tech-net archive
NPF issues
Got a couple of issues with NPF on my 8.1-STABLE firewall system:
Problem 1
RST frames generated by:
block return-icmp in final proto udp to any apply "log"
in the external group get blocked by
block all apply "log"
in the default group.
Problem 2
icmp and icmpv6 frames traverse the firewall but are dropped by the
final destination host. In particular traceroute and traceroute6
responses.
The drop reason as reported by netstat -p icmp on the final host is
invalid checksum. An additional oddity is that I don't think icmpv6
frames were allowed in at all (ie they were ignored by alg-icmp) until I
added:
pass in final proto ipv6-icmp all
Doing the same traceroutes on the NPF host itself and the responses
arrive fine. So it's something to do with how NPF is delivering them on
the internal interface.
Firewall interfaces are:
wm0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
capabilities=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
capabilities=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
capabilities=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
enabled=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
enabled=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
enabled=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
ec_enabled=0
address: 00:0d:b9:4a:72:30
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 192.168.1.9/24 broadcast 192.168.1.255 flags 0x0
inet6 fe80::20d:b9ff:fe4a:7230%wm0/64 flags 0x0 scopeid 0x1
inet6 2001:8b0:84:1::1/64 flags 0x0
wm2: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1508
capabilities=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
capabilities=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
capabilities=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
enabled=7ff80<TSO4,IP4CSUM_Rx,IP4CSUM_Tx,TCP4CSUM_Rx>
enabled=7ff80<TCP4CSUM_Tx,UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx>
enabled=7ff80<TCP6CSUM_Tx,UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
ec_enabled=0
address: 00:0d:b9:4a:72:32
media: Ethernet autoselect (1000baseT full-duplex,flowcontrol,master,rxpause,txpause)
status: active
inet 192.168.2.10/24 broadcast 192.168.2.255 flags 0x0
inet6 fe80::20d:b9ff:fe4a:7232%wm2/64 flags 0x0 scopeid 0x3
pppoe0: flags=0x8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
status: active
inet 81.187.216.64/32 -> 81.187.81.187 flags 0x0
inet6 2001:8b0:84:1::1/64 -> flags 0x0
inet6 fe80::20d:b9ff:fe4a:7230%pppoe0/64 -> flags 0x0 scopeid 0x5
npflog0: flags=0x1<UP>
npf.conf (with a few "pass stateful in" rules removed)
$external = "pppoe0"
$external_v4 = inet4(pppoe0)
$external_v6 = inet6(pppoe0)
$internal = "wm0"
alg "icmp"
procedure "log" {
log: npflog0
}
######################################################
# Service groups
#
$out_leaks = { 135, 137, 138, 139, 445 }
$localnet_v4 = { 192.168.1.0/24 }
$localnet_v6 = { 2001:8b0:84:1::/64 }
######################################################
# Nat rules
#
# Bidirectional maps for hosts visible externally
map $external dynamic 192.168.1.1 <-> 81.187.216.82
map $external dynamic 192.168.1.2 <-> 81.187.216.83
map $external dynamic 192.168.1.5 <-> 81.187.216.84
# Map for outgoing connections for the rest of the internal network
map $external dynamic $localnet_v4 -> $external_v4
######################################################
# External interface
#
group "external" on $external {
ruleset "blacklistd"
block in all apply "log" # catch all. If nothing else matches
# Outgoing block to stop dataleakage from windows protocols
block out final to any port $out_leaks
# Outgoing traffic we want to be stateful
# pass stateful out final all
pass stateful out final proto tcp all
pass stateful out final proto udp all
pass stateful out final proto icmp all
pass stateful out final proto ipv6-icmp all
pass in final proto ipv6-icmp all
# Ping
pass stateful in final family inet4 proto icmp icmp-type echo to any
# XXX NPF bug. It makes type 8 ping but it's type 128 for v6
# SSH any host
pass stateful in final proto tcp to any port 22
# Incoming blocks
block return-rst in final proto tcp flags S/SFRA to any apply "log"
block return-icmp in final proto udp to any apply "log"
}
######################################################
# Internal interface
#
group "internal" on $internal {
pass final all
}
group default {
pass final on lo0 all
pass final on wm2 all
block all apply "log"
}
Mike
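The "invalid checksum" drop reported in Problem 2 is easiest to pin down by capturing the ICMP replies on both sides of the firewall (tcpdump -w on wm0 and again on the destination host) and recomputing the checksum yourself. The script below is an added example, not code from the post or from NPF: it recomputes ICMPv4 and ICMPv6 checksums over raw IP packets and classifies a mismatch. The packets it feeds itself are constructed inline (addresses borrowed from the poster's subnets), not captured traffic, and the two failure classes it singles out, a checksum left at zero because it was deferred to NIC offload and never filled in, and an ICMPv6 checksum computed without the IPv6 pseudo-header, are common causes in general, not a diagnosis of this particular NPF setup.

```python
"""Recompute and classify ICMP/ICMPv6 checksums on raw IP packets.

Added example for the checksum report above; not from the original post
or from NPF. Sample packets are constructed below, not captured.
"""
import ipaddress
import struct

ICMPV4 = 1   # IPv4 protocol number for ICMP
ICMPV6 = 58  # IPv6 next-header value for ICMPv6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _zero_csum(icmp: bytes) -> bytes:
    """Copy of an ICMP message with its checksum field cleared."""
    return icmp[:2] + b"\x00\x00" + icmp[4:]


def icmpv4_checksum(icmp: bytes) -> int:
    """ICMPv4 checksum covers only the ICMP message; no IP pseudo-header."""
    return internet_checksum(_zero_csum(icmp))


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """ICMPv6 checksum (RFC 4443 s2.3) also covers the IPv6 pseudo-header:
    src, dst, 32-bit upper-layer length, three zero bytes, next header 58."""
    pseudo = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6])
    return internet_checksum(pseudo + _zero_csum(icmp))


def split_packet(pkt: bytes):
    """Return (family, src, dst, icmp_bytes) for an IPv4/IPv6 packet carrying
    ICMP directly. IPv6 extension headers and fragments are not handled."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[2:4])[0]
        if pkt[9] != ICMPV4:
            raise ValueError("IPv4 packet is not ICMP")
        return 4, pkt[12:16], pkt[16:20], pkt[ihl:total_len]
    if version == 6:
        plen = struct.unpack("!H", pkt[4:6])[0]
        if pkt[6] != ICMPV6:
            raise ValueError("IPv6 packet is not ICMPv6 (extension headers unsupported)")
        return 6, pkt[8:24], pkt[24:40], pkt[40:40 + plen]
    raise ValueError("unknown IP version %d" % version)


def diagnose(pkt: bytes) -> str:
    """Classify the ICMP checksum of one raw IP packet.

    'ok'            stored checksum matches the recomputed one
    'zero'          stored checksum is 0: typically deferred to NIC offload
                    and never filled in (the packet left by another path)
    'no-pseudo-hdr' ICMPv6 checksum equals an ICMPv4-style checksum computed
                    without the IPv6 pseudo-header
    'bad'           wrong for some other reason (corruption, NAT rewrite, ...)
    """
    family, src, dst, icmp = split_packet(pkt)
    stored = struct.unpack("!H", icmp[2:4])[0]
    expected = icmpv4_checksum(icmp) if family == 4 else icmpv6_checksum(src, dst, icmp)
    if stored == expected:
        return "ok"
    if stored == 0:
        return "zero"
    if family == 6 and stored == icmpv4_checksum(icmp):
        return "no-pseudo-hdr"
    return "bad"


def build_icmp_echo_reply(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an IPv4 or IPv6 echo reply with a correct ICMP checksum
    (constructed test input; hop limit/TTL 64, no options)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        icmp = struct.pack("!BBHHH", 0, 0, 0, ident, seq) + payload      # type 0 = echo reply
        icmp = icmp[:2] + struct.pack("!H", icmpv4_checksum(icmp)) + icmp[4:]
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, ICMPV4, 0, s.packed, d.packed)
        hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]  # IPv4 header checksum
        return hdr + icmp
    icmp = struct.pack("!BBHHH", 129, 0, 0, ident, seq) + payload        # type 129 = echo reply
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(s.packed, d.packed, icmp)) + icmp[4:]
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), ICMPV6, 64, s.packed, d.packed)
    return hdr + icmp


def set_icmp_checksum(pkt: bytes, value: int) -> bytes:
    """Overwrite the ICMP checksum field; used here to fabricate broken packets."""
    off = ((pkt[0] & 0x0F) * 4 if pkt[0] >> 4 == 4 else 40) + 2
    return pkt[:off] + struct.pack("!H", value) + pkt[off + 2:]


if __name__ == "__main__":
    # Constructed samples using the poster's subnets; not real captures.
    v4 = build_icmp_echo_reply("192.168.1.9", "192.168.1.5", 0x1234, 1, b"traceroute")
    v6 = build_icmp_echo_reply("2001:8b0:84:1::1", "2001:8b0:84:1::5", 0x1234, 1, b"traceroute6")
    v6_icmp = split_packet(v6)[3]
    for name, p in [("v4 good", v4), ("v6 good", v6),
                    ("v4 csum=0", set_icmp_checksum(v4, 0)),
                    ("v6 v4-style", set_icmp_checksum(v6, icmpv4_checksum(v6_icmp)))]:
        print("%-12s %s" % (name, diagnose(p)))
```

To run this against real traffic, read the frames out of a pcap (dpkt or scapy, not shown here), strip the Ethernet header and hand the IP bytes to diagnose(). Capture on the receiving host rather than on the sender: with checksum offload enabled, tcpdump on the sending machine sees outgoing packets before the NIC stamps them and reports "bad cksum" on packets that are correct on the wire, which is exactly the condition the 'zero' class is meant to spot.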