Help npf, only one port opened, but several expected.

To: netbsd-users <netbsd-users%netbsd.org@localhost>
Subject: Help npf, only one port opened, but several expected.
From: Luis Mendes <luisvmendes%yandex.com@localhost>
Date: Mon, 22 Sep 2025 00:15:35 +0100

Hi,

## Issue nr 1
I was expecting to have several ports open in my SOHO router/firewall, but a scan from an outside host showed only port 11110 to be opened:

$ sudo masscan -p1-65535,U1:65535 9.8.7.6 --rate=1000 -e eth0
Starting masscan 1.3.9-integration at 2025-09-21 22:38:41 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 11110/tcp on 9.8.7.6


## Issue nr 2

I need to open ports 500 and 4500 on udp, and also proto 50 to a corporate laptop do connect to Forticlient vpn server.
In OpenBSD's pf, that was accomplished with these rules:
pass in on re0 inet proto udp from any port = 500 to 192.168.1.12
pass in on re0 inet proto udp from any port = 4500 to 192.168.1.12
pass in on re0 inet proto esp from any to 192.168.1.12

Are the below rules id=4,5 similar?


## Issue nr 3
If you have suggestions to improve the rules, I'm all ears.


## the npf rules:


# npfctl show
# filtering:	active
# config:	loaded

table <int-block> type lpm

procedure "log"

map re0 dynamic any -> ifaddrs(re0) pass family inet4 from 192.168.1.0/24 # id="1" 

group "external" on re0 { # id="1" 
	block in all apply "log" # id="2" 
	pass stateful out final all # id="3" 
	pass in final family inet4 proto udp from any port { 500, 4500 } to 192.168.1.12 port { 500, 4500 } # id="4" 
	pass in final family inet4 proto 50 to 192.168.1.12 # id="5" 
	pass stateful in final family inet4 proto tcp flags S/FSRA to ifaddrs(re0) port 11110 # id="6" 
	pass stateful in final proto tcp flags S/FSRA to ifaddrs(re0) port { 80, 443, 25, 53 } # id="7" 
	pass stateful in final proto udp to ifaddrs(re0) port { 53, 123 } # id="8" 
	pass stateful in final proto { tcp, udp } flags S/FSRA to ifaddrs(re0) port 11111 # id="9" 
	pass in final proto tcp to any port 21 # id="a" 
	pass in final proto tcp to any port 20 # id="b" 
}

group "internal" on wm0 { # id="c" 
	pass in final family inet4 from 192.168.1.0/24 # id="d" 
	pass out final all # id="e" 
}

group default { # id="f" 
	pass final on lo0 all # id="10" 
}


Thank you,


Luís Mendes

Follow-Ups:
- Re: Help npf, only one port opened, but several expected.
  - From: Michael van Elst

Prev by Date: Re: /dev/ulpt0 printing [solved]
Next by Date: Re: /dev/ulpt0 printing [solved]
Previous by Thread: /dev/ulpt0 printing
Next by Thread: Re: Help npf, only one port opened, but several expected.
Indexes:

Home | Main Index | Thread Index | Old Index