NPF issues

To: tech-net%netbsd.org@localhost
Subject: NPF issues
From: Mike Pumford <mpumford%mudcovered.org.uk@localhost>
Date: Sun, 29 Dec 2019 17:46:10 +0000

Got a couple of issues with NPF on my 8.1-STABLE firewall system:

Problem 1
RST frames generated by:
     block return-icmp in final proto udp to any apply "log"
in the external group get blocked by
    block all apply "log"
in the default group.

Problem 2

icmp and icmpv6 frames traverse the firewall but are dropped by thefinal destination host. In particular traceroute and traceroute6responses.

The drop reason as reported by netstat -p icmp on the final nost isinvalid checksum. An additional oddity is that I don't think icmpv6frames were allowed in at all (ie they were ignored by alg-icmp) until Iadded:

    pass in final proto ipv6-icmp all

Doing the same traceroutes on the NPF host itself and the responsesarrive fine. So its something to do with how NPF is delivering them onthe internal interface.


Firewall interfaces are:
wm0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        capabilities=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
        capabilities=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
        capabilities=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
        enabled=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
        enabled=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
        enabled=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
        ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
        ec_enabled=0
        address: 00:0d:b9:4a:72:30
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.1.9/24 broadcast 192.168.1.255 flags 0x0
        inet6 fe80::20d:b9ff:fe4a:7230%wm0/64 flags 0x0 scopeid 0x1
        inet6 2001:8b0:84:1::1/64 flags 0x0

wm2: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1508
        capabilities=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
        capabilities=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
        capabilities=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
        enabled=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
        enabled=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
        enabled=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
        ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
        ec_enabled=0
        address: 00:0d:b9:4a:72:32

media: Ethernet autoselect (1000baseTfull-duplex,flowcontrol,master,rxpause,txpause)

        status: active
        inet 192.168.2.10/24 broadcast 192.168.2.255 flags 0x0
        inet6 fe80::20d:b9ff:fe4a:7232%wm2/64 flags 0x0 scopeid 0x3

pppoe0: flags=0x8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        status: active
        inet 81.187.216.64/32 -> 81.187.81.187 flags 0x0
        inet6 2001:8b0:84:1::1/64 ->  flags 0x0
        inet6 fe80::20d:b9ff:fe4a:7230%pppoe0/64 ->  flags 0x0 scopeid 0x5
npflog0: flags=0x1<UP>


npf.conf (with a few pass stateful in's removed)

external = "pppoe0"
$external_v4 = inet4(pppoe0)
$external_v6 = inet6(pppoe0)
$internal = "wm0"
alg "icmp"

procedure "log" {
    log: npflog0
}


######################################################
# Service groups
#
$out_leaks = { 135, 137, 138, 139, 445 }
$localnet_v4 = { 192.168.1.0/24 }
$localnet_v6 = { 2001:8b0:84:1::/64 }


######################################################
# Nat rules
#

# Bidirectional maps for hosts visible externally
map $external dynamic 192.168.1.1 <-> 81.187.216.82
map $external dynamic 192.168.1.2 <-> 81.187.216.83
map $external dynamic 192.168.1.5 <-> 81.187.216.84

# Map for outgoing connections for the rest of the internal network
map $external dynamic $localnet_v4 -> $external_v4

######################################################
# External interface
#
group "external" on $external {
    ruleset "blacklistd"
    block in all apply "log" # catch all. If nothing else matches

    # Outgoing block to stop dataleakage from windows protocols
    block out final to any port $out_leaks
    # Outgoing traffic we want to be stateful
#    pass stateful out final all
    pass stateful out final proto tcp all
    pass stateful out final proto udp all
    pass stateful out final proto icmp all
    pass stateful out final proto ipv6-icmp all

    pass in final proto ipv6-icmp all
    # Ping
    pass stateful in final family inet4 proto icmp icmp-type echo to any
    # XXX NPF bug. It makes type8 ping but its type 128 for v6
    # SSH any host
    pass stateful in final proto tcp to any port 22


    # Incoming blocks
    block return-rst in final proto tcp flags S/SFRA to any apply "log"
    block return-icmp in final proto udp to any apply "log"
}

######################################################
# Internal interface
#
group "internal" on $internal {
    pass final all
}

group default {
    pass final on lo0 all
    pass final on wm2 all
    block all apply "log"
}

Mike

Prev by Date: Re: panic: kernel diagnostic assertion "mii != NULL" failed
Next by Date: Proposal to remove HIPPI support
Previous by Thread: panic: kernel diagnostic assertion "mii != NULL" failed
Next by Thread: Proposal to remove HIPPI support
Indexes:

Home | Main Index | Thread Index | Old Index