NetBSD-Users archive


Re: pf -> npf



On Sun, Oct 23, 2016 at 07:24:42PM +0200, Jan Danielsson wrote:
> Hello,
> 
>    I have a minimal npf installation on a host which works fine, but now
> I want to move my router to netbsd-7 with npf.  After some trial and
> error I realize I need some assistance.
> 
>    The basic layout is:
>    - re0 is the external connection to the ISP.  The IP is assigned
> using dhcpcd.
>    - wm0; 192.168.72.0/24 network
>    - wm1; 192.168.92.0/24 network
>    - wm2; 192.168.124.0/24 network
> 
>    What I want to accomplish is to allow incoming ssh on re0, but that's
> the only allowed incoming connection.  All the systems on the wm0, wm1
> and wm2 networks should be able to make NAT'ed external connections
> through re0.
> 
>    The configuration I have allows the wm{0,1,2} systems to access the
> router (nslookup, ping, ssh), but they cannot make external connections.
> 
> ---------------------------------------
> $ext_if = "re0"
> $ext_v4 = inet4(re0)
> 
> $int_if = "wm0"
> $media_if = "wm1"
> $wifi_if = "wm2"
> 
> $private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
> 
> map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
> map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
> map $ext_if dynamic 192.168.124.0/24 -> $ext_v4
> 
> procedure "log" {
> 	log: npflog0
> }
> 
> 
> group "external" on $ext_if {
> 	#ruleset "blacklistd"
> 
> 	# Allow DHCP requests (even to reserved addresses).
> 	pass out final proto udp from any port bootpc to any port bootps
> 	pass in final proto udp from any port bootps to any port bootpc
> 	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
> 
> 	# Allow DNS queries
> 	pass stateful out final proto udp to any port domain
> 
> 	# Block IANA-reserved addresses from entering or exiting
> 	block in final from $private_addr apply "log"
> 	block out final to $private_addr apply "log"
> 
> 	pass stateful out final proto tcp all
> 	pass stateful out final proto udp all
> 	pass stateful out final proto icmp all
> 
> 	# Prevent IP spoofing attacks on the firewall
> 	block in final from 127.0.0.1 apply "log"
> 
> 	# Services
> 	pass in final proto tcp to any port ssh apply "log"
> 
> 	# Only allow selected ICMP types
> 	pass in final proto icmp icmp-type echo all apply "log"
> 	pass in final proto icmp icmp-type timxceed all
> 	pass in final proto icmp icmp-type unreach all
> 	pass in final proto icmp icmp-type echoreply all
> 	pass in final proto icmp icmp-type sourcequench all
> 	pass in final proto icmp icmp-type paramprob all
> 	pass in final proto ipv6-icmp all
> }
> 
> group "internal" on $int_if {
> 	# Pass everything to internal networks,
> 	pass final all apply "log"
> }
> 
> group "media" on $media_if {
> 	# Pass everything to media networks,
> 	pass final all apply "log"
> }
> 
> group "wifi" on $wifi_if {
> 	# Pass everything to wifi networks,
> 	pass final all apply "log"
> }
> 
> group default {
> 	# Loopback interface should allow packets to traverse it.
> 	pass final on lo0 all
> 
> 	# Block everything by default.
> 	block final all apply "log"
> }
> ---------------------------------------
> 
>    In addition to not being able to make outbound connections from the
> systems on the wm* interfaces, the router cannot be pinged from the
> Internet (using a laptop+mobile) (No logs are generated on npflog0 when
> I try to ping the router).
> 
>    ... help?

Did you start NPF before or after you obtained your upstream IP address?
I've found I have to bounce NPF every time my uplink changes. I used
dhcpcd-run-hooks(8) to make this automatic.
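The hook mentioned above, written out as an added example (not code from this thread or from NetBSD): a dhcpcd-run-hooks(8) script that reloads NPF when the re0 lease changes. The address behind $ext_v4 = inet4(re0) is resolved when the ruleset is loaded, so a lease obtained afterwards is not reflected until a reload. It assumes the uplink is re0 and that "npfctl reload" is the reload command; both are overridable through environment variables.

```shell
#!/bin/sh
# Constructed example hook for the dhcpcd hooks directory (not from the
# thread). dhcpcd-run-hooks(8) sources hook scripts with $interface,
# $reason, $old_ip_address and $new_ip_address exported.
# Assumptions: the uplink is re0 (the poster's layout) and the reload
# command is "npfctl reload"; both can be overridden for testing.

NPF_UPLINK="${NPF_UPLINK:-re0}"
NPF_RELOAD_CMD="${NPF_RELOAD_CMD:-npfctl reload}"

# Decide whether a dhcpcd event requires reloading the NPF ruleset.
# Args: interface reason old_ip new_ip.  Returns 0 (reload) or 1 (skip).
npf_should_reload() {
    _if="$1"; _reason="$2"; _old="$3"; _new="$4"
    # Only lease events on the uplink matter; the wm* interfaces are static.
    [ "$_if" = "$NPF_UPLINK" ] || return 1
    case "$_reason" in
        BOUND|REBOOT|REBIND)
            # A (re)acquired lease: the address may differ from what
            # inet4(re0) resolved to when the ruleset was last loaded.
            return 0 ;;
        RENEW)
            # A renewal normally keeps the address; reload only if it moved.
            [ "$_old" != "$_new" ] ;;
        *)
            # PREINIT, CARRIER, TEST and similar carry no usable address.
            return 1 ;;
    esac
}

# Reload the NPF ruleset; returns the reload command's exit status.
npf_reload() {
    $NPF_RELOAD_CMD
}

# Entry point when sourced by dhcpcd-run-hooks; a no-op outside dhcpcd
# because $reason is then unset.
if [ -n "$reason" ] && npf_should_reload "$interface" "$reason" \
        "$old_ip_address" "$new_ip_address"; then
    npf_reload
fi
```

Dropping the script into the hooks directory is enough; dhcpcd runs it on every lease event, and the ruleset is only reloaded when the uplink address actually changes.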

