NPF: newbie experiencing some strange behavior

To: NetBSD Users Mailing List <netbsd-users%netbsd.org@localhost>
Subject: NPF: newbie experiencing some strange behavior
From: "g.lister" <g.lister%nodeunit.com@localhost>
Date: Tue, 17 Jun 2014 21:17:24 +0200

Hello guys,

I am trying to setup a gateway for a small home network using NetBSD andafter buying and reading "The book of PF (2ed)" I saw a fewpresentations on NPF and its multi-threaded design and the fact that itwill be NetBSD's default firewall and decided to use that instead of PF.

BTW is NPF really going to be the only firewall/packet filter supportedin future releases??

Currently I have setup a bunch of net service (named, dhcp, nat) andmanaged to get all necessary NPF modules loaded (npf, npf-log, ...) butI seem to be having some kind of a newbie issue or experiencing somekind of a bug/problem.


Here is a small take out from what is happening:

gkpr# npfctl show
Filtering:      active
Configuration:  loaded

table <1> type hash


group (name "internal_net", interface wm0) {
        block in all
        pass in final from <1>
        pass stateful in final proto tcp to 192.168.1.18 port 40200 apply "log"
        pass out final all
}

group (default) {
        pass final on lo0 all
        block all
}
gkpr# npfctl table 1 list
192.168.1.7
192.168.1.11
192.168.1.15
192.168.1.19
192.168.1.8
192.168.1.12
192.168.1.16
192.168.1.20
192.168.1.1
192.168.1.5
192.168.1.9
192.168.1.13
192.168.1.17
192.168.1.2
192.168.1.6
192.168.1.10
192.168.1.14
192.168.1.18
127.0.0.1
gkpr# host yahoo.com localhost
;; connection timed out; no servers could be reached
gkpr# /etc/rc.d/npf stop
Disabling NPF.
gkpr# host yahoo.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

yahoo.com has address 98.138.253.109
yahoo.com has address 98.139.183.24
yahoo.com has address 206.190.36.45
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
gkpr#

I think the 'pass final on lo0 all' should be quick-evaluated (nofurther rule processing should be done) and connectivity to the localnamed server should not be an issue... the snippet is straight from theexamples.

I tried playing around with different settings in the config removingstuff and adding stuff to see which might be the offending definition asmy intentions and setup are quite detailed so I simplified to what Ithink are bare bones and as soon as I turn NPF on things don't worknetwork wise.


Any hints or ideas are welcome!
Thanks in advance.
Kind regards,
george

Follow-Ups:
- Re: NPF: newbie experiencing some strange behavior
  - From: J. Lewis Muir

Prev by Date: Re: openbsd -> netbsd : same yet feels different ...
Next by Date: Re: email management under netbsd : any simple strategies?
Previous by Thread: email management under netbsd : any simple strategies?
Next by Thread: Re: NPF: newbie experiencing some strange behavior
Indexes:

Home | Main Index | Thread Index | Old Index