Re: pf -> npf

2016-10-23 Thread coypu
Did you remember
sysctl net.inet.ip.forwarding=1 (Also inet6.ip6)?


pf -> npf

2016-10-23 Thread Jan Danielsson
Hello,

   I have a minimal npf installation on a host which works fine, but now
I want to move my router to netbsd-7 with npf.  After some trial and
error I realize I need some assistance.

   The basic layout is:
   - re0 is the external connection to the ISP.  The IP is assigned
using dhcpcd.
   - wm0; 192.168.72.0/24 network
   - wm1; 192.168.92.0/24 network
   - wm2; 192.168.124.0/24 network

   What I want to accomplish is to allow incoming ssh on re0, but that's
the only allowed incoming connection.  All the systems on the wm0, wm1
and wm2 networks should be able to make NAT'ed external connections
through re0.

   The configuration I have allows the wm{0,1,2} systems to access the
router (nslookup, ping, ssh), but they cannot make external connections.

---
$ext_if = "re0"
$ext_v4 = inet4(re0)

$int_if = "wm0"
$media_if = "wm1"
$wifi_if = "wm2"

$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4

procedure "log" {
log: npflog0
}


group "external" on $ext_if {
#ruleset "blacklistd"

# Allow DHCP requests (even to reserved addresses).
pass out final proto udp from any port bootpc to any port bootps
pass in final proto udp from any port bootps to any port bootpc
pass in final proto udp from any port bootps to 255.255.255.255 port bootpc

# Allow DNS queries
pass stateful out final proto udp to any port domain

# Block IANA-reserved addresses from entering or exiting
block in final from $private_addr apply "log"
block out final to $private_addr apply "log"

pass stateful out final proto tcp all
pass stateful out final proto udp all
pass stateful out final proto icmp all

# Prevent IP spoofing attacks on the firewall
block in final from 127.0.0.1 apply "log"

# Services
pass in final proto tcp to any port ssh apply "log"

# Only allow selected ICMP types
pass in final proto icmp icmp-type echo all apply "log"
pass in final proto icmp icmp-type timxceed all
pass in final proto icmp icmp-type unreach all
pass in final proto icmp icmp-type echoreply all
pass in final proto icmp icmp-type sourcequench all
pass in final proto icmp icmp-type paramprob all
pass in final proto ipv6-icmp all
}

group "internal" on $int_if {
# Pass everything to internal networks.
pass final all apply "log"
}

group "media" on $media_if {
# Pass everything to media networks.
pass final all apply "log"
}

group "wifi" on $wifi_if {
# Pass everything to wifi networks.
pass final all apply "log"
}

group default {
# Loopback interface should allow packets to traverse it.
pass final on lo0 all

# Block everything by default.
block final all apply "log"
}
---

   In addition to not being able to make outbound connections from the
systems on the wm* interfaces, the router cannot be pinged from the
Internet (using a laptop+mobile) (no logs are generated on npflog0 when
I try to ping the router).

   ... help?

-- 
Kind regards,
Jan Danielsson
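As an added example (not code from the thread), a small Python lint over a constructed excerpt of the config above: it checks that every internal subnet from the layout has a dynamic NAT map on the external interface, that the external group passes TCP/UDP/ICMP out statefully so NAT'ed replies can return, and parses `sysctl net.inet.ip.forwarding` output for the forwarding check raised in the reply. The excerpt, the function names and the assumption that map rules name the interface by its `$ext_if` variable (no npf variable expansion) are mine.

```python
import re

# Constructed excerpt of the npf.conf from the post above (not the full file).
NPF_CONF = """\
$ext_if = "re0"
$ext_v4 = inet4(re0)
map $ext_if dynamic 192.168.72.0/24 -> $ext_v4
map $ext_if dynamic 192.168.92.0/24 -> $ext_v4
map $ext_if dynamic 192.168.124.0/24 -> $ext_v4
group "external" on $ext_if {
pass stateful out final proto tcp all
pass stateful out final proto udp all
pass stateful out final proto icmp all
pass in final proto tcp to any port ssh apply "log"
}
"""

# Internal networks as given in the post's layout: interface -> subnet.
INTERNAL_NETS = {"wm0": "192.168.72.0/24", "wm1": "192.168.92.0/24",
                 "wm2": "192.168.124.0/24"}

# Assumption: map rules refer to the external interface by its $variable.
MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+dynamic\s+(\S+)\s+->\s+(\S+)")
STATEFUL_OUT_RE = re.compile(r"^\s*pass\s+stateful\s+out\b.*\bproto\s+(\S+)")

def unmapped_networks(conf, nets, ext_if="$ext_if"):
    """Internal subnets with no dynamic NAT map on the external interface."""
    mapped = set()
    for line in conf.splitlines():
        m = MAP_RE.match(line)
        if m and m.group(1) == ext_if:
            mapped.add(m.group(2))
    return sorted(net for net in nets.values() if net not in mapped)

def stateful_out_protos(conf, group="external"):
    """Protocols the group passes out statefully, so NAT'ed replies can return."""
    protos, inside = set(), False
    for line in conf.splitlines():
        if line.startswith(f'group "{group}"'):
            inside = True
        elif inside and line.strip() == "}":
            break
        elif inside and (m := STATEFUL_OUT_RE.match(line)):
            protos.add(m.group(1))
    return protos

def forwarding_enabled(sysctl_output):
    """True when `sysctl net.inet.ip.forwarding` output reports the value 1."""
    m = re.search(r"net\.inet\.ip\.forwarding\s*=\s*(\d+)", sysctl_output)
    return m is not None and m.group(1) == "1"
```

Feed it the real `/etc/npf.conf` and the output of `sysctl net.inet.ip.forwarding` on the router; an empty unmapped list, all three protocols, and forwarding enabled are the preconditions the thread's symptoms point at.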