Discussion:
npf validate error and other npf questions (migrating from ipf)
y***@sdf.org
2020-12-31 18:26:15 UTC
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
Started with soho_gw-npf.conf from /usr/share/examples/npf/

amd64 NetBSD 8_stable (quad xeon, plenty of ram, raidframe root)

# npfctl validate
/etc/npf.conf:31:0: port range is not valid

npf.conf snippet that fails:
map $ext_if dynamic $localnet0 -> $ext_v4 port 2048-41200

How should I accomplish this? Yes, I know there are more exposed options
in NetBSD 9 npf-params(7)... but I'm hoping to test my npf configuration
before I migrate.

On another topic, is this too restrictive on my local interface? :

group "internal" on $int_if {
    block in all
    pass in final from $localnet0
    pass out final all to $localnet0
}
where:
$localnet0 = { 192.168.1.0/24 }
$int_if = "bge0"
My reasoning is that everything coming into my local lan from the
server should be going to my local network only and everything going
into the server from my lan should be only from my local network
address space... am I thinking about this correctly?

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Greg Troxel
2020-12-31 19:53:05 UTC
Post by y***@sdf.org
group "internal" on $int_if {
    block in all
    pass in final from $localnet0
    pass out final all to $localnet0
}
$localnet0 = { 192.168.1.0/24 }
$int_if = "bge0"
My reasoning is that everything coming into my local lan from the
server should be going to my local network only and everything going
into the server from my lan should be only from my local network
address space... am I thinking about this correctly?
That is going to block multicast and broadcast. Probably you don't
want to do that.

One approach is to pass out with keep state (so the replies come in) and
then to allow inbound traffic to services you want reachable on
the LAN.

If you have a (local where you can type on it to rescue it) NetBSD host,
I'd also suggest building a single-interface config first.


eg

block all apply "log"
pass final on lo0 all
pass in family inet4 proto icmp icmp-type echo all
pass in family inet4 proto igmp all
pass family inet6 proto ipv6-icmp all
pass stateful in proto tcp to any port ssh
pass stateful out all



log is really useful; you can tcpdump on the log file with -e and get
the rule number.
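To make the multicast/broadcast point concrete, here is an added example (not code from the thread or from NetBSD) that models the poster's "internal" group as Python rules and runs a few constructed LAN packets through it. It assumes a simplified version of NPF's rule semantics as described in npf.conf(5): rules in a group are tried in order, a matching rule marked final ends processing, otherwise the last matching rule wins, and a packet matching no rule in its interface group is handled by the default group (here the "block all" from soho_gw-npf.conf). The $localnet0 prefix and rule text are the poster's; the sample packets are constructed.

```python
"""Model of how the poster's "internal" group treats LAN traffic.

Added example, not code from the thread or from NetBSD.  Only the subset of
NPF rule semantics needed here is modelled (assumption based on npf.conf(5)):
ordered evaluation, 'final' stops processing, otherwise last match wins, and
a packet matching nothing in its group falls to the default group.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LOCALNET0 = ip_network("192.168.1.0/24")      # $localnet0 from the post


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: str                      # "in", "out", or "" for both
    final: bool = False
    src: Optional[IPv4Network] = None   # None means "any"
    dst: Optional[IPv4Network] = None

    def matches(self, direction: str, src: str, dst: str) -> bool:
        if self.direction and self.direction != direction:
            return False
        if self.src is not None and ip_address(src) not in self.src:
            return False
        if self.dst is not None and ip_address(dst) not in self.dst:
            return False
        return True


# group "internal" on $int_if, as posted:
#   block in all
#   pass in final from $localnet0
#   pass out final all to $localnet0
INTERNAL = [
    Rule("block", "in"),
    Rule("pass", "in", final=True, src=LOCALNET0),
    Rule("pass", "out", final=True, dst=LOCALNET0),
]

# The default group of soho_gw-npf.conf, minus the lo0 rule: block all.
DEFAULT = [Rule("block", "")]


def evaluate(rules, direction: str, src: str, dst: str) -> Optional[str]:
    """Return the winning rule's action, or None if no rule matched."""
    winner = None
    for rule in rules:
        if rule.matches(direction, src, dst):
            winner = rule.action
            if rule.final:
                break
    return winner


def decide(direction: str, src: str, dst: str) -> str:
    """Verdict for a packet on the internal interface."""
    verdict = evaluate(INTERNAL, direction, src, dst)
    if verdict is None:
        verdict = evaluate(DEFAULT, direction, src, dst)
    return verdict if verdict is not None else "pass"


# Constructed packets on bge0: (direction, source, destination, description)
SAMPLE_PACKETS = [
    ("in",  "192.168.1.50", "192.168.1.1",     "LAN host talking to the router"),
    ("in",  "0.0.0.0",      "255.255.255.255", "DHCP DISCOVER from an unconfigured client"),
    ("in",  "192.168.1.50", "224.0.0.251",     "mDNS query from a LAN host"),
    ("out", "192.168.1.1",  "224.0.0.251",     "mDNS announcement from the router"),
    ("out", "192.168.1.1",  "192.168.1.255",   "subnet-directed broadcast from the router"),
    ("out", "192.168.1.1",  "255.255.255.255", "limited broadcast from the router"),
]

if __name__ == "__main__":
    for direction, src, dst, what in SAMPLE_PACKETS:
        print(f"{decide(direction, src, dst):5}  {direction:3} {src} -> {dst}  ({what})")
```

Running it shows where the two rules bite: a DHCP DISCOVER arrives with source 0.0.0.0, which is outside $localnet0, so only "block in all" matches; outbound multicast and the limited broadcast 255.255.255.255 are not "to $localnet0", so they fall through to the default group's block. Subnet-directed broadcast to 192.168.1.255 and inbound traffic from LAN hosts (including their multicast) still pass.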
y***@sdf.org
2021-01-01 19:04:34 UTC
Post by y***@sdf.org
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
Started with soho_gw-npf.conf from /usr/share/examples/npf/
amd64 NetBSD 8_stable (quad xeon, plenty of ram, raidframe root)
So far,

I suspect that the validate error is known, since there are now parameters
(npf-param) that can be tweaked in NetBSD 9 for portmapping ranges...

I received thoughtful advice on filtering rules, so I will start out less
restrictive just to get an operable setup...

Things not well documented about npf that I think I have learned:
In addition to the man pages and npf documentation at:
http://rmind.github.io/npf/extensions.html
I found this link which gave a couple of clues
https://pub.nethence.com/bsd/npf
but not all...
Is there someplace else I should be looking?

1) In NetBSD 8 (probably 9?), need to modify the GENERIC
kernel to include (uncomment):
    pseudo-device npf       # NPF packet filter
    pseudo-device bpfilter  # Berkeley packet filter
Should this be listed somewhere?
Probably in "The Guide" update for npf?
2) Looks like we ought to be clear what sysctl variables need
to be set to what...
For my ipf setup, already had:
net.inet.ip.forwarding=1
Do I also need:
kern.securelevel=0 ?
3) At a minimum will want to add in rc.conf or rc.local:
npf=YES (disable the ipf stuff with NO for testing)
anything else in here? npfd or some logging daemon?
4) What do I need to do to enable logging in npf? I can see the
directives in the example config file, but no logs
seem to be written?
Would like a log like I get with ipf with action/rule/addresses in
human readable form.

After recompiling a GENERIC NetBSD 8_stable kernel with the npf pseudo-device,
I could ping the internet from the console, but not from machines attached
to my lan...
Here are some diagnostics...

# npfctl show
# filtering: active
# config: loaded

procedure "log"

map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"

group "external" on wm0 # id="1"
    pass stateful out final flags S/FSRA # id="2"
    pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 9030, port 9001 } # id="3"
    pass out final family inet4 proto tcp from 10.1.10.10 { port 9030, port 9001 } # id="4"
    pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 22, port 115 } apply "log" # id="5"
    pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 { port 80, port 443, port 25, port 53 } # id="6"
    pass stateful in final family inet4 proto udp to 10.1.10.10 { port 53, port 123 } # id="7"
    pass stateful in final family inet4 proto tcp flags S/FSRA to 10.1.10.10 port 49151:65535 # id="8"
    pass stateful in final family inet4 proto udp to 10.1.10.10 port 33434:33600 # id="9"

group "internal" on bge0 # id="a"
    pass stateful in final family inet4 flags S/FSRA from 192.168.1.0/24 # id="b"
    pass out final family inet4 to 192.168.1.0/24 # id="c"
    pass out all apply "log" # id="d"
    pass stateful in flags S/FSRA apply "log" # id="e"

group # id="f"
    pass final on lo0 all # id="10"
    block all # id="11"

# npfctl stats
Packets passed:
0 default pass
14654 ruleset pass
13798 state pass
Packets blocked:
0 default block
585 ruleset block
State and NAT entries:
17482 state allocations
17234 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
14166 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# npfctl list
From address:port          To address:port
192.168.1.63:59296         89.187.183.151:51820
192.168.1.34:21754         192.155.71.16:1121
10.1.10.10:65533           198.41.0.4:53
10.1.10.10:65534           198.41.0.4:53
192.168.1.2:49902          172.217.0.3:443
192.168.1.2:49901          172.217.0.3:443
192.168.1.2:49904          172.217.4.46:443
[many more entries in the list]
It looks like connections are being established, just not connected and
routed to my lan somehow...?

I tried to ping from a Win10 console and the response was that
google.com/anything else was unreachable...
And yes, my internal interface was reachable (192.168.1.1)...

Comments/pointers welcome...



y***@sdf.org
2021-01-03 16:03:04 UTC
Post by y***@sdf.org
1) In NetBSD 8 (probably 9?), need to modify the GENERIC
pseudo-device npf # NPF packet filter
pseudo-device bpfilter # Berkeley packet filter
Should this be listed somewhere?
Probably in "The Guide" update for npf?
2) Looks like we ought to be clear what sysctl variables need
to be set to what...
net.inet.ip.forwarding=1
kern.securelevel=0 ?
npf=YES (disable the ipf stuff with NO for testing)
anything else in here? npfd or some logging daemon?
4) What do I need to do to enable logging in npf? I can see the
directives in the example config file, but no logs
seem to be written?
Would like a log like I get with ipf with action/rule/addresses
in human readable form.
On 4, I figured out logging via what's in npfd... good enough...

Q 5) assuming I can get NAT to function...
In ipf we have an rdr directive in addition to map.
The npf examples have some directives, but not quite what I want...
I would like to redirect/map any outbound request for ntp or dns
to these services on my local server.
Post by y***@sdf.org
After recompiling a GENERIC NetBSD 8_stable kernel with the npf
pseudo-device, I could ping the internet from the console, but
not from machines attached to my lan...
Here are some diagnostics...
# npfctl list -n
Is empty... no NAT taking place as far as I can tell?

I even tried a simple, promiscuous ruleset and that also fails to NAT?

# npfctl show
# filtering: active
# config: loaded

procedure "log"

map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"

group "external" on wm0 # id="1"
    pass stateful flags S/FSRA # id="2"

group "internal" on bge0 # id="3"
    pass stateful flags S/FSRA # id="4"

group # id="5"
    pass final on lo0 all # id="6"
    block all # id="7"


# tcpdump -n -e -ttt -i npflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on npflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
00:00:00.000000 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000004 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 172.217.4.46 unreachable, length 36
00:00:00.076195 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000003 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 52.85.79.57 unreachable, length 36
00:00:00.091642 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61971 > 35.201.124.9.443: Flags [S], seq 638454253, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000004 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61971 > 35.201.124.9.443: Flags [S], seq 638454253, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000004 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 35.201.124.9 unreachable, length 36
Post by y***@sdf.org
Comments/pointers welcome...
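The npflog trace above has a clear shape once it is parsed rather than read by eye: each client SYN is logged arriving on bge0, logged leaving on wm0, and a few microseconds later the router itself (192.168.1.1) sends the client an ICMP host unreachable for the remote. Here is an added example (not code from the thread or from NetBSD) that turns the `tcpdump -n -e -ttt -i npflog0` records into structured fields, correlates each client flow across interfaces, and reports which flows the router answered with ICMP unreachable. Because a log line shows what the rule procedure saw and not whether a NAT session exists, it also pulls the "NAT entry allocations" counter out of `npfctl stats`, which was 0 in the stats quoted earlier and is the direct evidence that no translation was ever set up. The sample input is constructed from the output quoted in these posts; the interface and address names (wm0, bge0, 192.168.1.1) are the thread's.

```python
"""Triage npflog and npfctl output for the NAT problem in this thread.

Added example, not code from the thread or from NetBSD.  parse_npflog() reads
records printed by `tcpdump -n -e -ttt -i npflog0`, unreachable_flows()
correlates each LAN client's flow across interfaces and reports the ones the
router itself answered with ICMP host unreachable, nat_entry_allocations()
reads the NAT counter from `npfctl stats`.  Sample input is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTER_LAN_ADDR = "192.168.1.1"   # the router's bge0 address, from the thread

# One PFLOG record as decoded by tcpdump -e: timestamp, rule id, verdict,
# direction, interface, then the usual "src > dst: details" body.
RECORD = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\S+)\((?P<how>\w+)\): (?P<verdict>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
ICMP_UNREACH = re.compile(r"ICMP host (?P<host>\S+) unreachable")


@dataclass
class Record:
    ts: str
    rule: str
    verdict: str
    direction: str
    ifname: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    rest: str


def split_addr(token: str) -> Tuple[str, Optional[int]]:
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP and a bare 'a.b.c.d' for ICMP."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_npflog(text: str) -> List[Record]:
    """Parse npflog records; banner lines and anything unparseable are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        records.append(Record(m["ts"], m["rule"], m["verdict"], m["dir"],
                              m["ifname"], src, sport, dst, dport, m["rest"]))
    return records


def unreachable_flows(records: List[Record],
                      router_addr: str = ROUTER_LAN_ADDR) -> Dict[Tuple[str, str], List[str]]:
    """(client, remote host) -> interface/direction where the client's packets
    were logged, for every flow the router answered with ICMP host unreachable."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for r in records:
        if r.sport is not None:            # TCP/UDP packet, i.e. client traffic
            seen.setdefault((r.src, r.dst), []).append(f"{r.ifname} {r.direction}")
    flagged = {}
    for r in records:
        if r.src == router_addr and r.direction == "out":
            m = ICMP_UNREACH.search(r.rest)
            if m:
                key = (r.dst, m["host"])   # (client that was told, host it wanted)
                flagged[key] = seen.get(key, [])
    return flagged


def nat_entry_allocations(stats_text: str) -> Optional[int]:
    """Read the 'NAT entry allocations' counter from `npfctl stats` output."""
    m = re.search(r"^\s*(\d+) NAT entry allocations", stats_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def triage(log_text: str, stats_text: str) -> dict:
    records = parse_npflog(log_text)
    nat = nat_entry_allocations(stats_text)
    return {"records": len(records),
            "unreachable_flows": len(unreachable_flows(records)),
            "nat_entry_allocations": nat,
            "nat_sessions_created": bool(nat)}


# Constructed from the tcpdump and npfctl stats output quoted in the thread.
SAMPLE_LOG = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on npflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
00:00:00.000000 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000004 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 172.217.4.46 unreachable, length 36
00:00:00.076195 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
00:00:00.000003 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 52.85.79.57 unreachable, length 36
"""
SAMPLE_STATS = """\
State and NAT entries:
        17482 state allocations
        17234 state destructions
        0 NAT entry allocations
        0 NAT entry destructions
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_STATS))
    for (client, host), path in unreachable_flows(parse_npflog(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: logged {', '.join(path)}, then ICMP unreachable from the router")
```

On the constructed input the report is two flows from 192.168.1.2, each logged "bge0 in" then "wm0 out" before the router's ICMP unreachable, and a NAT allocation count of 0. Feeding it a live `tcpdump -l -n -e -ttt -i npflog0` capture and `npfctl stats` output gives the same two facts for a real box: which client flows are dying at the router, and whether NAT has ever created a session.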
Robert Swindells
2021-01-03 19:43:31 UTC
Post by y***@sdf.org
Post by y***@sdf.org
After recompiling a GENERIC NetBSD 8_stable kernel with the npf
pseudo-device, I could ping the internet from the console, but
not from machines attached to my lan...
Here are some diagnostics...
# npfctl list -n
Is empty... no NAT taking place as far as I can tell?
How have you configured the machines on the lan ?
Post by y***@sdf.org
I even tried a simple, promiscuous ruleset and that also fails to NAT?
# npfctl show
# filtering: active
# config: loaded
procedure "log"
map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"
You seem to be using 192.168.1.0/24 for your lan, where does 10.1.10.10
come into the equation ?

I'm guessing that wm0 is your external interface, what is the IPv4
address ?

I'm using a slightly modified version of soho_gw-npf.conf and it does
NAT fine.

y***@sdf.org
2021-01-03 21:47:14 UTC
Post by Robert Swindells
Post by y***@sdf.org
Post by y***@sdf.org
After recompiling a GENERIC NetBSD 8_stable kernel with the npf
pseudo-device, I could ping the internet from the console, but
not from machines attached to my lan...
Here are some diagnostics...
# npfctl list -n
Is empty... no NAT taking place as far as I can tell?
How have you configured the machines on the lan ?
As you point out below, 192.168.1.0/24 this is the map rule with ipf:
map wm0 192.168.1.0/24 -> 0/32 portmap tcp/udp 6970:65535

The internal router interface is 192.168.1.1 (bge0)

This is a working (for > 10 years) ipnat/ipf setup...
Post by Robert Swindells
Post by y***@sdf.org
I even tried a simple, promiscuous ruleset and that also fails to NAT?
# npfctl show
# filtering: active
# config: loaded
procedure "log"
map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"
You seem to be using 192.168.1.0/24 for your lan, where does 10.1.10.10
come into the equation ?
I'm guessing that wm0 is your external interface, what is the IPv4
address ?
Yeah...oddball setup...the "external", to the NetBSD router
interface, really is 10.1.10.10 (wm0).

10.1.10.1 (the only other member of this intermediate local net)
is the Comcast router and it is bidirectionally routing
10.1.10.1 to and from a dynamic ip...

This part works fine, or at least does under ipnat/ipf...

Robert Swindells
2021-01-03 22:05:39 UTC
Post by y***@sdf.org
Post by Robert Swindells
Post by y***@sdf.org
I even tried a simple, promiscuous ruleset and that also fails to NAT?
# npfctl show
# filtering: active
# config: loaded
procedure "log"
map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"
You seem to be using 192.168.1.0/24 for your lan, where does 10.1.10.10
come into the equation ?
I'm guessing that wm0 is your external interface, what is the IPv4
address ?
Yeah...oddball setup...the "external", to the NetBSD router
interface, really is 10.1.10.10 (wm0).
10.1.10.1 (the only other member of this intermediate local net)
is the Comcast router and it is bidirectionally routing
10.1.10.1 to and from a dynamic ip...
Have you tried copying what is in soho_gw-npf.conf ?

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$localnet = { 192.168.1.0/24 }

$int_if = "bge0"

map $ext_if dynamic $localnet -> $ext_v4

Plus some group entries based on the ones in the example file.

y***@sdf.org
2021-01-03 22:26:30 UTC
Post by Robert Swindells
Post by y***@sdf.org
Post by Robert Swindells
Post by y***@sdf.org
I even tried a simple, promiscuous ruleset and that also fails to NAT?
# npfctl show
# filtering: active
# config: loaded
procedure "log"
map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"
You seem to be using 192.168.1.0/24 for your lan, where does 10.1.10.10
come into the equation ?
I'm guessing that wm0 is your external interface, what is the IPv4
address ?
Yeah...oddball setup...the "external", to the NetBSD router
interface, really is 10.1.10.10 (wm0).
10.1.10.1 (the only other member of this intermediate local net)
is the Comcast router and it is bidirectionally routing
10.1.10.1 to and from a dynamic ip...
Have you tried copying what is in soho_gw-npf.conf ?
This is what I have, I started with this example:
# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# SOHO border
#
# 2020.12.31 - Getting ready to migrate from ipnat/ipf to npf prior to upgrading NetBSD 8 --> 9
# Originally this example was for a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_v6 = inet6(wm0)
$ext_addrs = { inet4(wm0), inet6(wm0) }

$int_if = "bge0"
$int_v4 = inet4(bge0)

# a table to house e.g. block candidates in
#table <block> type hash file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
#table <int-block> type tree dynamic

$services_tcp = { http, https, smtp, domain }
$services_udp = { domain, ntp }
$localnet0 = { 192.168.1.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
#set portmap.max_port 51200
#set portmap.min_port 2048
map $ext_if dynamic $localnet0 -> $ext_v4

Robert Swindells
2021-01-03 22:45:30 UTC
Post by y***@sdf.org
Post by Robert Swindells
Have you tried copying what is in soho_gw-npf.conf ?
# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
Ok, what about the rest of the file, you didn't show any rule groups.

y***@sdf.org
2021-01-04 01:29:52 UTC
Post by Robert Swindells
Ok, what about the rest of the file, you didn't show any rule groups.
I tried the example pretty much as-is, eventually tried this for
debugging, which should be about as promiscuous and
unfiltered as possible:

$ext_if = "wm0"
$ext_v4 = inet4(wm0)

$int_if = "bge0"
$int_v4 = inet4(bge0)

$localnet0 = { 192.168.1.0/24 }

map $ext_if dynamic $localnet0 -> $ext_v4

procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    pass stateful all apply "log"
}

group "internal" on $int_if {
    pass stateful all apply "log"
}

group default {
    pass final on lo0 all
    block all
}

From watching the log, and peer behavior, no packets
are getting mapped.

i***@netbsd.org
2021-01-03 16:37:37 UTC
Hello,
Post by y***@sdf.org
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
What is this fear of ipfilter on netbsd9 that I keep reading
about in side remarks? The only real error report that I found was
specific to NetBSD/Xen PV with ipfilter loaded as module, and some
CPP definition discrepancy assumed as the reason.

I'm running IPfilter on NetBSD/amd64 for a test with a 9.1_STABLE
kernel. If I should expect problems, I'd like to learn about them
now.

-is

y***@sdf.org
2021-01-03 17:29:00 UTC
Post by i***@netbsd.org
Hello,
Post by y***@sdf.org
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
What is this fear of ipfilter on netbsd9 that I keep reading
about in side remarks? The only real error report that I found was
specific to NetBSD/Xen PV with ipfilter loaded as module, and some
CPP definition discrepancy assumed as the reason.
I'm running IPfilter on NetBSD/amd64 for a test with a 9.1_STABLE
kernel. If I should expect problems, I'd like to learn about them
now.
To be really clear, I am not aware of any specific concerns,
only the long stated references to npf being the One NetBSD
packet filter/NAT going forward. Also, references to ipfilter
no longer being maintained... this question pops up on tech-net
from time to time...

My thinking was that if npf really is the way forward, I'd
just go with it... but...as I was unable to get NAT working on
my NetBSD 8ish kernel...will try npf once more with a 9_stable
kernel, then test out ipfilter in 9 and put npf on the back
burner again...

Greg Troxel
2021-01-03 18:55:03 UTC
Post by i***@netbsd.org
Hello,
Post by y***@sdf.org
I decided to dig into replacing my ipnat/ipf ruleset with npf for my
home router/firewall/nameserver/webserver so I can migrate from
NetBSD 8 --> NetBSD 9 with less pain/fear...
What is this fear of ipfilter on netbsd9 that I keep reading
about in side remarks? The only real error report that I found was
specific to NetBSD/Xen PV with ipfilter loaded as module, and some
CPP definition discrepancy assumed as the reason.
This may be partially my fault. I am not aware of any really valid
reports of trouble. Just a notion that many are moving from ipfilter to
npf, and that I have no current basis for confidence that ipfilter is
100% ok on 9.