tech-net archive


npf validate error and other npf questions (migrating from ipf)
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
Started with soho_gw-npf.conf from /usr/share/examples/npf/

amd64 NetBSD 8_stable (quad xeon, plenty of ram, raidframe root)

# npfctl validate
/etc/npf.conf:31:0: port range is not valid

npf.conf snippet that fails:
map $ext_if dynamic $localnet0 -> $ext_v4 port 2048-41200

How should I accomplish this? Yes I know there are more exposed options
in NetBSD 9 npf-params(7)...but hoping to test my npf configuration
before I migrate?

On another topic, is this too restrictive on my local interface? :

group "internal" on $int_if {
        block in all
        pass in final from $localnet0
        pass out final all to $localnet0
}
where:
$localnet0 = { 192.168.1.0/24 }
$int_if = "bge0"
My reasoning is that everything coming into my local LAN from the
server should be going to my local network only, and everything going
into the server from my LAN should be only from my local network
address space... am I thinking about this correctly?
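To make the behaviour of the quoted "internal" group concrete, here is an added example (not part of the original post and not NPF's own code) that models NPF's rule evaluation as described in npf.conf(5): rules in a group are checked in order, the last matching rule decides, and a matching rule carrying `final` stops evaluation at once. A packet that matches no rule in the group falls through to the next group (normally `group default`), which this toy model reports as `fallthrough` rather than guessing the outcome. The sample packets, the interface name and the address 203.0.113.7 are constructed for illustration; `$localnet0` is spelled as in the post's definition.

```python
"""Toy model of NPF group-rule evaluation for the "internal" group quoted above.

Semantics modelled (from npf.conf(5)):
  * rules in a group are evaluated in order;
  * the LAST matching rule decides the action, unless a matching rule
    carries ``final``, which stops evaluation immediately;
  * if nothing in the group matches, the packet falls through to the
    next group (normally ``group default``), reported here as "fallthrough".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Variables as defined in the post.
LOCALNET0 = ipaddress.ip_network("192.168.1.0/24")
INT_IF = "bge0"


@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "block"
    direction: str                                # "in", "out" or "any"
    final: bool = False                           # the npf.conf ``final`` keyword
    src: Optional[ipaddress.IPv4Network] = None   # ``from`` selector, None = any
    dst: Optional[ipaddress.IPv4Network] = None   # ``to`` selector, None = any

    def matches(self, direction, src, dst):
        """True if this rule's direction and from/to selectors cover the packet."""
        if self.direction != "any" and self.direction != direction:
            return False
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


# group "internal" on $int_if { ... } exactly as quoted, typo corrected.
INTERNAL_GROUP = [
    Rule("block", "in"),                             # block in all
    Rule("pass", "in", final=True, src=LOCALNET0),   # pass in final from $localnet0
    Rule("pass", "out", final=True, dst=LOCALNET0),  # pass out final all to $localnet0
]


def evaluate(group, direction, src, dst):
    """Decide one packet on the group's interface: 'pass', 'block' or 'fallthrough'."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    decision = None
    for rule in group:
        if rule.matches(direction, src, dst):
            decision = rule.action          # last match wins ...
            if rule.final:
                break                       # ... unless the match is final
    return decision if decision is not None else "fallthrough"


# Constructed sample packets as seen on $int_if (bge0): (direction, src, dst).
SAMPLE_PACKETS = [
    ("in",  "192.168.1.20", "192.168.1.1"),   # LAN host -> router
    ("in",  "10.0.0.5",     "192.168.1.1"),   # non-LAN source arriving on the LAN side
    ("out", "192.168.1.1",  "192.168.1.20"),  # router -> LAN host
    ("out", "192.168.1.1",  "203.0.113.7"),   # router out via bge0 to a non-LAN address
]


def classify_all(group=INTERNAL_GROUP, packets=SAMPLE_PACKETS):
    """Map each sample packet to the group's decision, for quick inspection."""
    return {pkt: evaluate(group, *pkt) for pkt in packets}


if __name__ == "__main__":
    for (direction, src, dst), verdict in classify_all().items():
        print(f"{INT_IF} {direction:3} {src:>14} -> {dst:<14} {verdict}")
```

Running it shows the two cases the post reasons about (LAN-sourced inbound passes, non-LAN-sourced inbound is blocked, outbound to the LAN passes) and one it does not mention: outbound traffic on bge0 to an address outside 192.168.1.0/24 matches nothing in the group, so what happens to it is decided entirely by whatever follows, typically `group default`.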
