NetBSD-Users archive


pf -> npf



Hello,

   I have a minimal npf installation on a host which works fine, but now
I want to move my router to netbsd-7 with npf.  After some trial and
error I realize I need some assistance.

   The basic layout is:
   - re0 is the external connection to the ISP.  The IP is assigned
using dhcpcd.
   - wm0; 192.168.72.0/24 network
   - wm1; 192.168.92.0/24 network
   - wm2; 192.168.124.0/24 network

   What I want to accomplish is to allow incoming ssh on re0, but that's
the only allowed incoming connection.  All the systems on the wm0, wm1
and wm2 networks should be able to make NAT'ed external connections
through re0.

   The configuration I have allows the wm{0,1,2} systems to access the
router (nslookup, ping, ssh), but they cannot make external connections.

---------------------------------------
$ext_if = "re0"
$ext_v4 = inet4(re0)

$int_if = "wm0"
$media_if = "wm1"
$wifi_if = "wm2"

# RFC 1918 private address space
$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4

procedure "log" {
	log: npflog0
}


group "external" on $ext_if {
	#ruleset "blacklistd"

	# Allow DHCP requests (even to reserved addresses).
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc

	# Allow DNS queries
	pass stateful out final proto udp to any port domain

	# Block IANA-reserved addresses from entering or exiting
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"

	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all

	# Prevent IP spoofing attacks on the firewall
	block in final from 127.0.0.1 apply "log"

	# Services
	pass in final proto tcp to any port ssh apply "log"

	# Only allow selected ICMP types
	pass in final proto icmp icmp-type echo all apply "log"
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all
}

group "internal" on $int_if {
	# Pass everything on the internal network.
	pass final all apply "log"
}

group "media" on $media_if {
	# Pass everything on the media network.
	pass final all apply "log"
}

group "wifi" on $wifi_if {
	# Pass everything on the wifi network.
	pass final all apply "log"
}

group default {
	# The loopback interface should allow packets to traverse it.
	pass final on lo0 all

	# Block everything by default.
	block final all apply "log"
}
---------------------------------------

   In addition to the systems on the wm* interfaces not being able to make
outbound connections, the router cannot be pinged from the Internet (tested
with a laptop and a mobile phone). No logs are generated on npflog0 when I
try to ping the router.

   ... help?

-- 
Kind regards,
Jan Danielsson
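A sanity check worth running on a ruleset like the one above before chasing packets: make sure every address list and every NAT source in npf.conf is what you think it is. The script below is an added example for this thread, not code from the poster or from NetBSD's npfctl; it parses the `$name = ...` variable lines and the `map <if> dynamic <net> -> <target>` lines of an npf.conf text, verifies that the list held in a variable (assumed here to be called `private_addr`) consists of exactly the RFC 1918 ranges, and also checks that every NAT source network is private space, which goes slightly beyond the post's case. The config text is constructed for the example and deliberately carries an easy slip to make, 172.16.0.0/14 where the RFC 1918 range is 172.16.0.0/12, so the checker has something to report.

```python
import ipaddress
import re

# Canonical RFC 1918 ranges, the reference the config is checked against.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Constructed npf.conf fragment for this example (not a file from the thread);
# it deliberately contains the 172.16.0.0/14 slip so the checker reports it.
SAMPLE_CONF = """\
$ext_if = "re0"
$ext_v4 = inet4(re0)
$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }

map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4
"""

VAR_RE = re.compile(r'^\$(\w+)\s*=\s*(.+?)\s*$')
MAP_RE = re.compile(r'^map\s+(\S+)\s+dynamic\s+(\S+)\s*->\s*(\S+)')


def parse_vars(text):
    """Return {name: [token, ...]} for every `$name = ...` line.

    Braced lists are split on commas; surrounding quotes are dropped.
    """
    variables = {}
    for line in text.splitlines():
        m = VAR_RE.match(line.strip())
        if not m:
            continue
        name, value = m.groups()
        value = value.strip().strip("{}")
        variables[name] = [t.strip().strip('"')
                           for t in value.split(",") if t.strip()]
    return variables


def parse_maps(text):
    """Return [(interface, source, translation)] for every `map ... dynamic` line."""
    maps = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            maps.append(m.groups())
    return maps


def expand(token, variables):
    """Expand a `$name` reference to its tokens; any other token passes through."""
    if token.startswith("$"):
        return variables.get(token[1:], [])
    return [token]


def check_private_list(tokens):
    """Flag entries that are not exactly an RFC 1918 range (e.g. a wrong mask)."""
    findings = []
    for tok in tokens:
        try:
            net = ipaddress.ip_network(tok, strict=False)
        except ValueError:
            findings.append(f"{tok}: not a valid network")
            continue
        if net in RFC1918:
            continue
        overlap = [r for r in RFC1918 if net.overlaps(r)]
        hint = f", did you mean {overlap[0]}?" if overlap else ""
        findings.append(f"{tok}: not an RFC 1918 range{hint}")
    return findings


def check_nat_sources(maps, variables):
    """Flag NAT source ranges that are not inside private address space."""
    findings = []
    for iface, src, _dst in maps:
        for tok in expand(src, variables):
            try:
                net = ipaddress.ip_network(tok, strict=False)
            except ValueError:
                findings.append(f"map on {iface}: cannot parse source {tok}")
                continue
            if not any(net.subnet_of(r) for r in RFC1918):
                findings.append(f"map on {iface}: source {tok} is not RFC 1918 space")
    return findings


def audit(text, private_var="private_addr"):
    """Run both checks over an npf.conf text and return the list of findings."""
    variables = parse_vars(text)
    findings = check_private_list(variables.get(private_var, []))
    findings += check_nat_sources(parse_maps(text), variables)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against a real file with `audit(open("/etc/npf.conf").read())`; a clean ruleset returns an empty list. The parser only understands the two line shapes it needs, so anything else in the file (groups, pass/block rules, procedures) is ignored rather than misread.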


