tech-net archive


Aw: [ext] Re: NPF and port forwarding?



[...]
> > map wm3 dynamic $wm3_ip 2222 <- $wm3_ip port 22
> >
> > did not exactly yield the desired results (i. e. it did nothing). Any ideas what I'm missing here?
>
> Does including proto tcp help?
>
> map wm3 dynamic proto tcp $wm3_ip port 2222 <- $wm3_ip port 22

It makes no difference, unfortunately. This is the resulting rule with "proto tcp" specified:

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto tcp to 51.77.xxx.yyy port 22 # id="1"

And without it, the rule looks like this:

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto { tcp, udp } to 51.77.xxx.yyy port 22 # id="1"

(Don't worry about the wm7 instead of wm3 - I just switched around network cards.)

To me, the latter looks *exactly* like what I want. However, it's just not working. Is there maybe a general NPF configuration option I could be missing? Or even a kernel config option?

FWIW, this is my active ruleset:

(21:51:42) root@Roanoke:/etc # npfctl show
# filtering:    active
# config:       loaded

table <blacklist> type hash
table <suspicious> type tree
table <whitelist> type hash

procedure "norm"
procedure "log"

map wm7 dynamic 51.77.xxx.yyy port 2222 <- any pass family inet4 proto { tcp, udp } to 51.77.xxx.yyy port 22 # id="1"

group # id="1"
        pass final on lo0 all # id="2"
        ruleset "blacklistd-ext" all # id="3"
        block in final from <blacklist> # id="4"
        block in final from <suspicious> # id="5"
        pass stateful in final flags S/FSRA from <whitelist> apply "log" # id="6"
        pass out final all # id="7"
        pass in final all # id="8"

As you can see, it's pretty much stripped down. I got rid of all other rules in order to debug this particular issue.

(22:03:26) root@Roanoke:/etc # npfctl table "blacklist" list
177.66.200.38
(22:03:35) root@Roanoke:/etc # npfctl table "suspicious" list
(22:03:41) root@Roanoke:/etc # npfctl table "whitelist" list

The one IP address in the "blacklist" table is not the one I'm connecting from.

> I'm doing something very similar but using a different target IP.

Yes, all the examples I could dig up do indeed forward incoming connections not just to a different port but also to a different IP address.

Mirko
--
|Mirko Thiesen    "We're with you all the way, mostly"|
|http://www.BIHealth.org/     Phone: +49 30 450-570763|
| B e r l i n   I n s t i t u t e   o f   H e a l t h |

