NetBSD-Users archive


NPF on domU - more clarity required



I have been struggling to get NPF up and running on a NetBSD VPS,
specifically a Xen domU. I really think for security reasons NPF should
be nearly ready to go, so that we don't have to spend hours researching
and pulling our hair out trying to fix what should be a straightforward
issue, which leaves a machine vulnerable when it probably needs
protection most. It appears this problem came up some years ago, but
Googling provides me with no fix.

I understand that NetBSD as a Xen domU does not support kernel modules.
So the recommendation in the NPF documentation to "modload" npf_ext_log
does not apply here. Fine, I took a wild guess and compiled a new Xen
domU kernel with the following two lines added to make sure NPF logging
and normalisation functionality was compiled into the kernel instead:

options NPF_EXT_LOG
options NPF_EXT_NORMALISE

Needless to say, I also made sure pseudo-device npf was enabled.

I also made sure /dev/npf existed, and I created /etc/ifconfig.npflog0
with just the word "create".

I kept the contents of npf.conf to a minimum for troubleshooting, but
NPF just refuses to load. This is the error I get at boot:

npfctl: cannot open '/dev/npf': Device not configured
npfctl: cannot open '/dev/npf': Device not configured
/etc/rc.d/npf exited with code 1

I have /usr on a separate partition which might cause this error at boot
but should not cause the error when I do
/etc/rc.d/npf reload ; /etc/rc.d/npf start
after the system is up and running.

Here are the contents of npf.conf:

===================================================================
# /etc/npf.conf

$wired_v4 = { inet4(xennet0) }

procedure "log" {
log: npflog0
}

group "wired" on $wired_v4 {
# disable 80 until we are sure this is running properly
# pass in final family inet4 proto tcp to $wired_v4 port 80
pass in final family inet4 proto tcp to $wired_v4 port 22022
pass stateful out final family inet4 proto tcp flags S/SA \
     from $wired_v4
pass out final family inet4 proto tcp from $wired_v4
pass stateful out final family inet4 from $wired_v4
}

group default {
pass final on lo0 all
block all apply "log"
}

===================================================================

I have faced this issue on several occasions now and it is most
frustrating. I would like to be able to have a basic firewall up and
running within five minutes of setting up a machine. I'd been looking
forward to trying NPF but it feels as though I'm in the seven circles
of Hell trying to get it to run.

-- 
Gerard Lally
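The boot error quoted above, "cannot open '/dev/npf': Device not configured", is the ENXIO case: the device node is present in /dev but the running kernel has no npf driver attached to it, which is a different failure from a missing node or a permissions problem. The following helper is an added example, not code from the original post or from NetBSD; it reproduces the open that npfctl performs and classifies the result so the three cases can be told apart. The function name npf_dev_check, the exit codes and the suggested remedies in the messages are this example's own choices.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not part of the original post).
# Classifies why npfctl might fail to open the NPF control device.
#
# Usage: npf_dev_check [device]    (default: /dev/npf)
# Exit codes (chosen for this example):
#   0 node exists, is a char device and opens
#   2 node missing (ENOENT)          -> create it under /dev
#   3 node exists but is not a char device
#   4 node exists but no driver (ENXIO, "Device not configured")
#     -> kernel lacks "pseudo-device npf"; boot a kernel that has it
#   5 permission denied (EACCES)     -> npfctl needs root
#   1 any other open error
npf_dev_check() {
    dev="${1:-/dev/npf}"

    if [ ! -e "$dev" ]; then
        echo "MISSING: $dev does not exist; create the node in /dev (MAKEDEV npf on NetBSD)"
        return 2
    fi

    if [ ! -c "$dev" ]; then
        echo "NOTCHAR: $dev exists but is not a character device"
        return 3
    fi

    # Open the node for reading, as npfctl does, and capture the error text.
    # 'true' (not ':') is used so a failed redirect is not fatal to the shell.
    if err=$( { true < "$dev"; } 2>&1 ); then
        echo "OK: $dev opens; the kernel has an npf driver behind it"
        return 0
    fi

    case "$err" in
        *"Device not configured"*|*"No such device"*)
            # ENXIO: node present, driver absent. On a Xen domU this means the
            # running kernel was built without "pseudo-device npf".
            echo "NODRIVER: $dev exists but the running kernel has no npf pseudo-device"
            return 4 ;;
        *"Permission denied"*)
            echo "PERM: $dev exists but is not readable by this user (run as root)"
            return 5 ;;
        *)
            echo "ERR: $err"
            return 1 ;;
    esac
}
```

Run it as root on the domU after each change (new kernel, MAKEDEV, rc.d restart): a NODRIVER result means the kernel in use still lacks the driver, regardless of whether the device node or /etc/ifconfig.npflog0 exists, so the next step is confirming which kernel actually booted rather than editing npf.conf.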


