Re: Packet Filtering

To: "matthew sporleder" <msporleder%gmail.com@localhost>
Subject: Re: Packet Filtering
From: rjs%fdy2.co.uk@localhost
Date: Sun, 28 Oct 2012 18:15:43 -0000 (GMT)

matthew sporleder wrote:
> On Sun, Oct 28, 2012 at 11:15 AM, Robert Swindells <rjs%fdy2.co.uk@localhost> 
> wrote:
>>
>> What is the recommended way of doing packet filtering in
>> NetBSD-current ?
>>
>> I have tried IPF, PF and NPF, and can't get any of them to work
>> properly.
>>
>> I just want to run NAT on IPv4 and to block everything except a small
>> list of ports from outside on both IPv4 and IPv6, I can't believe this
>> is all that unusual.
>>
>> I have native IPv6, so both protocols are using the same external
>> interface if that makes a difference.
>>
>> IPF seemed to work ok until the update to 5.1.1. After this I was
>> unable to get IPv6 to work while still blocking most IPv4 ports.
>>
>> PF allows traffic from outside to connect to sshd, even though I have
>> not opened up that port. It also randomly hangs up connections and
>> generates "in_cksum: out of data" errors on the firewall machine,
>> Google seems to cause this the most often.
>>
>> NPF generates a core dump if I run "npfctl show" and locks up
>> completely afterwards.
>>
>> Robert Swindells
>
> It might be helpful to see some of your rules and help fix your ipf or
> pf issues.

I have copied them to my home directory on homeworld.

> I believe npf should still be considered experimental.

Sure, I was just getting fed up with the unreliability of pf and thought
I would give it a try.

Robert Swindells

References:
- Packet Filtering
  - From: Robert Swindells
- Re: Packet Filtering
  - From: matthew sporleder

Prev by Date: Re: Packet Filtering
Next by Date: Re: Packet Filtering
Previous by Thread: Re: Packet Filtering
Next by Thread: Re: Packet Filtering
Indexes:

Home | Main Index | Thread Index | Old Index