tech-net archive


Re: Packet Filtering



John Nemeth wrote:
>On Feb 13,  3:22am, Robert Swindells wrote:
>} 
>} What is the recommended way of doing packet filtering in
>} NetBSD-current?
>
>     -current as of what date, and what version?  And, are both
>userland and the kernel from the same date?

I am running -current as of this afternoon now; kernel and userland
match. I was running a version from the same time yesterday when
I wrote the first email.

>} I have tried IPF, PF and NPF, and can't get any of them to work
>} properly.
>
>     PF seems to be essentially unmaintained and is getting a little
>long in the tooth.  IPF recently had a major update.  NPF is, of
>course, new.

I know; I was asking for suggestions on what was working for other
people.

>} I just want to run NAT on IPv4 and to block everything except a small
>} list of ports from outside on both IPv4 and IPv6, I can't believe this
>} is all that unusual.
>
>     I would expect either IPF or NPF to work well for this.  However,
>depending on exactly what the date of your kernel is, you may have
>caught one or both of them when they were in a state of flux.  PF
>should certainly be able to handle IPv4, but I don't know if it handles
>IPv6.  However, given that it is essentially unmaintained, I don't
>think I would depend on it.

There does seem to be PF support for IPv6; we are using this on project
machines, so I would hope that it worked correctly.

>} I have native IPv6, so both protocols are using the same external
>} interface if that makes a difference.
>
>     It shouldn't.

>} PF allows traffic from outside to connect to sshd, even though I have
>} not opened up that port. It also randomly hangs up connections and
>} generates "in_cksum: out of data" errors on the firewall machine,
>} Google seems to cause this the most often.
>
>     Sounds like you shouldn't be using PF then.

I have switched back to IPF.

It would still be nice to be able to prevent access to ports from outside.

>} NPF generates a core dump if I run "npfctl show" and locks up
>} completely afterwards.
>
>     I remember seeing a bug report about this.  You might just need to
>update your system to get it fixed.

The core dump problem has been fixed by rmind today.

I guess part of my point was that we have just released NetBSD-6.0:
are people who install it or upgrade to it from NetBSD-5 going to have
similar problems to me?

IPF seems reliable but the syntax of the configuration file is, to me,
a lot harder to use than those of PF and NPF. The examples for IPF
have also not been updated for 5.1.1.

Robert Swindells
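For reference, an added example that is not part of the original thread and not taken from NetBSD's own configuration files: one way to express the policy Robert describes, IPv4 NAT plus default deny from outside with a short allow list on both protocols, in IPF, the filter he settled on. The interface names wm0 (outside) and wm1 (inside), the 192.168.1.0/24 LAN and the allowed ports are assumptions; with `ipfilter=YES` and `ipnat=YES` in rc.conf, the rc.d/ipfilter and rc.d/ipnat scripts load these three files (ipf6.conf via `ipf -6`).

```conf
# ---- /etc/ipnat.conf : IPv4 NAT for the LAN behind wm1
# 0/32 means "the current address of wm0"; LAN and interfaces are assumed.
map wm0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map wm0 192.168.1.0/24 -> 0/32

# ---- /etc/ipf.conf : IPv4 filter. The first matching "quick" rule wins.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on wm1 all
pass out quick on wm1 all
# Anything leaving via the outside interface may go; replies are
# matched against the state table before any rule below is consulted.
pass out quick on wm0 proto tcp  from any to any flags S keep state
pass out quick on wm0 proto udp  from any to any keep state
pass out quick on wm0 proto icmp from any to any keep state
# The small list of services reachable from outside, one line per port
# (22 and 80 are assumed values).
pass in quick on wm0 proto tcp from any to any port = 22 flags S keep state
pass in quick on wm0 proto tcp from any to any port = 80 flags S keep state
# Default deny for everything else arriving on the outside, logged so
# unexpected hits show up in ipmon output.
block in log quick on wm0 all

# ---- /etc/ipf6.conf : the same policy for IPv6
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on wm1 all
pass out quick on wm1 all
pass out quick on wm0 proto tcp       from any to any flags S keep state
pass out quick on wm0 proto udp       from any to any keep state
pass out quick on wm0 proto ipv6-icmp from any to any keep state
# Unlike IPv4, a default-deny IPv6 policy must still admit the ICMPv6
# used for path MTU (2), router advertisements (134) and neighbour
# discovery (135/136), or the link stops working altogether.
pass in quick on wm0 proto ipv6-icmp from any to any icmp-type 2
pass in quick on wm0 proto ipv6-icmp from any to any icmp-type 134
pass in quick on wm0 proto ipv6-icmp from any to any icmp-type 135
pass in quick on wm0 proto ipv6-icmp from any to any icmp-type 136
pass in quick on wm0 proto tcp from any to any port = 22 flags S keep state
pass in quick on wm0 proto tcp from any to any port = 80 flags S keep state
block in log quick on wm0 all
```

After loading, `ipfstat -io` shows the rules actually installed and `ipfstat -sl` the state table; a port that remains reachable from outside despite this ruleset, as Robert saw with PF and sshd, points to the rules not being active on the interface that carries the traffic rather than to a gap in the policy.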
