tech-net archive

Re: Packet Filtering



On Feb 13,  3:22am, Robert Swindells wrote:
} 
} What is the recommended way of doing packet filtering in
} NetBSD-current ?

     -current as of what date, and what version?  And, are both
userland and the kernel from the same date?

} I have tried IPF, PF and NPF, and can't get any of them to work
} properly.

     PF seems to be essentially unmaintained and is getting a little
long in the tooth.  IPF recently had a major update.  NPF is, of
course, new.

} I just want to run NAT on IPv4 and to block everything except a small
} list of ports from outside on both IPv4 and IPv6; I can't believe this
} is all that unusual.

     I would expect either IPF or NPF to work well for this.  However,
depending on exactly what the date of your kernel is, you may have
caught one or both of them when they were in a state of flux.  PF
should certainly be able to handle IPv4, but I don't know if it handles
IPv6.  However, given that it is essentially unmaintained, I don't
think I would depend on it.

} I have native IPv6, so both protocols are using the same external
} interface if that makes a difference.

     It shouldn't.

} PF allows traffic from outside to connect to sshd, even though I have
} not opened up that port. It also randomly hangs up connections and
} generates "in_cksum: out of data" errors on the firewall machine;
} Google seems to cause this the most often.

     Sounds like you shouldn't be using PF then.

} NPF generates a core dump if I run "npfctl show" and locks up
} completely afterwards.

     I remember seeing a bug report about this.  You might just need to
update your system to get it fixed.

}-- End of excerpt from Robert Swindells
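An added example, not taken from the thread: an npf.conf(5) ruleset implementing the policy Robert describes (IPv4 NAT for an internal network, with everything from outside dropped except a short list of ports, on both IPv4 and IPv6). The interface names, the internal prefix and the port list are assumptions, and the syntax is that of npf.conf(5) in later NetBSD releases rather than the -current snapshot discussed here.

```conf
# Added example (not from the thread).  Assumed names: wm0 = external
# interface carrying both IPv4 and native IPv6, wm1 = internal interface,
# 192.168.1.0/24 = the LAN hidden behind IPv4 NAT.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 192.168.1.0/24 }

# The "small list of ports" reachable from outside.  sshd is deliberately
# absent, so an inbound SSH connection must be refused by the default block.
$services_tcp = { domain, http, https }
$services_udp = { domain }

alg "icmp"                       # match ICMP errors to existing connections

# IPv4 NAT: $localnet is IPv4-only, so IPv6 traffic is never translated.
map $ext_if dynamic $localnet -> $ext_if

group "external" on $ext_if {
	# State created by outbound traffic lets the replies back in.
	pass stateful out final all

	# No "family" keyword, so these match both IPv4 and IPv6 packets
	# addressed to the external interface on the listed ports only.
	pass stateful in final proto tcp to $ext_if port $services_tcp
	pass stateful in final proto udp to $ext_if port $services_udp

	# IPv6 is not usable without ICMPv6 (neighbour discovery, path MTU
	# discovery), so it is allowed explicitly rather than dropped below.
	pass in final family inet6 proto ipv6-icmp all
}

group "internal" on $int_if {
	block in all
	pass in final from $localnet  # only our own LAN may originate traffic
	pass out final all
}

group default {
	pass final on lo0 all
	block all                    # anything not matched above is dropped
}
```

After loading with `npfctl reload` and `npfctl start`, `npfctl show` lists the active groups, and an inbound connection attempt to port 22 on the external address should simply time out.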
