Setting up NetBSD Packet Filter (NPF)

Bare-Metal vs XEN Guest

On Bare Metal

    cat > /etc/modules.conf <<-EOF
    npf
    npf_ext_log
    EOF
    echo modules=yes >> /etc/rc.conf

As for a XEN guest, quoting the XEN howto

In standard kernels, npf is a module, and thus cannot be loaded in a DOMU kernel.

therefore build your own NetBSD/XEN domU kernel with NPF compiled in, and take PF out of that kernel config: the two are mutually exclusive and the build otherwise stops with

    ../../../../net/npf/npf_if.c:53:2: error: #error "NPF and PF are mutually exclusive; please select one"

IP Forwarding

    sysctl net.inet.ip.forwarding
    sysctl -w net.inet.ip.forwarding=1

    cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

NAT

    ifconfig -a
    vi /etc/npf.conf

    # no filtering at all: every packet is accepted in both directions,
    # this file only does NAT
    group default {
            pass in all
            pass out all
    }

    # NAT: sources from SUBNET/24 leaving PUBLIC_INTERFACE are rewritten
    # to PUBLIC_IP (replace the three placeholders with your own values)
    map PUBLIC_INTERFACE dynamic SUBNET/24 -> PUBLIC_IP

    chmod 400 /etc/npf.conf

Ready to go

    echo npf=yes >> /etc/rc.conf
    cat /etc/rc.conf

    tail -F /var/log/messages

    /etc/rc.d/npf start
    /etc/rc.d/npf restart
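The ruleset above passes everything and only does NAT. Here is an added example, not from the original page, that renders a stateful, default-deny npf.conf around the same map line, then installs it read-only after npfctl(8) has parsed it. Assumed placeholders: wm0 as public interface, wm1 as LAN interface, 192.168.1.0/24 as the LAN, 203.0.113.10 as public address; table id 1 and the procedure name "log" are choices made here. The syntax is npf.conf(5) of NetBSD 7 ("type tree" table); NetBSD 8 and later spell prefix tables "type lpm" and name them instead of numbering them.

```shell
#!/bin/sh
# Added example (not from the original page): stateful, default-deny NPF
# ruleset around the page's NAT map. Interface names, addresses, table id 1
# and the procedure name "log" are assumptions; adjust to your network.

# gen_npf_conf EXT_IF INT_IF INT_NET EXT_IP: print a complete npf.conf
gen_npf_conf() {
    ext_if=$1 int_if=$2 int_net=$3 ext_ip=$4
    cat <<EOF
\$ext_if = "$ext_if"
\$int_if = "$int_if"
\$int_net = { $int_net }
\$ext_ip = { $ext_ip }

# one address or prefix per line; re-read by "npfctl reload"
table <1> type tree file "/etc/npf_blacklist"

# rules carrying 'apply "log"' copy their packets to npflog0
procedure "log" {
	log: npflog0
}

# NAT, as on the page: LAN sources leaving \$ext_if become \$ext_ip
map \$ext_if dynamic \$int_net -> \$ext_ip

group "external" on \$ext_if {
	# drop and record anything from the blacklist table first
	block in final from <1> apply "log"
	# what we (or the NATed hosts) start may go out; replies track state
	pass stateful out final all
	# only ssh is reachable from outside; add services here, one per rule
	pass stateful in final proto tcp to \$ext_ip port ssh
}

group "internal" on \$int_if {
	block in all
	# anti-spoofing: only addresses that really belong to the LAN get in
	pass in final from \$int_net
	pass out final all
}

group default {
	pass final on lo0 all
	# replaces the page's "pass in all / pass out all": default deny
	block all
}
EOF
}

# install_npf_conf DEST EXT_IF INT_IF INT_NET EXT_IP: write the ruleset to
# DEST with mode 0400 (the page's chmod 400). When npfctl is present, i.e. on
# the NetBSD host itself, "npfctl validate" must accept the file first, so a
# typo never replaces a working /etc/npf.conf.
install_npf_conf() {
    dest=$1; shift
    tmp="$dest.new"
    gen_npf_conf "$@" > "$tmp" || return 1
    if command -v npfctl >/dev/null 2>&1; then
        npfctl validate "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 400 "$tmp" && mv "$tmp" "$dest"
}

# usage on the router (paths as on the page):
#   install_npf_conf /etc/npf.conf wm0 wm1 192.168.1.0/24 203.0.113.10 \
#       && /etc/rc.d/npf reload
```

The "internal" group matters once the default group blocks: LAN packets enter the router on the LAN interface and would otherwise be dropped before ever reaching the NAT map.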

optionally harden the box by raising the securelevel, unless the kernel config already pins it. Caveat for the module setup above: from securelevel 1 on, kernel modules can no longer be loaded, so npf has to be in the kernel already (at boot the modules rc script runs before the securelevel one, but a later modload(8) by hand will fail).

    sysctl kern.securelevel
    sysctl -w kern.securelevel=1

    echo kern.securelevel=1 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

    echo securelevel=1 >> /etc/rc.conf

    shutdown -r now

Operations

    cp -pi /etc/npf.conf /etc/npf.conf.`date +%s`
    vi /etc/npf.conf

reload parses the new file in userland and only then swaps the ruleset, so a syntax error leaves the previous rules running; check the exit status rather than assuming the edit went live.

    /etc/rc.d/npf reload

TODO blacklists

The file holds one address or prefix per line; once npf.conf declares a table backed by it, it is re-read on every reload, and an empty file just gives an empty table, so creating it up front is harmless.

    ls -lhF /etc/npf_blacklist
    touch /etc/npf_blacklist
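An added example, not from the original page, for feeding that file without breaking the ruleset: every entry is checked to be an IPv4 address or prefix before it is written, duplicates are skipped, and on the firewall itself the change is pushed into the live table with npfctl(8) so it takes effect without a reload (the file keeps it across reboots). It assumes npf.conf declares the file as a prefix-capable table with id 1 (NetBSD 7 numbering; NetBSD 8 and later use table names with "npfctl table"), and NPF_BLACKLIST can be pointed at a scratch file to try it out.

```shell
#!/bin/sh
# Added example (not from the original page): maintain /etc/npf_blacklist.
# Assumes npf.conf has   table <1> type tree file "/etc/npf_blacklist"
# (table id 1 is an assumption; use whatever your ruleset declares).

NPF_BLACKLIST=${NPF_BLACKLIST:-/etc/npf_blacklist}
NPF_TABLE_ID=${NPF_TABLE_ID:-1}

# is_ipv4_cidr ADDR[/PREFIX]: accept only a dotted quad with an optional
# /0-32 prefix. npfctl would reject garbage too, but only at reload time,
# leaving the operator with the old ruleset and an error to chase; here a
# typo or an injected string never reaches the table file at all.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || length($5) > 2 || $5 + 0 > 32)) exit 1
            exit 0
        }'
}

# blacklist_has ADDR: true when ADDR is in the file (the on-disk state;
# "npfctl table ID test ADDR" asks the kernel instead)
blacklist_has() {
    [ -f "$NPF_BLACKLIST" ] && grep -qxF -e "$1" "$NPF_BLACKLIST"
}

# blacklist_add ADDR: validate, skip duplicates, append to the file and,
# where npfctl exists, insert into the live table immediately
blacklist_add() {
    addr=$1
    if ! is_ipv4_cidr "$addr"; then
        echo "rejected: '$addr' is not an IPv4 address or prefix" >&2
        return 1
    fi
    [ -f "$NPF_BLACKLIST" ] || : > "$NPF_BLACKLIST"
    if blacklist_has "$addr"; then
        return 0   # already listed, nothing to do
    fi
    printf '%s\n' "$addr" >> "$NPF_BLACKLIST"
    if command -v npfctl >/dev/null 2>&1; then
        npfctl table "$NPF_TABLE_ID" add "$addr"
    fi
}

# blacklist_rem ADDR: drop from the file and from the live table
blacklist_rem() {
    addr=$1
    [ -f "$NPF_BLACKLIST" ] || return 0
    tmp="$NPF_BLACKLIST.new"
    # grep exits 1 when nothing is left, which is fine here
    grep -vxF -e "$addr" "$NPF_BLACKLIST" > "$tmp" || :
    mv "$tmp" "$NPF_BLACKLIST"
    if command -v npfctl >/dev/null 2>&1; then
        npfctl table "$NPF_TABLE_ID" rem "$addr"
    fi
}

# usage on the router:
#   blacklist_add 198.51.100.0/24
#   blacklist_rem 198.51.100.0/24
```

Entries are matched as written, so 203.0.113.7 and 203.0.113.7/32 count as two different lines; pick one spelling and stick to it.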

TODO logging

npflog0 is the pseudo-interface NPF copies logged packets to; the ifconfig.npflog0 file recreates it at boot. Rules log through a log procedure applied to them, and the result is read with tcpdump(8) on npflog0.

    ifconfig npflog0 create
    echo create > /etc/ifconfig.npflog0

npfctl show prints the ruleset currently loaded in the kernel, the first thing to check when a rule does not seem to apply.

    npfctl show


Nethence | Doc | Pub | Lab | Pbraun | SNE Russia | xhtml