I've been using pf for a long time, and I'm trying to convert to npf.

During testing (netbsd-7 from nyftp this month, vm on VMWare Fusion), I
found something that looks like a problem but I'm not sure. I'm using a
very stripped-down version of the soho example config file in
/usr/share/examples/npf:

# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = { inet4(wm0), inet6(wm0) }

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 192.168.224.0/24 }

procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    pass stateful out final all
    block in final from 0.0.0.0/0
    pass stateful in from any
}

group default {
    pass final on lo0 all
    block all
}

It's the line "block in final from 0.0.0.0/0" that seems to be the problem.
I get this:

virtualnetbsd# /etc/rc.d/npf restart
Disabling NPF.
Enabling NPF.
npfctl: npfctl_config_send: Input/output error

If I change 0.0.0.0/0 to 192.168.224.0/24 or $localnet or some IP or
network and restart npf, it works as expected (it blocks me from trying to
ssh in from the host if the rule matches, or not if the rule doesn't match).

Why is 0.0.0.0/0 invalid?

Andy