NetBSD-Users archive


Re: npf config




----- On 23 Dec 16, at 5:55, George Georgalis george%galis.org@localhost wrote:

> Hi -
> 
> Maybe I've been looking at this too long...
> can someone tell me why this npf.conf
> is not providing gw service to 10.0.0.0/24
> via 10.0.0.1, the wm0 interface? The npf
> host has fully functional gw via a wm1
> interface on the 10.0.1.0/24 network.
> 
> # npfctl show
> 
> # filtering:    active
> # config:       loaded
> 
> procedure "log"
> map wm1 dynamic any -> 10.0.1.1 pass family inet4 from 10.0.0.0/24
> group "external" on wm1
>        pass stateful out final family inet4 from 10.0.0.0/24
>        pass stateful out final all
>        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.0.1.1 port 22
> group "internal" on wm0
>        block return-icmp in all
>        pass in final family inet4 from 10.0.0.0/24
>        pass out final all
> group
>        pass final on lo0 all
>        pass final on wm0 all
>        block return-icmp all
> 
> # ifconfig -a |grep -E '(^wm|inet )' | grep -v 127.0
> 
> wm0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
> wm1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
> 
> # netstat -finet -anr | grep -E '(link|default)'
> 
> default            10.0.1.1           UGS         -        -      -  wm1
> 10.0.1/24          link#2             UC          -        -      -  wm1
> 10.0.0/24          link#1             UC          -        -      -  wm0
> 
> Hosts on the 10.0.0.0/24 network configured to use the npf
> host as gw can reach the npf "external" 10.0.1.1 wm0 interface,
> but nothing else on 10.0.1.0/24 or beyond. What's missing?

Hi George,

Is IP forwarding enabled? You can check this with this command:
$ sysctl net.inet.ip.forwarding

A value of 0 means it's disabled, a value of 1 means it's enabled.

You can enable it quickly with the following command:
# sysctl -w net.inet.ip.forwarding=1

If you want this setting to be permanent, add the following line to /etc/sysctl.conf:
net.inet.ip.forwarding=1

You can find more information on sysctl and sysctl.conf here:
http://netbsd.gw.com/cgi-bin/man-cgi?sysctl
http://netbsd.gw.com/cgi-bin/man-cgi?sysctl.conf

Hope it helps,

-- 
Nils Ratusznik
https://linuxfr.org
http://blog.anotherhomepage.org
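The checks suggested in this thread, gathered into one script as an added example (not part of either mail): it reads captured output of `sysctl net.inet.ip.forwarding`, `netstat -finet -anr` and `npfctl show` and confirms that forwarding is on, that a default route exists, and that the NPF `map` rule sits on the interface carrying that route. The function names and the sample outputs are constructed for this example, modelled on George's mail.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. It works on captured command output
# (constructed samples below, modelled on the mail) so it runs on any sh.

# Value of net.inet.ip.forwarding from sysctl output ("key = value" form).
forwarding_value() {
    printf '%s\n' "$1" | awk -F' = ' '$1 == "net.inet.ip.forwarding" { print $2 }'
}

# Interface of the default route from "netstat -finet -anr" output.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $NF }'
}

# Interface named in the first NPF "map ... dynamic" (NAT) rule.
nat_iface() {
    printf '%s\n' "$1" | awk '$1 == "map" { print $2; exit }'
}

# Report problems; return 0 when the gateway looks sane, 1 otherwise.
check_gateway() {
    fwd=$(forwarding_value "$1"); out=$(default_route_iface "$2"); nat=$(nat_iface "$3")
    rc=0
    if [ "$fwd" != "1" ]; then
        echo "net.inet.ip.forwarding is '${fwd:-unset}': hosts reach the firewall but nothing beyond it"
        rc=1
    fi
    [ -n "$out" ] || { echo "no default route"; rc=1; }
    if [ -n "$nat" ] && [ "$nat" != "$out" ]; then
        echo "NAT map is on $nat but the default route leaves via $out"
        rc=1
    fi
    return $rc
}

# Constructed samples: forwarding off, which matches the symptoms in the mail.
SYSCTL_OUT='net.inet.ip.forwarding = 0'
NETSTAT_OUT='default            10.0.1.1           UGS         -        -      -  wm1
10.0.1/24          link#2             UC          -        -      -  wm1
10.0.0/24          link#1             UC          -        -      -  wm0'
NPF_CONF='map wm1 dynamic any -> 10.0.1.1 pass family inet4 from 10.0.0.0/24
group "external" on wm1'

check_gateway "$SYSCTL_OUT" "$NETSTAT_OUT" "$NPF_CONF" || echo "gateway check failed"
```

On a live NetBSD box the three arguments would be `"$(sysctl net.inet.ip.forwarding)"`, `"$(netstat -finet -anr)"` and `"$(npfctl show)"`.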

