Packet Filtering

To: tech-net%netbsd.org@localhost
Subject: Packet Filtering
From: Robert Swindells <rjs%fdy2.co.uk@localhost>
Date: Sun, 28 Oct 2012 15:15:00 +0000 (GMT)

What is the recommended way of doing packet filtering in
NetBSD-current ?

I have tried IPF, PF and NPF, and can't get any of them to work
properly.

I just want to run NAT on IPv4 and to block everything except a small
list of ports from outside on both IPv4 and IPv6, I can't believe this
is all that unusual.

I have native IPv6, so both protocols are using the same external
interface if that makes a difference.

IPF seemed to work ok until the update to 5.1.1. After this I was
unable to get IPv6 to work while still blocking most IPv4 ports.

PF allows traffic from outside to connect to sshd, even though I have
not opened up that port. It also randomly hangs up connections and
generates "in_cksum: out of data" errors on the firewall machine,
Google seems to cause this the most often.

NPF generates a core dump if I run "npfctl show" and locks up
completely afterwards.

Robert Swindells

Follow-Ups:
- Re: Packet Filtering
  - From: Darren Reed
- Re: Packet Filtering
  - From: John Nemeth
- Re: Packet Filtering
  - From: matthew sporleder

Prev by Date: Re: Introducing NPF in NetBSD 6.0
Next by Date: Re: Packet Filtering
Previous by Thread: Re: Introducing NPF in NetBSD 6.0
Next by Thread: Re: Packet Filtering
Indexes:

Home | Main Index | Thread Index | Old Index