NetBSD-Users archive


Re: family inet and parameter stateful | npf.conf



Darrel <levitch%iglou.com@localhost> wrote:
> > If the problem still occurs, then can you describe the connection i.e.
> > what/where exactly is your source and destination?
> >
> > Just to be sure -- when using "stateful", one should be aware that for
> > TCP connections the rule should apply for the initiating (SYN) packet.
> > If, for example, direction is confused and the rule is applied for the
> > reply (SYN-ACK) packet - connection tracking engine will not try to fix
> > it up and will eventually time out the state.
> >
> 
> The particular server that I had login problems with is okay now, rather
> I have been logged into it for a couple of days.  Perhaps I had an extra 
> line in my npf.conf that was causing my problem, but am not certain. 
> Having just begun to use NPF, I made lots of rapid changes and was losing 
> sleep.
> 
> So to hopefully further clarify "stateful".  What I am using now:
> 
>          pass stateful out final family inet from $if_ext apply "rid"
>          pass stateful in family inet to $if_ext
> 
> should be changed to:
> 
>          pass stateful out final family inet from $if_ext apply "rid"
>          pass in family inet to $if_ext

No, it would be the case I described.  The second rule passes incoming
traffic without state creation, and the outgoing reply packet (SYN-ACK)
from your machine would match the first rule, which would create the
state in the wrong direction.  So your first case is correct.  You can
also limit the first rule to TCP and SYN, e.g.:

pass stateful out final family inet proto tcp flags S/SA from $if_ext

> or am I still missing something?  I am particularly wondering about
> logging - is this set up by the user or perhaps have some defaults that
> might not need much tweaking?

npflog is just a virtual interface for BPF tap.  You can tcpdump it.

-- 
Mindaugas
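The following npf.conf fragment is an added illustration of the points made in this thread, not configuration posted by either participant. It assumes an external interface called wm0 and an ssh service on the host; both are constructed placeholders. It keeps state creation on the initiating packet in both directions (the "stateful" keyword on the out rule and on the in rule), restricts the TCP rules to the SYN packet with "flags S/SA" so a reply SYN-ACK can never match them, and wires logging to the npflog0 interface through a procedure.

```conf
# Constructed example, not the poster's npf.conf. Replace wm0 with the real
# external interface.
$if_ext = "wm0"

# Logging is done by a procedure; npflog0 is only a virtual interface that
# feeds a BPF tap, so rules that apply "log" can be watched with tcpdump.
procedure "log" {
    log: npflog0
}

group "external" on $if_ext {
    # Outbound: the state is created on the packet that opens the connection.
    # For TCP, match only the SYN (S/SA = SYN set, ACK clear) so that a
    # SYN-ACK reply from this host can never create state in the wrong
    # direction.
    pass stateful out final family inet proto tcp flags S/SA from $if_ext apply "log"
    pass stateful out final family inet proto udp from $if_ext
    pass stateful out final family inet proto icmp from $if_ext

    # Inbound service: state must be created on the inbound SYN, so the rule
    # is "pass stateful in", never a plain "pass in" without state (a plain
    # "pass in" here would leave the reply SYN-ACK to match the out rule and
    # build the state backwards, as described above).
    pass stateful in final family inet proto tcp flags S/SA to $if_ext port ssh apply "log"

    # Everything else arriving on the external interface is dropped and
    # logged; "final" stops evaluation at this rule.
    block in final family inet to $if_ext apply "log"
}

group default {
    pass final on lo0 all
    block all
}
```

Before loading, check the syntax with `npfctl validate /etc/npf.conf`; the npflog0 interface has to exist (`ifconfig npflog0 create`) before the rules that apply "log" are loaded with `npfctl reload`, after which `tcpdump -n -i npflog0` shows the logged packets together with their direction, which is the quickest way to confirm that state is being created on the SYN and not on the SYN-ACK.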

