Discussion: Packet Filtering
Robert Swindells
2012-10-28 15:15:00 UTC
What is the recommended way of doing packet filtering in
NetBSD-current ?

I have tried IPF, PF and NPF, and can't get any of them to work
properly.

I just want to run NAT on IPv4 and to block everything except a small
list of ports from outside on both IPv4 and IPv6, I can't believe this
is all that unusual.

I have native IPv6, so both protocols are using the same external
interface if that makes a difference.

IPF seemed to work ok until the update to 5.1.1. After this I was
unable to get IPv6 to work while still blocking most IPv4 ports.

PF allows traffic from outside to connect to sshd, even though I have
not opened up that port. It also randomly hangs up connections and
generates "in_cksum: out of data" errors on the firewall machine,
Google seems to cause this the most often.

NPF generates a core dump if I run "npfctl show" and locks up
completely afterwards.

Robert Swindells

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
matthew sporleder
2012-10-28 16:19:59 UTC
Post by Robert Swindells
What is the recommended way of doing packet filtering in
NetBSD-current ?
I have tried IPF, PF and NPF, and can't get any of them to work
properly.
I just want to run NAT on IPv4 and to block everything except a small
list of ports from outside on both IPv4 and IPv6, I can't believe this
is all that unusual.
I have native IPv6, so both protocols are using the same external
interface if that makes a difference.
IPF seemed to work ok until the update to 5.1.1. After this I was
unable to get IPv6 to work while still blocking most IPv4 ports.
PF allows traffic from outside to connect to sshd, even though I have
not opened up that port. It also randomly hangs up connections and
generates "in_cksum: out of data" errors on the firewall machine,
Google seems to cause this the most often.
NPF generates a core dump if I run "npfctl show" and locks up
completely afterwards.
Robert Swindells
It might be helpful to see some of your rules and help fix your ipf or
pf issues.

I believe npf should still be considered experimental.

Matt

r***@fdy2.co.uk
2012-10-28 18:15:43 UTC
Post by matthew sporleder
Post by Robert Swindells
What is the recommended way of doing packet filtering in
NetBSD-current ?
I have tried IPF, PF and NPF, and can't get any of them to work
properly.
I just want to run NAT on IPv4 and to block everything except a small
list of ports from outside on both IPv4 and IPv6, I can't believe this
is all that unusual.
I have native IPv6, so both protocols are using the same external
interface if that makes a difference.
IPF seemed to work ok until the update to 5.1.1. After this I was
unable to get IPv6 to work while still blocking most IPv4 ports.
PF allows traffic from outside to connect to sshd, even though I have
not opened up that port. It also randomly hangs up connections and
generates "in_cksum: out of data" errors on the firewall machine,
Google seems to cause this the most often.
NPF generates a core dump if I run "npfctl show" and locks up
completely afterwards.
Robert Swindells
It might be helpful to see some of your rules and help fix your ipf or
pf issues.
I have copied them to my home directory on homeworld.
Post by matthew sporleder
I believe npf should still be considered experimental.
Sure, I was just getting fed up with the unreliability of pf and thought
I would give it a try.

Robert Swindells

John Nemeth
2012-10-28 17:26:11 UTC
On Feb 13, 3:22am, Robert Swindells wrote:
}
} What is the recommended way of doing packet filtering in
} NetBSD-current ?

-current as of what date, and what version? And, are both
userland and the kernel from the same date?

} I have tried IPF, PF and NPF, and can't get any of them to work
} properly.

PF seems to be essentially unmaintained and is getting a little
long in the tooth. IPF recently had a major update. NPF is, of
course, new.

} I just want to run NAT on IPv4 and to block everything except a small
} list of ports from outside on both IPv4 and IPv6, I can't believe this
} is all that unusual.

I would expect either IPF or NPF to work well for this. However,
depending on exactly what the date of your kernel is, you may have
caught one or both of them when they were in a state of flux. PF
should certainly be able to handle IPv4, but I don't know if it handles
IPv6. However, given that it is essentially unmaintained, I don't
think I would depend on it.

} I have native IPv6, so both protocols are using the same external
} interface if that makes a difference.

It shouldn't.

} PF allows traffic from outside to connect to sshd, even though I have
} not opened up that port. It also randomly hangs up connections and
} generates "in_cksum: out of data" errors on the firewall machine,
} Google seems to cause this the most often.

Sounds like you shouldn't be using PF then.

} NPF generates a core dump if I run "npfctl show" and locks up
} completely afterwards.

I remember seeing a bug report about this. You might just need to
update your system to get it fixed.

}-- End of excerpt from Robert Swindells

Robert Swindells
2012-10-28 22:20:38 UTC
Post by John Nemeth
}
} What is the recommended way of doing packet filtering in
} NetBSD-current ?
-current as of what date, and what version? And, are both
userland and the kernel from the same date?
I am running -current as of this afternoon now, kernel and userland
match. I was running a version from the same time yesterday when
I wrote the first email.
Post by John Nemeth
} I have tried IPF, PF and NPF, and can't get any of them to work
} properly.
PF seems to be essentially unmaintained and is getting a little
long in the tooth. IPF recently had a major update. NPF is, of
course, new.
I know, I was asking for suggestions on what was working for other
people.
Post by John Nemeth
} I just want to run NAT on IPv4 and to block everything except a small
} list of ports from outside on both IPv4 and IPv6, I can't believe this
} is all that unusual.
I would expect either IPF or NPF to work well for this. However,
depending on exactly what the date of your kernel is, you may have
caught one or both of them when they were in a state of flux. PF
should certainly be able to handle IPv4, but I don't know if it handles
IPv6. However, given that it is essentially unmaintained, I don't
think I would depend on it.
There does seem to be PF support for IPv6, we are using this on project
machines so I would hope that it worked correctly.
Post by John Nemeth
} I have native IPv6, so both protocols are using the same external
} interface if that makes a difference.
It shouldn't.
} PF allows traffic from outside to connect to sshd, even though I have
} not opened up that port. It also randomly hangs up connections and
} generates "in_cksum: out of data" errors on the firewall machine,
} Google seems to cause this the most often.
Sounds like you shouldn't be using PF then.
I have switched back to IPF.

It would still be nice to be able to prevent access to ports from outside.
Post by John Nemeth
} NPF generates a core dump if I run "npfctl show" and locks up
} completely afterwards.
I remember seeing a bug report about this. You might just need to
update your system to get it fixed.
The core dump problem has been fixed by rmind today.

I guess part of my point was that we have just released NetBSD-6.0,
are people who install it or upgrade to it from NetBSD-5 going to have
similar problems to me ?

IPF seems reliable but the syntax of the configuration file is, to me,
a lot harder to use than those of PF and NPF. The examples for IPF
have also not been updated for 5.1.1.

Robert Swindells

John Nemeth
2012-10-28 23:27:28 UTC
On Feb 13, 10:28am, Robert Swindells wrote:
} John Nemeth wrote:
} >On Feb 13, 3:22am, Robert Swindells wrote:
} >}
} >} What is the recommended way of doing packet filtering in
} >} NetBSD-current ?
} >
} > -current as of what date, and what version? And, are both
} >userland and the kernel from the same date?
}
} I am running -current as of this afternoon now, kernel and userland
} match. I was running a version from the same time yesterday when
} I wrote the first email.

Okay. That was kind of an important detail that was left out.

} >} I have tried IPF, PF and NPF, and can't get any of them to work
} >} properly.
} >
} > PF seems to be essentially unmaintained and is getting a little
} >long in the tooth. IPF recently had a major update. NPF is, of
} >course, new.
}
} I know, I was asking for suggestions on what was working for other
} people.

I have been using IPF and will probably stick to it for now. Just
how well that works out is something I intend to find out in the not
too distant future.

} I have switched back to IPF.
}
} It would still be nice to be able to prevent access to ports from outside.

Any of the packet filters should be able to do this quite easily.

} >} NPF generates a core dump if I run "npfctl show" and locks up
} >} completely afterwards.
} >
} > I remember seeing a bug report about this. You might just need to
} >update your system to get it fixed.
}
} The core dump problem has been fixed by rmind today.
}
} I guess part of my point was that we have just released NetBSD-6.0,
} are people who install it or upgrade to it from NetBSD-5 going to have
} similar problems to me ?

-current is not the same as 6.0. There have been changes to both
in -current that aren't in 6.0. Hopefully what is in 6.0 is stable and
works.

} IPF seems reliable but the syntax of the configuration file is, to me,
} a lot harder to use than those of PF and NPF. The examples for IPF
} have also not been updated for 5.1.1.

I don't think there were any changes in IPF for 5.1.1. Due to
problems with the author's employer, IPF didn't change for quite some
time. Now that the author no longer has the same employer there has
been a flurry of activity. IPF has had a major update for 6.0. I
don't know if those will get pulled up to netbsd-5 or not.

}-- End of excerpt from Robert Swindells

Darren Reed
2012-10-28 23:55:01 UTC
Robert,


On Sun, Oct 28, 2012, at 04:15 PM, Robert Swindells wrote:
...
Post by Robert Swindells
I just want to run NAT on IPv4 and to block everything except a small
list of ports from outside on both IPv4 and IPv6, I can't believe this
is all that unusual.
Anything involving IPv6 is pretty much "unusual" at this point in time.
People are getting excited when they see that the percentage of IPv6
users is in the single digit percentage range.
Post by Robert Swindells
IPF seemed to work ok until the update to 5.1.1. After this I was
unable to get IPv6 to work while still blocking most IPv4 ports.
The update of IPFilter to 5.1.1 has meant that the same
configuration file is used for both IPv6 and IPv4. Some
rules will apply to both IPv6 and IPv4 packets where before
they only applied to IPv4 or IPv6. Whilst it is easy to mark
all of the rules from ipf6.conf as being IPv6 only, it is
substantially harder to decide that rules which are ambiguous
about which IP protocol family they pertain to for rules that
are from ipf.conf. IPv6 rules from ipf6.conf are loaded with
the "-6" switch on ipf(8)'s CLI but for IPv4 or combined IPv4
and IPv6 rules in ipf.conf, there is no CLI option.

Additionally, I need to check for documentation of ipf6.conf
in current and mention that this file is historical in nature
and should no longer be used.

If you currently have both ipf.conf and ipf6.conf, merge them
into one file - ipf.conf. This should help you rationalise what
your rules actually are. For example, I suspect that your "block
any" rule for ipf.conf is now impacting IPv6 whereas before it
had no impact on IPv6 packets.

The parsing of ipf.conf will attempt to determine what protocol
family a rule should be in based on the format of the IP address
in the rule but in some cases, it is necessary to formally state
whether it is an IPv4 or IPv6 rule. Examples of that are when
writing a rule to match ICMP ECHO packets because the type code
for IPv4 and IPv6 is different.

If you've got more questions, keep asking...

Darren

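An added audit helper, not IPFilter's own parser and not code from anyone in this thread: it walks a constructed ipf.conf that has had ipf6.conf merged into it as Darren suggests, guesses each rule's family from any literal address the way the text describes, and reports rules that now silently apply to both families or, for ICMP, should state a family explicitly (the `family inet`/`family inet6` keyword is assumed to be how that is written).

```python
import ipaddress
import re

# Constructed sample: a NAT box's ipf.conf after merging the old ipf6.conf.
SAMPLE_IPF_CONF = """\
# rules merged from ipf.conf and ipf6.conf (constructed sample)
block in all
pass out quick on bge0 keep state
pass in quick on bge0 proto tcp from any to 192.0.2.10 port = 22 keep state
pass in quick on bge0 proto tcp from any to 2001:db8::10 port = 443 keep state
pass in quick on bge0 proto icmp all icmp-type echo
pass in quick on bge0 family inet6 proto ipv6-icmp all icmp-type echo
"""


def infer_family(rule):
    """Return 'inet', 'inet6', 'both' or 'conflict' for one rule line.

    An explicit 'family' keyword (assumed syntax) wins; otherwise the family
    is guessed from literal addresses in the rule, and a rule with none
    (e.g. 'block in all') is ambiguous and matches both families.
    """
    m = re.search(r"\bfamily\s+(inet6?)\b", rule)
    if m:
        return m.group(1)
    families = set()
    for tok in rule.split():
        tok = tok.split("/")[0]  # drop a prefix length such as /64
        try:
            families.add("inet6" if ipaddress.ip_address(tok).version == 6 else "inet")
        except ValueError:
            pass  # keyword, interface name, port number: not an address
    if not families:
        return "both"
    return families.pop() if len(families) == 1 else "conflict"


def audit(conf):
    """List (line number, finding) for rules whose family became ambiguous."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.split("#")[0].strip()
        if not line:
            continue
        fam = infer_family(line)
        if fam == "both" and line.startswith("block"):
            findings.append((n, "block rule now matches IPv6 as well as IPv4"))
        if fam == "both" and re.search(r"\bproto\s+(icmp|ipv6-icmp)\b", line):
            findings.append((n, "ICMP rule needs an explicit family: echo type codes differ"))
    return findings
```

Running `audit(SAMPLE_IPF_CONF)` flags the bare `block in all` and the `proto icmp` echo rule, while the rule carrying `family inet6` passes.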
Mouse
2012-10-29 00:09:12 UTC
Post by Darren Reed
Anything involving IPv6 is pretty much "unusual" at this point in
time. People are getting excited when they see that the percentage
of IPv6 users is in the single digit percentage range.
This is at least somewhat location-specific.

I spent the second half of 2002 working for Universitetet i Tromsø, in
Norway, and the University folks had a city-wide radio network set up -
using v6. The house netlink they set me up with was v6-only.

But, back in North America and a decade later, I'm seeing pretty much
what Darren describes. Most computer people at least have a vague clue
what v6 is, but-- well, for example, I recently signed up with a small
ISP. I had to nudge them repeatedly and play guinea-pig to get them to
deliver v6 at all. And one of my employers is a VoI provider; I don't
think they've even _thought_ about using v6 for VoI.

/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML ***@rodents-montreal.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Darren Reed
2012-10-29 04:23:16 UTC
Post by Mouse
Post by Darren Reed
Anything involving IPv6 is pretty much "unusual" at this point in
time. People are getting excited when they see that the percentage
of IPv6 users is in the single digit percentage range.
This is at least somewhat location-specific.
I spent the second half of 2002 working for Universitetet i Tromsø, in
Norway, and the University folks had a city-wide radio network set up -
using v6. The house netlink they set me up with was v6-only.
But, back in North America and a decade later, I'm seeing pretty much
what Darren describes. Most computer people at least have a vague clue
what v6 is, but-- well, for example, I recently signed up with a small
ISP. I had to nudge them repeatedly and play guinea-pig to get them to
deliver v6 at all. And one of my employers is a VoI provider; I don't
think they've even _thought_ about using v6 for VoI.
I can think of two exceptions to this.

One is the assigning of IP addresses to cable modems for TV, etc, in
various countries because it is just getting too hard to allocate IPv4
networks and addresses in a manner that allows connecting all of the
houses in the country.

The other is mobile phones.

Darren

David Laight
2012-10-29 08:08:37 UTC
Post by Mouse
And one of my employers is a VoI provider; I don't
think they've even _thought_ about using v6 for VoI.
'Work' has some ongoing projects to add IPv6 support to some of our
VoIP products, but it is non-trivial and there is little commercial
pressure to complete it quickly.

Not the least of the issues is that it is much more difficult to write
a small trivial IPv6 implementation to run on an embedded system.
(The IPv4 implementation on the DSPs doing voice only needed to support
UDP, the hardware modifies the MAC address on inbound packets based
on the port numbers - everything else goes to a ppc using the same IP
address. The same tricks can't be used for IPv6.)

David
--
David Laight: ***@l8s.co.uk
