I am converting some machines to npf from ipfilter. (ipfilter seems to work just fine in 8, but with it being deprecated and a dim memory of some reports of trouble, perhaps in odd cases, it seems wise to change to npf before updating to 9.) I am thus running in a mixed 8/9 environment. I have a few questions. (Please trim if only replying to part of this.)

* modules on NetBSD 9

It seems bpfjit is not compiled into the RPI2 kernel (NetBSD 9), and also not into i386 GENERIC. RPI2 tends to run at a securelevel that doesn't allow modules at runtime. npf works without bpfjit, but it complains every time the ruleset is reloaded. So which of these is a bug?

  - that bpfjit is not compiled in
  - that there isn't a way to load modules that are signed, even at higher securelevel
  - that the big scary warning is printed
  - something else?

* logfile rotation

With npfd=YES, I am getting /var/log/npflog0.pcap. newsyslog is rotating that, but the default newsyslog config in 8 does not have pidfile set up. So it seems the change to add the pidfile should be pulled up to 8. Also, the default size of 100 seems very low; even with 7 files not much history is retained for a machine on the internet.

* self-packets being blocked

I am trying to set up very simple rules inspired by the examples on a machine with one interface, to basically block all incoming except for specifically opened ports.

  group default {
          block all apply "log"
          pass final on lo0 all
          # allow a few specific inbound things
          pass stateful out all
  }

Let's call the address 10.0.0.2/24. Basically this works. However, TCP connections from the machine itself to 10.0.0.2 to ports not specifically allowed from the internet fail. This happens with xennet, even when there is a route for 10.0.0.2 to lo0. But with re0 and IPv4, it seems to work. For IPv6 link local, it seems to fail in all cases.

What I want is for packets from the host that end up at the host to not be blocked, even if they get routed out towards an interface and re-delivered to the stack by that interface. But I don't want to allow packets with spoofed source and destination addresses that really did arrive on the interface. So my question is really: how do I make npf do what I want? Am I missing something?

* rule matching counts

In ipfilter one can get a count of how many times rules have matched. Is there any way to do this, sort of "npfctl show -c" where each rule has a counter when it was the effective rule? (I realize the rule numbers are in the logfile for logged packets.)

* fragments

The documentation says npf reassembles fragments. That makes sense, because that way rules can be applied to the whole packet, and fragments can't be used to bypass the filter. One of my systems is logging IPv6 multicast mdns fragments as blocked, even though that's allowed. It seems that with the plan of fragments being reassembled, those should have been reassembled and then had rules applied. Does the fragment reassembly work for broadcast/multicast IPv6?

* multiple machine configs

I am torn between learning an entire config system, and just using m4 for some machines and having manually synced rules for machines that are really different. npf doesn't seem to make this easy, except perhaps with tables to have different allowed port lists. But the list of interfaces seems harder. Is there really no .include functionality? I am trying to have common rules across machines, which differ mostly in IP address and network interface (e.g. wm vs xennet). Is there any way to specify "all non-lo0 interfaces that are up"?
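The "multiple machine configs" question above (common rules, per-host interface and address) can be handled without a new config system by rendering one shared template per host. The script below is an added example, not part of this post or of NetBSD; it uses plain sed placeholder substitution instead of m4, the @EXT_IF@/@EXT_ADDR@ markers and the template are constructed here, and the `ifconfig -lu` / `npfctl validate` invocations in the trailing comment are assumed NetBSD usage that the example does not run.

```shell
#!/bin/sh
# Render a shared npf.conf template for one host, substituting only the
# values that differ between machines: external interface and address.

# Drop lo0 from a space-separated interface list, as `ifconfig -lu`
# (interfaces that are up) prints it on NetBSD.
non_lo0_ifs() {
    for i in $1; do
        [ "$i" = lo0 ] || printf '%s ' "$i"
    done
}

# Emit the ruleset with the host-specific values filled in.
# $1 = external interface (must not be lo0), $2 = host address/prefix.
render_npf() {
    case $1 in
        lo0|'') echo "render_npf: need a non-lo0 interface" >&2; return 1 ;;
    esac
    # Placeholders @EXT_IF@ and @EXT_ADDR@ are this example's own convention.
    sed -e "s|@EXT_IF@|$1|g" -e "s|@EXT_ADDR@|$2|g" <<'EOF'
$ext_if = "@EXT_IF@"
$ext_addr = { @EXT_ADDR@ }

group default {
        block all apply "log"
        pass final on lo0 all
        # allow a few specific inbound things (per-host table would go here)
        pass stateful out all
}
EOF
}

# Assumed use on a NetBSD host (not executed here):
#   render_npf "$(non_lo0_ifs "$(ifconfig -lu)" | cut -d' ' -f1)" 10.0.0.2/24 > /etc/npf.conf
#   npfctl validate /etc/npf.conf
```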