Re: npf syntax: port ranges, negation of a condition, and map rules
On Oct 29 10:16, Michael van Elst wrote:
> The "port forwarding case" only handles single ports. You need
> separate map commands for each port.

After several errors, I was wondering in fact if this was the reason. Thanks for clarifying this!

Rocky
Re: npf syntax: port ranges, negation of a condition, and map rules
rockyho...@firemail.cc (Rocky Hotas) writes:

> In particular, for example,
>
> map $myif dynamic proto tcp $myhost port 33434-33435 <- $myif port 55000-55001
>
> doesn't work:
>
> # npfctl reload
> /etc/npf.conf:41:92: port range is not valid near '55001'

The "port forwarding case" only handles single ports. You need
separate map commands for each port.

-- 
Michael van Elst
Internet: mlel...@serpens.de
                "A potential Snark may lurk in every tree."
Re: npf syntax: port ranges, negation of a condition, and map rules
On Oct 28 12:22, Martin Husemann wrote:
> There is an example in /usr/share/examples/npf/host-npf.conf:
>
> # Allow being tracerouted
> pass in proto udp to any port 33434-33600

This is a single use (but thanks! I forgot this example file). My case is double, because I would like to map a port range into another port range (both ranges contain the same number n of ports).

> > but none of them seems to work in
> >
> > map $myif dynamic proto tcp $myhost port XXX <- $myif port XXX

In particular, for example,

map $myif dynamic proto tcp $myhost port 33434-33435 <- $myif port 55000-55001

doesn't work:

# npfctl reload
/etc/npf.conf:41:92: port range is not valid near '55001'

Replacing 55000-55001 with a single port or with 33434-33435 themselves gives the same error.

Rocky
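The two messages above (Rocky's failing range-to-range map rule and Michael van Elst's answer that port forwarding only takes single ports) boil down to a mechanical workaround: emit one map rule per port, pairing each internal port with the matching external one. The script below is an added example written for this thread, not code from the thread or from NetBSD; the interface and host variables ($myif, $myhost) and the port numbers are the ones from Rocky's message, and the function names are invented here. It assumes the single-port form `map IF dynamic proto tcp HOST port N <- IF port M` shown in the thread.

```shell
#!/bin/sh
# Added example: expand a "map" over a port range into the one-port-per-rule
# form NPF's port forwarding accepts. Not part of the original thread;
# $myif/$myhost and the ports come from Rocky's message, names are our own.

# gen_map_rules IF HOST FIRST_INT LAST_INT FIRST_EXT
#   Prints one "map ... <- ..." rule per port. Internal ports
#   FIRST_INT..LAST_INT are paired with external ports starting at
#   FIRST_EXT, so both ranges have the same length n.
gen_map_rules() {
    ifname=$1; host=$2; int_first=$3; int_last=$4; ext_first=$5

    # Refuse an empty or inverted range rather than silently emitting nothing.
    if [ "$int_first" -gt "$int_last" ]; then
        echo "gen_map_rules: empty range $int_first-$int_last" >&2
        return 1
    fi
    # Refuse an external range that would run past the last valid port.
    if [ $((ext_first + int_last - int_first)) -gt 65535 ]; then
        echo "gen_map_rules: external range overflows port 65535" >&2
        return 1
    fi

    p=$int_first
    while [ "$p" -le "$int_last" ]; do
        ext=$((ext_first + p - int_first))
        printf 'map %s dynamic proto tcp %s port %d <- %s port %d\n' \
            "$ifname" "$host" "$p" "$ifname" "$ext"
        p=$((p + 1))
    done
}

# count_map_rules: same arguments; returns how many rules would be emitted,
# handy for confirming the range length before touching /etc/npf.conf.
count_map_rules() {
    gen_map_rules "$@" | wc -l | tr -d ' '
}

# Typical use: append the rules to the config, then validate before reloading:
#   gen_map_rules '$myif' '$myhost' 33434 33435 55000 >> /etc/npf.conf
#   npfctl validate && npfctl reload
gen_map_rules '$myif' '$myhost' 33434 33435 55000
```

Single quotes around `'$myif'` and `'$myhost'` keep the shell from expanding them, so the emitted rules still reference the npf.conf variables. Run `npfctl validate` on the result before `npfctl reload`, since a range that only the generator accepts (for example one that overflows 65535) would otherwise surface only at reload time.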
Re: npf syntax: port ranges, negation of a condition, and map rules
On Wed, Oct 28, 2020 at 12:16:36PM +0100, Rocky Hotas wrote:
> 1) How to represent port ranges? I tried with
>
> beginning_port:end_port (which for example is used in OpenBSD's pf)
> beginning_port,end_port
> beginning_port-end_port
>
> $port_range = { beginning_port, end_port }
>
> but none of them seems to work in

There is an example in /usr/share/examples/npf/host-npf.conf:

# Allow being tracerouted
pass in proto udp to any port 33434-33600

Martin
Re: NPF syntax
On 3/17/15 6:34 PM, Mindaugas Rasiukevicius wrote:

Hi, Mindaugas. First, let me say thank you for your excellent work on NPF!

> D'Arcy J.M. Cain da...@netbsd.org wrote:
> > I have decided to give up on pf after banging my head against the wall
> > (and the OBSD mailing list) and try npf but I can't figure out the
> > syntax. I followed the example at http://www.netbsd.org/~rmind/npf/ but
> > I keep getting errors when I validate. I reduced npf.conf to the
> > following two lines:
>
> It looks like you are using the netbsd-6. The documentation is for the
> netbsd-7/current. NPF in netbsd-6 does not support table naming so you
> have to use numbers. It does not autoload ALGs, so you can skip that
> line and modload npf_alg_icmp manually.

Is there ~rmind/npf documentation for NPF in NetBSD 6? I've run into the same problem when trying to learn NPF and finding that the documentation did not apply to what I had (netbsd-6 stable branch). I ended up using the ~rmind/npf documentation along with the man pages from netbsd-6 to figure out what parts of ~rmind/npf did not apply to netbsd-6 or had been renamed, etc.

> NPF in netbsd-6 is very old by now; netbsd-7 has many fixes as well as
> improvements and I strongly recommend to use that.

I can certainly understand that, but NetBSD 7 has not been released yet. It doesn't seem reasonable to expect people to run -current or 7.0_BETA in production.

Regards,
Lewis
Re: NPF syntax
D'Arcy J.M. Cain wrote:
> On Mon, 16 Mar 2015 20:37:16 +0100
> rudolf net...@eq.cz wrote:
> > Are you using an older version of NPF? This seems like 3) in this
> > email from two years ago:
> > https://mail-index.netbsd.org/netbsd-users/2013/04/13/msg012733.html
>
> I am running NetBSD 6.1.5_PATCH. I guess that doesn't have the most
> current version.

The src/sys/net/npf/npf_tableset.c is in the netbsd-6 branch in version 1.9.2.8 (2013/02/11). IIUC, you'll need at least 1.19 (2013/11/12, ``add support for table naming'') for this functionality?

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/net/npf/npf_tableset.c

r.
Re: NPF syntax
D'Arcy J.M. Cain da...@netbsd.org wrote:
> I have decided to give up on pf after banging my head against the wall
> (and the OBSD mailing list) and try npf but I can't figure out the
> syntax. I followed the example at http://www.netbsd.org/~rmind/npf/ but
> I keep getting errors when I validate. I reduced npf.conf to the
> following two lines:

It looks like you are using the netbsd-6. The documentation is for the netbsd-7/current. NPF in netbsd-6 does not support table naming so you have to use numbers. It does not autoload ALGs, so you can skip that line and modload npf_alg_icmp manually.

NPF in netbsd-6 is very old by now; netbsd-7 has many fixes as well as improvements and I strongly recommend to use that.

-- 
Mindaugas
Re: NPF syntax
On Mon, 16 Mar 2015 20:37:16 +0100
rudolf net...@eq.cz wrote:
> Are you using an older version of NPF? This seems like 3) in this email
> from two years ago:
> https://mail-index.netbsd.org/netbsd-users/2013/04/13/msg012733.html

I am running NetBSD 6.1.5_PATCH. I guess that doesn't have the most current version.

-- 
D'Arcy J.M. Cain da...@netbsd.org http://www.NetBSD.org/ IM:da...@vex.net
Re: NPF syntax
On Mon, Mar 16, 2015 at 6:52 AM, D'Arcy J.M. Cain da...@netbsd.org wrote:
> I have decided to give up on pf after banging my head against the wall
> (and the OBSD mailing list) and try npf but I can't figure out the
> syntax. I followed the example at http://www.netbsd.org/~rmind/npf/ but
> I keep getting errors when I validate. I reduced npf.conf to the
> following two lines:
>
> table friends type tree file /VEX/general/pf/friends.list
> table enemies type tree file /VEX/general/pf/enemies.list
>
> This gives me this error:
>
> # npfctl validate
> npfctl: table '0' is already defined
>
> If I remove one line I get this:
>
> # npfctl validate
> table 0 type tree
>
> If I put the full file and comment out the table lines I get this:
>
> # npfctl validate
> /etc/npf.conf:11:3: syntax error near 'alg'
>
> I am using the example config almost verbatim except for the table
> names and file paths. What am I missing here?

No help unfortunately, I'm just here to say I'm having similar issues. I've seen the npfctl error as well. I had some other problems so I decided to see if I could start by blocking all traffic. I'm trying to get a very simple rule to work:

block in final from 0.0.0.0/0

And it doesn't. Obviously I'm missing something very fundamental and I haven't found it in the documentation yet. Maybe I have to use a table? Frustrating.

Andy
Re: NPF syntax
D'Arcy J.M. Cain wrote:
> [...]
> table friends type tree file /VEX/general/pf/friends.list
> table enemies type tree file /VEX/general/pf/enemies.list
>
> This gives me this error:
>
> # npfctl validate
> npfctl: table '0' is already defined
>
> If I remove one line I get this:
>
> # npfctl validate
> table 0 type tree
> [...]

Are you using an older version of NPF? This seems like 3) in this email from two years ago:

https://mail-index.netbsd.org/netbsd-users/2013/04/13/msg012733.html

The documentation under http://www.netbsd.org/~rmind/npf/ is probably for some recent version of NPF.

r.
Re: NPF syntax
On Mon, 16 Mar 2015 18:26:58 GMT
Gerard Lally lists+netbsd.us...@netmail.ie wrote:
> At date and time Mon, 16 Mar 2015 09:52:07 -0400, D'Arcy J.M. Cain wrote:
> > # npfctl validate
> > /etc/npf.conf:11:3: syntax error near 'alg'
> >
> > I am using the example config almost verbatim except for the table
> > names and file paths. What am I missing here?
>
> I had to move the tables to /etc ; I think the reason was that the /usr
> filesystem was not mounted early enough at boot. Perhaps something like
> that is your problem as well? Is VEX an NFS mount?

I had a similar issue with pf on one of my servers but not this one. In any case, it isn't a boot issue. I haven't made it live yet. I am just running validate on the generated npf.conf.

By the way, when I had the issue with pf it locked me out of the server. I would hope that npf has a better failure mode and simply doesn't enable the packet filter on error. It was extremely annoying that I had to go to the colo to see why my server was down.

-- 
D'Arcy J.M. Cain da...@netbsd.org http://www.NetBSD.org/ IM:da...@vex.net