
> > In order to ping, I must put this line instead.
> >     pass final on $ext_if family inet proto icmp all
> > I am also using PF as it previously was the only packet filter for me on 
> > NBSD.
> > With PF-equivalence to the former, the machine is pingable both directions
> > (to and from the machine).
> > Why is it different from NPF?
> 
> What is code 0 here?
> Eg. on pf http://home.nuug.no/~peter/pf/eurobsdcon2012/letpingthru.html
Please see https://calomel.org/pf_config.html; this sample specifies ``code''.
OpenBSD pf.conf(5) man page states icmp-type <type> code <code>.
NetBSD npf.conf(5) man page also mentions...
proto-opts    = "icmp-type" type [ "code" icmp-code ]
``code'' can be found in 
http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xml.
But note that even if I omit ``code 0'', i.e.
    pass final on $ext_if family inet proto icmp icmp-type echo all
ping is still not working.
(The way too long to ping6, which requires icmp6-type.)
But I am not worried.
    pass final on $ext_if family inet proto icmp all
    pass final on $ext_if6 family inet6 proto ipv6-icmp all
do it all for me. :-)

My pf.conf has been in use for a long time. I just cannot recall everything.
But it always works pretty well.

BTW, what about npflog0 in my previous posts?
Is it unsupported in the current version of NPF?

Lastly, these are my latest results. (See my /etc/npf.conf below.)
    1. ping rule works fine (both direction to and from my machine).
    2. http rule works fine, i.e. other machines in the local network can access
       the web server residing on my machine, and all outbound traffic is allowed.
    3. ssh rule works fine (both direction to and from my machine).
   *4. ftp to my machine works fine.
       But my machine CANNOT ftp to ftpd on the other machines.
       During ftp, I can login, cd, pwd but cannot get, mget or even ls.
So only two questions remain i.e. npflog0 and ftp (out).
Any suggestions are highly appreciated.

Here's my full /etc/npf.conf
Note that I don't like to put ``final'' in every rule.
Most of my config was excerpted from /usr/share/examples/npf/host-npf.conf.

$ext_if = "pcn0"

$services = { ftp, ssh }

$localnet = { 192.168.1.0/24 }

procedure "log" {
#   log: npflog0    # seems unsupported, so simply blank it
}

procedure "norm" {
    normalise: "random-id"
}

group (name "external", interface $ext_if) {
    pass in final proto tcp to $ext_if port $services apply "log"
    pass in final proto tcp from $localnet to $ext_if port http apply "log"
    pass in final proto tcp to $ext_if port 49151-65535    # Passive FTP
    pass in final proto udp to $ext_if port 33434-33600    # Traceroute
    pass final on $ext_if family inet proto icmp all       # Ping
    pass stateful out final family inet proto tcp flags S/SA from $ext_if apply "norm"
    pass out final family inet proto tcp from $ext_if apply "norm"
    pass stateful out final family inet from $ext_if apply "norm"
}

group (default) {
    pass final on lo0 all
    block all apply "log"
}

Thanks,
-- 
Pongthep Kulkrisada
 
"UNIX is basically a simple operating system,
but you have to be a genius to understand the simplicity."
-- Dennis M. Ritchie
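An added example (not from the post above or from the NetBSD examples it quotes). The echo-only rule quoted in the thread matches ICMP type 8 in both directions, but the type 0 echo-reply coming back to the machine's own pings matches nothing and falls through to `block all`; that is consistent with "cannot ping anywhere" while the `proto icmp all` form works. Two ways to cover the reply direction are shown below; the stateful handling of ICMP echo and the acceptance of numeric `icmp-type` values follow npf.conf(5) as I read it and are assumptions, not verified with npfctl here.

```conf
$ext_if = "pcn0"

group (name "external", interface $ext_if) {
    # Option 1: stateful. The outbound echo request creates a state entry,
    # and the matching echo-reply (type 0) is passed by that entry instead
    # of needing its own rule. (Assumes NPF tracks ICMP echo state.)
    pass stateful out final family inet proto icmp icmp-type echo code 0 all

    # Option 2: stateless, spelled out per direction with the numeric
    # values from the IANA ICMP registry linked in the thread:
    # 8 = echo (request), 0 = echo-reply.
    pass in  final family inet proto icmp icmp-type 8 code 0 all   # others ping us
    pass out final family inet proto icmp icmp-type 0 code 0 all   # our replies
    pass out final family inet proto icmp icmp-type 8 code 0 all   # we ping out
    pass in  final family inet proto icmp icmp-type 0 code 0 all   # replies to us
}

group (default) {
    pass final on lo0 all
    block all
}
```

Either option keeps the rest of ICMP blocked, which is the point of preferring it over `proto icmp all`; whichever is used, `npfctl validate` on the file is the quick way to confirm the syntax on the running version.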

