tech-net archive


npf questions/experience migrating from ipf on NetBSD8



> I decided to dig into replacing my ipnat/ipf ruleset with npf for my
> home router/firewall/nameserver/webserver so I can migrate from
> NetBSD 8 --> NetBSD 9 with less pain/fear...
> Started with soho_gw-npf.conf from /usr/share/examples/npf/
>
> amd64 NetBSD 8_stable (quad xeon, plenty of ram, raidframe root)

So far,

suspect that the validate error is known since there are now parameters
(npf-param) that can be tweaked in NetBSD 9 for portmapping ranges...

received thoughtful advice on filtering rules, so will start out less
restrictive just to get an operable setup...

Things not well documented about npf that I think I have learned?
In addition to the man pages and npf documentation at:
http://rmind.github.io/npf/extensions.html
I found this link which gave a couple of clues
https://pub.nethence.com/bsd/npf
but not all...
Is there someplace else I should be looking?

1) In NetBSD 8 (probably 9?), need to modify the GENERIC
   kernel to include(uncomment):
     pseudo-device   npf             # NPF packet filter
     pseudo-device   bpfilter        # Berkeley packet filter
   Should this be listed somewhere?
   Probably in "The Guide" update for npf?
2) Looks like we ought to be clear what sysctl variables need
   to be set to what...
   For my ipf setup, already had:
     net.inet.ip.forwarding=1
   Do I also need:
     kern.securelevel=0  ?
3) At a minimum will want to add in rc.conf or rc.local:
   npf=YES (disable the ipf stuff with NO for testing)
   anything else in here? npfd or some logging daemon?
4) What do I need to do to enable logging in npf? I can see the
   directives in the example config file, but no logs
   seem to be written?
   Would like a log like I get with ipf with action/rule/addresses in
   human readable form.

After recompiling a GENERIC NetBSD8_Stable kernel with npf pseudo-device,
I could ping the internet from the console, but not from machines attached
to my lan...
Here are some diagnostics...

# npfctl show
# filtering:    active
# config:       loaded

procedure "log"

map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"

group "external" on wm0 # id="1"
        pass stateful out final flags S/FSRA # id="2"
        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 9030, port 9001 } # id="3"
        pass out final family inet4 proto tcp from 10.1.10.10 { port 9030, port 9001 } # id="4"
        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 22, port 115 } apply "log" # id="5"
        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 80, port 443, port 25, port 53 } # id="6"
        pass stateful in final family inet4 proto udp to 10.1.10.10 { port 53, port 123 } # id="7"
        pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 port 49151:65535 # id="8"
        pass stateful in final family inet4 proto udp to 10.1.10.10 port 33434:33600 # id="9"

group "internal" on bge0 # id="a"
        pass stateful in final family inet4 flags S/FSRA from 192.168.1.0/24 # id="b"
        pass out final family inet4 to 192.168.1.0/24 # id="c"
        pass out all apply "log" # id="d"
        pass stateful in flags S/FSRA apply "log" # id="e"

group # id="f"
        pass final on lo0 all # id="10"
        block all # id="11"

# npfctl stats
Packets passed:
        0 default pass
        14654 ruleset pass
        13798 state pass
Packets blocked:
        0 default block
        585 ruleset block
State and NAT entries:
        17482 state allocations
        17234 state destructions
        0 NAT entry allocations
        0 NAT entry destructions
Network buffers:
        0 non-contiguous cases
        0 contig alloc failures
Invalid packet state cases:
        0 cases in total
        0 TCP case I
        0 TCP case II
        0 TCP case III
Packet race cases:
        0 NAT association race
        14166 duplicate state race
Fragmentation:
        0 fragments
        0 reassembled
        0 failed reassembly
Other:
        0 unexpected errors
# npfctl list
     From address:port          To address:port
     192.168.1.63:59296         89.187.183.151:51820
     192.168.1.34:21754         192.155.71.16:1121
     10.1.10.10:65533           198.41.0.4:53
     10.1.10.10:65534           198.41.0.4:53
     192.168.1.2:49902          172.217.0.3:443
     192.168.1.2:49901          172.217.0.3:443
     192.168.1.2:49904          172.217.4.46:443
 [many more entries in the list]
It looks like connections are being established, just not connected and
routed to my lan somehow...?

I tried to ping from a Win10 console and the response was that
google.com/anything else was unreachable...
And yes, my internal interface was reachable (192.168.1.1)...

Comments/pointers welcome...
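As an added illustration (not part of the post above, and not NetBSD or npf project code), the script below cross-checks the three npfctl outputs quoted in the message. It parses `npfctl stats` into counters, pulls the `map` rules out of `npfctl show`, and reads the `npfctl list` state table, then reports when a map rule is configured yet the "NAT entry allocations" counter has stayed at zero while packets are passing, which is the one number in the quoted diagnostics that says the translation never fired. The sample outputs are transcribed from the post; the regular expressions assume the line formats shown there, and the script uses only the Python 3 standard library.

```python
"""Cross-check npfctl show / stats / list output for a NAT rule that never fires."""
import ipaddress
import re

# Constructed samples, transcribed from the npfctl output quoted in the post.
SHOW_OUTPUT = """\
procedure "log"

map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"

group "external" on wm0 # id="1"
        pass stateful out final flags S/FSRA # id="2"
group "internal" on bge0 # id="a"
        pass stateful in final family inet4 flags S/FSRA from 192.168.1.0/24 # id="b"
"""

STATS_OUTPUT = """\
Packets passed:
        0 default pass
        14654 ruleset pass
        13798 state pass
Packets blocked:
        0 default block
        585 ruleset block
State and NAT entries:
        17482 state allocations
        17234 state destructions
        0 NAT entry allocations
        0 NAT entry destructions
"""

# npfctl list prints a "From address:port" and a "To address:port" column.
LIST_OUTPUT = """\
    From address:port      To address:port
    192.168.1.63:59296     89.187.183.151:51820
    192.168.1.34:21754     192.155.71.16:1121
    10.1.10.10:65533       198.41.0.4:53
    192.168.1.2:49902      172.217.0.3:443
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
MAP_RE = re.compile(
    r"^map\s+(\S+)\s+(static|dynamic)\s+\S+\s+->\s+(\S+)\s+.*?\bfrom\s+(\S+)")
ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_stats(text):
    """Map every 'N label' line of `npfctl stats` to {label: N}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def find_map_rules(text):
    """Return (interface, mode, translated address, source prefix) per map rule."""
    rules = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3),
                          ipaddress.ip_network(m.group(4))))
    return rules


def parse_list(text):
    """Return (src_ip, src_port, dst_ip, dst_port) per `npfctl list` state entry."""
    entries = []
    for line in text.splitlines():
        ends = ENDPOINT_RE.findall(line)
        if len(ends) == 2:  # header line has no addresses and is skipped
            (sip, sp), (dip, dp) = ends
            entries.append((ipaddress.ip_address(sip), int(sp),
                            ipaddress.ip_address(dip), int(dp)))
    return entries


def diagnose(show_text, stats_text, list_text):
    """Cross-check the three outputs; return a list of findings (empty = nothing odd)."""
    findings = []
    stats = parse_stats(stats_text)
    entries = parse_list(list_text)
    nat_allocs = stats.get("NAT entry allocations", 0)
    passed = stats.get("ruleset pass", 0) + stats.get("state pass", 0)
    for iface, mode, taddr, src_net in find_map_rules(show_text):
        # Flows tracked in the state table that start inside the map's source prefix
        lan_flows = [e for e in entries if e[0] in src_net and e[2] not in src_net]
        if nat_allocs == 0 and passed > 0:
            findings.append(
                f"map on {iface} ({mode}, {src_net} -> {taddr}) has never allocated a "
                f"NAT entry although {passed} packets passed and {len(lan_flows)} tracked "
                f"flows originate in {src_net}: that traffic is not being translated")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_OUTPUT, STATS_OUTPUT, LIST_OUTPUT) or ["no findings"]:
        print(finding)
```

Run it as-is against the transcribed samples, or feed it the live text of `npfctl show`, `npfctl stats` and `npfctl list` from the router; a non-empty result from `diagnose` means the map rule and the counters disagree and the NAT configuration, not the LAN side, is the place to look first.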



