NetBSD-Users archive


Re: npf config



Hi Nils,

Thanks, that was it....

-George

On Tue, Dec 27, 2016 at 1:39 AM, Nils Ratusznik
<nils.netbsd%anotherhomepage.org@localhost> wrote:
>
>
> ----- On 23 Dec 16, at 5:55, George Georgalis george%galis.org@localhost wrote:
>
>> Hi -
>>
>> Maybe I've been looking at this too long...
>> can someone tell me why this npf.conf
>> is not providing gw service to 10.0.0.0/24
>> via 10.0.0.1, the wm0 interface? The npf
>> host has fully functional gw via a wm1
>> interface on the 10.0.1.0/24 network.
>>
>> # npfctl show
>>
>> # filtering:    active
>> # config:       loaded
>>
>> procedure "log"
>> map wm1 dynamic any -> 10.0.1.1 pass family inet4 from 10.0.0.0/24
>> group "external" on wm1
>>        pass stateful out final family inet4 from 10.0.0.0/24
>>        pass stateful out final all
>>        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.0.1.1 port 22
>> group "internal" on wm0
>>        block return-icmp in all
>>        pass in final family inet4 from 10.0.0.0/24
>>        pass out final all
>> group
>>        pass final on lo0 all
>>        pass final on wm0 all
>>        block return-icmp all
>>
>> # ifconfig -a |grep -E '(^wm|inet )' | grep -v 127.0
>>
>> wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>> wm1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
>>
>> # netstat -finet -anr | grep -E '(link|default)'
>>
>> default            10.0.1.1           UGS         -        -      -  wm1
>> 10.0.1/24          link#2             UC          -        -      -  wm1
>> 10.0.0/24          link#1             UC          -        -      -  wm0
>>
>> Hosts on the 10.0.0.0/24 network configured to use the npf
>> host as gw can reach the npf "external" 10.0.1.1 wm0 interface,
>> but nothing else on 10.0.1.0/24 or beyond. What's missing?
>
> Hi George,
>
> Is IP forwarding enabled ? You can check this with this command :
> $ sysctl net.inet.ip.forwarding
>
> A value of 0 means it's disabled, a value of 1 means it's enabled.
>
> You can enable it quickly with the following command :
> # sysctl -w net.inet.ip.forwarding=1
>
> If you want this setting to be permanent, add the following line to /etc/sysctl.conf :
> net.inet.ip.forwarding=1
>
> You can find more information on sysctl and sysctl.conf here :
> http://netbsd.gw.com/cgi-bin/man-cgi?sysctl
> http://netbsd.gw.com/cgi-bin/man-cgi?sysctl.conf
>
> Hope it helps,
>
> --
> Nils Ratusznik
> https://linuxfr.org
> http://blog.anotherhomepage.org



-- 
George Georgalis, (415) 894-2710, http://www.galis.org/
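The checks Nils describes, together with a look at the NAT map George already has loaded, as one diagnostic script. This is an added example, not code from the thread or from NetBSD: the parsing functions take captured `sysctl`, `/etc/sysctl.conf` and `npfctl show` text as arguments so the script runs offline against the config posted above, and it only queries the live system when executed on a NetBSD host that has npfctl. The function names, the ok/FAIL report format, and the defaults wm1 and 10.0.0.0/24 (taken from George's post) are the example's own choices.

```shell
#!/bin/sh
# gw-check.sh: audit the prerequisites for a NetBSD host acting as an npf
# NAT gateway. Added example for this thread, not a NetBSD or npf tool.
# Each check parses text handed to it, so the logic can be exercised
# against captured output; the bottom of the script feeds it live output
# only on NetBSD.

# forwarding_enabled SYSCTL_OUT
#   SYSCTL_OUT is what `sysctl net.inet.ip.forwarding` prints
#   ("net.inet.ip.forwarding = 1"). Returns 0 when forwarding is on.
forwarding_enabled() {
    case "$1" in
        *"net.inet.ip.forwarding = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# persisted_in_sysctl_conf CONF_TEXT
#   CONF_TEXT is the contents of /etc/sysctl.conf. Returns 0 when it
#   sets net.inet.ip.forwarding=1, so the setting survives a reboot.
persisted_in_sysctl_conf() {
    printf '%s\n' "$1" |
        grep -q '^[[:space:]]*net\.inet\.ip\.forwarding[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# npf_active NPF_OUT
#   NPF_OUT is `npfctl show` output. Returns 0 when the header reports
#   filtering active and a config loaded.
npf_active() {
    printf '%s\n' "$1" | grep -q '^# filtering:[[:space:]]*active' &&
    printf '%s\n' "$1" | grep -q '^# config:[[:space:]]*loaded'
}

# nat_map_present NPF_OUT EXTIF SUBNET
#   Returns 0 when a dynamic NAT map on EXTIF whose source is SUBNET is
#   loaded. Dots in SUBNET are escaped so they match literally.
nat_map_present() {
    subnet_re=$(printf '%s' "$3" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -q "^map $2 dynamic .* from $subnet_re"
}

# audit SYSCTL_OUT CONF_TEXT NPF_OUT EXTIF SUBNET
#   Prints one line per check and returns the number of failed checks
#   (0 means the host is ready to route SUBNET out through EXTIF).
audit() {
    fails=0
    if forwarding_enabled "$1"; then
        echo "ok   net.inet.ip.forwarding is 1"
    else
        echo "FAIL forwarding is off; run: sysctl -w net.inet.ip.forwarding=1"
        fails=$((fails + 1))
    fi
    if persisted_in_sysctl_conf "$2"; then
        echo "ok   /etc/sysctl.conf sets net.inet.ip.forwarding=1"
    else
        echo "FAIL not persisted; add net.inet.ip.forwarding=1 to /etc/sysctl.conf"
        fails=$((fails + 1))
    fi
    if npf_active "$3"; then
        echo "ok   npf filtering active with a loaded config"
    else
        echo "FAIL npf not active or no config loaded; check: npfctl show"
        fails=$((fails + 1))
    fi
    if nat_map_present "$3" "$4" "$5"; then
        echo "ok   dynamic NAT map on $4 covers $5"
    else
        echo "FAIL no dynamic NAT map on $4 for $5 in npfctl show"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample input: the `npfctl show` output from George's post,
# a sysctl line showing forwarding disabled (the state Nils suspected),
# and an empty sysctl.conf.
SAMPLE_SYSCTL='net.inet.ip.forwarding = 0'
SAMPLE_CONF=''
SAMPLE_NPF='# filtering:    active
# config:       loaded

procedure "log"
map wm1 dynamic any -> 10.0.1.1 pass family inet4 from 10.0.0.0/24
group "external" on wm1
       pass stateful out final family inet4 from 10.0.0.0/24
       pass stateful out final all
       pass stateful in final family inet4 proto tcp flags S/FSRA to 10.0.1.1 port 22
group "internal" on wm0
       block return-icmp in all
       pass in final family inet4 from 10.0.0.0/24
       pass out final all
group
       pass final on lo0 all
       pass final on wm0 all
       block return-icmp all'

if [ "$(uname -s)" = NetBSD ] && command -v npfctl >/dev/null 2>&1; then
    # Live run (needs root for npfctl show): gw-check.sh [EXTIF] [SUBNET]
    audit "$(sysctl net.inet.ip.forwarding 2>&1)" \
          "$(cat /etc/sysctl.conf 2>/dev/null)" \
          "$(npfctl show 2>&1)" "${1:-wm1}" "${2:-10.0.0.0/24}"
else
    # Offline run against the constructed sample: reports two FAIL lines
    audit "$SAMPLE_SYSCTL" "$SAMPLE_CONF" "$SAMPLE_NPF" wm1 10.0.0.0/24
fi
```

Against the sample, only the two forwarding checks fail, which matches the thread: the NAT map and the filtering groups were already right, and the single missing piece was the kernel's forwarding switch. Keep in mind that net.inet.ip.forwarding is host-wide, so once it is 1 the host routes between all of its interfaces and the npf groups on each interface are what decides which forwarded traffic is allowed; here the "external" group's `pass stateful out final all` is what lets the NATed flows leave via wm1.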

