npf on a router: configuration issues

To: netbsd-users%netbsd.org@localhost
Subject: npf on a router: configuration issues
From: Greg Troxel <gdt%lexort.com@localhost>
Date: Tue, 01 Apr 2025 08:57:38 -0400

I am trying to configure npf in a router/nat context and unclear on some
things, with the documentation not being clear enough to unconfuse me.
This is intended today as a series of questions I'd like answers for,
although I see it as also serving as a documentation bug report.

1) There are groups.  The documentation says

   "NPF requires that all rules be defined within groups.  Groups can be
   thought of as higher level rules which can contain subrules.  Groups may
   have the following options: name, interface, and direction.  Packets
   matching group criteria are passed to the ruleset of that group.  If a
   packet does not match any group, it is passed to the default group.  The
   default group must always be defined."

   a) Will a packet be processed by all groups that match it (meaning
      direction and interface)?  If a packet is processed by multiple
      groups, is there a defined order?  Is it like the rules are the
      concatenation of the groups?  Or is there some
      first-matching-group, and if so is the ordering from the config
      file, or ?

   b) Is it really meant that "if a packet does not match any defined
      group, then -- and only then -- will it be processed by the special
      group default (which is default NOT in quotes, as a keyword not a
      name)"?

   c) If a packet is ever processed by more than one group, how does
     `final` work?

   d) I don't see any ability to use nested groups.  (Given limited
   selectors, I don't see why I would want to.)  Is that correct?

2) It seems obvious (dangerous I know) that a packet might be processed
   on ingress on $lan_if and then on egress on $wan_if, and that these
   processings should be independent.  Is this true?

3) In some other firewalls, I have seen a concept of separate processing
   for
    - incoming on an interface
    - from the forwarding part of the stack inbound to the host
    - to the forwarding part of the stack outbound from the host
    - outgoing on an interface

   I don't see this concept in npf.

   a) Am I reading the docs correctly?

   b) Assuming so, and I want to
        - block packets heading to the host to most ports, except for a few
        - allow outbound transit packets without regard to blocked ports
      how do I do this?  It looks like I have to have my block rules
      narrowed by $ifaddrs and run on each interface, making groups
      awkward.  Surely there must be a better way, as I don't think my
      intent is unusual.

      I don't see a way to put dst-is-host packets in a group.

   c) Or is inbound rule processing limited to packets that are for this
      host?  Outbound seems not to be limited like that, because
      otherwise NAT wouldn't work.

4) I understand stateful processing on outbound, given a default block
   on inbound.  I understand stateful processing for TCP on inbound so
   that bare SYN to allowed ports creates a state entry, and then future
   packets that match the flow are allowed.

   Why would I want to or not want to use stateful processing for
   inbound UDP?  Inbound ICMP echo?

5) The NAT examples almost all suggest a group with "pass stateful out
   final".

   Is there any reason there needs to be such a group/rules if the rules
   that exist anyway on the outbound interface have "pass stateful out"?


Thanks,
gdt

Prev by Date: tiger vncserver continues running after exiting desktop
Next by Date: Re: NetBSD tools/gmp build.sh issues on Solaris-11.4
Previous by Thread: tiger vncserver continues running after exiting desktop
Next by Thread: make CD music
Indexes:

Home | Main Index | Thread Index | Old Index