stateful npf

To: netbsd-users%netbsd.org@localhost
Subject: stateful npf
From: Patrick Welche <prlw1%cam.ac.uk@localhost>
Date: Wed, 28 Mar 2018 12:43:59 +0100

On a toy -current/amd64 system with internal wm0 and external wm1:

# npfctl show
# filtering:    active
# config:       loaded

procedure "log"

group "ext" on wm1 # id="1" 
        pass in final family inet6 proto ipv6-icmp # id="2" 
        pass out final family inet6 proto ipv6-icmp # id="3" 
        pass in final family inet4 proto icmp # id="4" 
        pass stateful in final family inet4 proto tcp flags S/SA to 192.168.25.65 port 80 apply "log" # id="5" 
        block all # id="6" 

group "int" on wm0 # id="7" 
        pass all # id="8" 

group # id="9" 
        pass final on lo0 all # id="a" 
        block all # id="b" 


If I

  telnet 192.168.25.65 80

I see the connection into ext_if with flag S, but nothing is returned.
Shouldn't the "stateful"ness allow a reply? (Connecting via int_if
works, so the httpd is happy.)


Cheers,

Patrick

Follow-Ups:
- Re: stateful npf
  - From: Patrick Welche

Prev by Date: Re: Disable daylight savings
Next by Date: TCP Timestamp Vulnerability
Previous by Thread: Disable daylight savings
Next by Thread: Re: stateful npf
Indexes:

Home | Main Index | Thread Index | Old Index