tech-net archive


Re: NPF and PF



On Wed, Dec 16, 2020 at 05:45:36PM +0000, Robert Swindells wrote:
> 
> Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> >On Wed, Dec 16, 2020 at 04:07:54PM +0100, Hauke Fath wrote:
> >> [...]
> >> IMHO, the NetBSD packet filter supports SOHO installations at best; 
> >> anything else is misleading.
> >
> >Even at home, I stay with ipf for multihomed routers.
> >npf just lacks the features I use (as I already explained several times).
> 
> Prompted by today's thread I looked back at recent firewall discussions.
> 
> I don't see enough of a description of what you want to do to be able
> to work on fixing your problem.

My first mail on this topic was 26 Oct 2012 on tech-net@.
I then sent a more complete example on 21 Aug 2018, as a follow-up to a
mail from you on developers@ (you were in Cc).
I didn't get any follow-up.

Here is what was in my 2018 mail (note that my example from 2012 was a
multihomed host, not a Xen dom0, but both use ruleset groups to
filter first on source, then on destination).
One thing I didn't mention in my previous emails is that, for the Xen
example, npf should accept to load rules with nonexistent interfaces
(the interfaces are created later).
Another thing not mentioned here is that in some corner cases I had
to use nested groups.

Basically my ipf.conf looks like below. The kernel is configured with
BRIDGE_IPF on Xen dom0. This is a simple example. On real-life hosts
I have 51 vlans and more than 10 guests.
Note that I use interface names that are not present (or not always present)
in the system when the ipf.conf is first read. The Xen scripts patch it
and do a /etc/rc.d/ipfilter reload.

# the name below is patched with xvifXiY by Xen scripts
guest1i0=none1i0
guest1i1=none1i1

# block everything by default
block in log all

# 127.0.0.0/8 only on lo0
block in log level err quick from 127.0.0.0/8 to any head 10
pass in on lo0 from any to any group 10

block in log quick from any to 127.0.0.0/8 head 20
pass in quick on lo0 from any to any group 20

# check that a source IP comes in on the right interface
block in log quick from 10.0.0.0/24 to any head 100
pass in on vlan0 from any to any group 100
pass in on $guest1i0 from 10.0.0.10 to any group 100

block in log quick from 10.0.1.0/24 to any head 101
pass in on vlan1 from any to any group 101
pass in on $guest1i1 from 10.0.1.10 to any group 101

# there may be more checks on source, like public IP coming in only on
# the public interface

# now we're sure the source is on the correct interface. Check destination
# I have a single group below, but on real use cases, there will be one by
# host class/role
block in log quick from 10.0.0.1 to any head 1000
block in log quick from 10.0.1.1 to any head 1000
block in log quick from 10.0.0.10 to any head 1000
block in log quick from 10.0.1.10 to any head 1000
pass in log quick proto tcp from myworkstation to any port = 22 flags S/SA group 1000
pass in log quick proto tcp from myworkstation to any port = 443 flags S/SA group 1000
pass in log quick proto tcp from 10.0.0.0/16 to any port = 25 flags S/SA group 1000
block return-rst in log quick proto tcp from any to any group 1000
pass in quick proto icmp from any to any group 1000

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
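The mail's point is the ipf feature npf lacks: a head rule sends a matching packet into a rule group, a non-quick match inside the group becomes the current last match, and a group in which nothing matches falls back to the head rule itself (here a quick block). The following is an added example, not code from the mail or from NetBSD: a small Python model of those head/group/quick semantics from ipf.conf(5) for a reduced rule syntax (interface, source, destination, protocol, destination port), replaying a ruleset shaped like the one above against constructed packets. The interface names xvif1i0/xvif1i1, the address 10.0.1.1 standing in for "myworkstation", and the default pass when no rule matches are assumptions; state, TCP flags, logging and return-rst are not modelled.

```python
"""Toy model of IP Filter (ipf) head/group/quick evaluation.

Added example, not code from the mail or from NetBSD: it models the
rule-group semantics of ipf.conf(5) for a reduced rule syntax and replays a
ruleset shaped like the one in the mail (source-interface check first, then
per-host policy) against constructed packets.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def in_net(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ('any', a host address or a CIDR prefix)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str = "tcp"      # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False              # stop evaluation when this rule is the match
    iface: Optional[str] = None      # "on <iface>"
    src: str = "any"
    dst: str = "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    head: Optional[int] = None       # this rule is the head of group N
    group: int = 0                   # group this rule belongs to (0 = top level)

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst))


def scan(rules, group: int, pkt: Packet):
    """Walk one group in order. Returns (action, stopped): action is that of
    the last matching rule (None if nothing matched); stopped is True when a
    quick rule ended evaluation. A head rule whose group matches nothing is
    itself the last match, so its own action and quick flag apply."""
    result = None
    for r in rules:
        if r.group != group or not r.matches(pkt):
            continue
        action, stop = r.action, r.quick
        if r.head is not None:
            sub_action, sub_stop = scan(rules, r.head, pkt)
            if sub_action is not None:      # a group rule matched: it is the last match
                action, stop = sub_action, sub_stop
        result = action
        if stop:
            return result, True
    return result, False


def filter_packet(rules, pkt: Packet) -> str:
    """A packet matching no rule at all is passed (assumed ipf default)."""
    action, _ = scan(rules, 0, pkt)
    return action or "pass"


# Constructed ruleset modelled on the mail's ipf.conf. Interface names are the
# ones the Xen scripts would patch in (assumed); "myworkstation" is stood in
# for by the constructed address 10.0.1.1.
GUEST1I0, GUEST1I1, WORKSTATION = "xvif1i0", "xvif1i1", "10.0.1.1"
RULES = [
    Rule("block"),                                              # block in log all
    Rule("block", quick=True, src="127.0.0.0/8", head=10),      # loopback only on lo0
    Rule("pass", iface="lo0", group=10),
    Rule("block", quick=True, dst="127.0.0.0/8", head=20),
    Rule("pass", quick=True, iface="lo0", group=20),
    # stage 1: a source prefix may only come in on its own interface(s)
    Rule("block", quick=True, src="10.0.0.0/24", head=100),
    Rule("pass", iface="vlan0", group=100),
    Rule("pass", iface=GUEST1I0, src="10.0.0.10", group=100),
    Rule("block", quick=True, src="10.0.1.0/24", head=101),
    Rule("pass", iface="vlan1", group=101),
    Rule("pass", iface=GUEST1I1, src="10.0.1.10", group=101),
    # stage 2: per-host policy, a single group as in the mail's small example
    *[Rule("block", quick=True, src=h, head=1000)
      for h in ("10.0.0.1", "10.0.1.1", "10.0.0.10", "10.0.1.10")],
    Rule("pass", quick=True, proto="tcp", src=WORKSTATION, dport=22, group=1000),
    Rule("pass", quick=True, proto="tcp", src=WORKSTATION, dport=443, group=1000),
    Rule("pass", quick=True, proto="tcp", src="10.0.0.0/16", dport=25, group=1000),
    Rule("block", quick=True, proto="tcp", group=1000),         # "block return-rst" in ipf
    Rule("pass", quick=True, proto="icmp", group=1000),
]

if __name__ == "__main__":
    for p in (Packet("vlan1", "10.0.0.5", "10.0.1.1"),          # prefix on the wrong interface
              Packet(GUEST1I0, "10.0.0.11", "10.0.1.1"),        # guest using a neighbour's address
              Packet(GUEST1I0, "10.0.0.10", "10.0.1.1", "icmp"),
              Packet(GUEST1I0, "10.0.0.10", "10.0.1.1", "tcp", 80),
              Packet("vlan1", WORKSTATION, "10.0.0.10", "tcp", 22)):
        print(f"{p.iface:8} {p.src:>10} -> {p.dst:<10} {p.proto}/{p.dport}: "
              f"{filter_packet(RULES, p)}")
```

Two things the replay makes visible. A packet whose source prefix arrives on an interface not listed in its stage-1 group never reaches the destination stage: the head's quick block ends evaluation. And because ipf is last-match-wins, a source that passes stage 1 but is covered by no stage-2 head keeps the stage-1 pass as its last match and is accepted, which is why the real ruleset needs a head per host class rather than the single group shown here.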

