Hello, I have a minimal npf installation on a host which works fine, but now I want to move my router to netbsd-7 with npf. After some trial and error I realize I need some assistance.
The basic layout is:

- re0 is the external connection to the ISP. The IP is assigned using dhcpcd.
- wm0; 192.168.72.0/24 network
- wm1; 192.168.92.0/24 network
- wm2; 192.168.124.0/24 network

What I want to accomplish is to allow incoming ssh on re0, but that's the only allowed incoming connection. All the systems on the wm0, wm1 and wm2 networks should be able to make NAT'ed external connections through re0.

The configuration I have allows the wm{0,1,2} systems to access the router (nslookup, ping, ssh), but they cannot make external connections.

---------------------------------------
$ext_if = "re0"
$ext_v4 = inet4(re0)
$int_if = "wm0"
$media_if = "wm1"
$wifi_if = "wm2"

$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }

map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	#ruleset "blacklistd"

	# Allow DHCP requests (even to reserved addresses).
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc

	# Allow DNS queries
	pass stateful out final proto udp to any port domain

	# Block IANA-reserved addresses from entering or exiting
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"

	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all

	# Prevent IP spoofing attacks on the firewall
	block in final from 127.0.0.1 apply "log"

	# Services
	pass in final proto tcp to any port ssh apply "log"

	# Only allow selected ICMP types
	pass in final proto icmp icmp-type echo all apply "log"
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	pass final all apply "log"
}

group "media" on $media_if {
	# Pass everything to media networks,
	pass final all apply "log"
}

group "wifi" on $wifi_if {
	# Pass everything to wifi networks,
	pass final all apply "log"
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all

	# Block everything by default.
	block final all apply "log"
}
---------------------------------------

In addition to not being able to make outbound connections from the systems on the wm* interfaces, the router cannot be pinged from the Internet (using a laptop+mobile). (No logs are generated on npflog0 when I try to ping the router.)

... help?

-- 
Kind regards,
Jan Danielsson
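A small consistency check for the NAT part of a configuration like the one above, added here as an example and not part of the original post: it parses the macros and `map ... dynamic` rules from an excerpt of the posted npf.conf (embedded as a constructed string) and reports any internal network that has no dynamic NAT map on the external interface, plus any mapped source range that is not inside `$private_addr`. The `INTERNAL_NETS` table is taken from the layout described in the post; `parse_conf` and `check_nat` are names chosen for this example.

```python
import ipaddress
import re

# Constructed excerpt of the posted npf.conf: only the macros and map rules.
NPF_CONF = """
$ext_if = "re0"
$ext_v4 = inet4(re0)
$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4
"""

# Internal interfaces and the networks behind them, as described in the post.
INTERNAL_NETS = {"wm0": "192.168.72.0/24", "wm1": "192.168.92.0/24", "wm2": "192.168.124.0/24"}

MACRO_RE = re.compile(r'^\$(\w+)\s*=\s*(.+)$')
MAP_RE = re.compile(r'^map\s+(\S+)\s+dynamic\s+(\S+)\s*->\s*(\S+)$')


def parse_conf(text):
    """Return (macros, maps): macro name -> raw value, and a list of
    (interface, source network, translation address) tuples with $macros expanded."""
    macros, maps = {}, []

    def expand(tok):
        return macros.get(tok[1:], tok) if tok.startswith('$') else tok

    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = MAP_RE.match(line)
        if m:
            maps.append(tuple(expand(t) for t in m.groups()))
    return macros, maps


def check_nat(text, internal_nets, ext_if):
    """Report internal networks lacking a dynamic NAT map on ext_if, and mapped
    source ranges that fall outside the $private_addr set."""
    macros, maps = parse_conf(text)
    private = [ipaddress.ip_network(p.strip())
               for p in macros.get("private_addr", "").strip("{} ").split(',') if p.strip()]
    mapped = {ipaddress.ip_network(src) for iface, src, _ in maps if iface == ext_if}
    missing = [iface for iface, net in internal_nets.items()
               if ipaddress.ip_network(net) not in mapped]
    non_private = sorted(str(n) for n in mapped if not any(n.subnet_of(p) for p in private))
    return {"missing_nat": missing, "non_private_sources": non_private}
```

Running `check_nat(NPF_CONF, INTERNAL_NETS, "re0")` on the posted rules returns empty lists for both keys, so the three subnets are all covered; a fourth internal interface added to the table without a matching `map` shows up under `missing_nat`.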