Re: Packet Filtering

To: Robert Swindells <rjs%fdy2.co.uk@localhost>
Subject: Re: Packet Filtering
From: matthew sporleder <msporleder%gmail.com@localhost>
Date: Sun, 28 Oct 2012 12:19:59 -0400

On Sun, Oct 28, 2012 at 11:15 AM, Robert Swindells <rjs%fdy2.co.uk@localhost> 
wrote:
>
> What is the recommended way of doing packet filtering in
> NetBSD-current ?
>
> I have tried IPF, PF and NPF, and can't get any of them to work
> properly.
>
> I just want to run NAT on IPv4 and to block everything except a small
> list of ports from outside on both IPv4 and IPv6, I can't believe this
> is all that unusual.
>
> I have native IPv6, so both protocols are using the same external
> interface if that makes a difference.
>
> IPF seemed to work ok until the update to 5.1.1. After this I was
> unable to get IPv6 to work while still blocking most IPv4 ports.
>
> PF allows traffic from outside to connect to sshd, even though I have
> not opened up that port. It also randomly hangs up connections and
> generates "in_cksum: out of data" errors on the firewall machine,
> Google seems to cause this the most often.
>
> NPF generates a core dump if I run "npfctl show" and locks up
> completely afterwards.
>
> Robert Swindells

It might be helpful to see some of your rules and help fix your ipf or
pf issues.

I believe npf should still be considered experimental.

Matt

Follow-Ups:
- Re: Packet Filtering
  - From: rjs

References:
- Packet Filtering
  - From: Robert Swindells

Prev by Date: Packet Filtering
Next by Date: Re: Packet Filtering
Previous by Thread: Packet Filtering
Next by Thread: Re: Packet Filtering
Indexes:

Home | Main Index | Thread Index | Old Index