At Fri, 11 Apr 2025 17:13:42 -0400, Greg Troxel <gdt%lexort.com@localhost> wrote:
Subject: Re: npf on a router: configuration issues
>
> It is still sensible to want to be able to write a firewall rule that
> will only be matched for a packet that is being input to the host
> portion (delivered to a socket, more or less), or has been emitted from
> the host portion (sent by a socket, more or less).  I think it's a
> design bug in a firewall not to be able to do that simply and
> straightforwardly.

I think the answer was given:

Robert Elz <kre%munnari.OZ.AU@localhost> wrote:
>
> If that is lo0 (or more correctly, loN for any N, even though almost
> no-one ever configures more than lo0, it can actually be done),
> the packet ends up being sent, via the protocol stack, to an application
> (if there is one which wants it) or otherwise being processed locally
> (eg: ICMP), or dropped if nothing wants it.
>
> [[....]]
>
> This is why the routing table needs a route for every addr the system
> owns, with the dest interface being lo0.  Even sending (IP) packets
> from one application to another on the same host uses this model and
> processing sequence.

So, for the first part, filter incoming packets on lo0 to control what is
being delivered to any application socket.  For IPF I use rules like
these, which I would think should translate directly into NPF syntax:

	pass in on lo0 all head LOOPin
	pass in quick from (de0)/32 to any group LOOPin
	pass in quick from (de1)/32 to any group LOOPin
	pass in quick from 127.0.0.0/8 to any group LOOPin
	block in log quick all group LOOPin

For outgoing packets from the host, well, they're being routed via an
interface to whatever destination they have, so you can filter them on
each outgoing interface, no?  For IPF I use rules like these:

	pass out on de1 all head DSLout
	##
	## don't allow ourselves to spoof with source != our own
	## interface address.
	##
	pass out quick from (de1)/32 to any group DSLout
	block out log all group DSLout

--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>
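The post says the IPF rules "should translate directly into NPF syntax" but does not show the translation. The npf.conf fragment below is an added example written for this page, not Greg Woods's own configuration and not from the NetBSD sources: it carries the two IPF groups above over to NPF. The interface names de0 and de1 come from the post; the group names "loopback" and "dsl" and the procedure name "log" are my own choices. NPF's `final` plays the role of IPF's `quick` (without it, the last matching rule in a group wins), `inet4(de0)` expands to the IPv4 address(es) of de0 much as IPF's `(de0)/32` does, and logging is done through a rule procedure rather than a `log` keyword.

```npf
# Hypothetical npf.conf fragment (added example, not from the post).
# de0/de1 follow the IPF rules above; group/procedure names are mine.

procedure "log" {
	# NPF counterpart of IPF's "log" keyword: copy matching packets
	# to npflog0, where npfd(8) can pick them up.
	log: npflog0
}

# IPF: pass in on lo0 all head LOOPin ... block in log quick all group LOOPin
# Everything destined for a local socket is delivered via lo0, so this
# group gates what reaches applications (and what one local application
# may send another).  "final" is NPF's equivalent of IPF's "quick".
group "loopback" on lo0 {
	pass in final from inet4(de0) to any
	pass in final from inet4(de1) to any
	pass in final from 127.0.0.0/8 to any
	block in final all apply "log"
}

# IPF: pass out on de1 all head DSLout ... block out log all group DSLout
# Anti-spoofing on the upstream interface: only our own interface
# address may appear as the source of packets we originate.
group "dsl" on de1 {
	pass out final from inet4(de1) to any
	block out all apply "log"
}

group default {
	# catch-all for traffic the interface groups above did not decide
	block all
}
```

Two points worth checking before loading such a ruleset. First, like the IPF original it is IPv4-only: `block in final all` in the lo0 group also matches IPv6, so on a host that uses IPv6 the `::1` and `inet6(de0)`/`inet6(de1)` sources need their own `pass in final` lines or local IPv6 delivery stops. Second, `npfctl validate` will check the syntax before `npfctl reload` makes it live.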