Re: NPF and PF

To: Robert Swindells <rjs%fdy2.co.uk@localhost>
Subject: Re: NPF and PF
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Thu, 17 Dec 2020 17:07:03 +0100

On Thu, Dec 17, 2020 at 03:53:33PM +0000, Robert Swindells wrote:
> 
> Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> >On Wed, Dec 16, 2020 at 05:45:36PM +0000, Robert Swindells wrote:
> >> 
> >> Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> >> >On Wed, Dec 16, 2020 at 04:07:54PM +0100, Hauke Fath wrote:
> >> >> [...]
> >> >> IMHO, the NetBSD packet filter supports SOHO installations at best; 
> >> >> anything else is misleading.
> >> >
> >> >Even at home, I stay with ipf for multihomed routers.
> >> >npf just lacks the features I use (as I already explained several times).
> >> 
> >> Prompted by today's thread I looked back at recent firewall discussions.
> >> 
> >> I don't see enough of a description of what you want to do to be able
> >> to work on fixing your problem.
> >
> >My first mail on this topic was 26 Oct 2012 on tech-net@
> >I then did send a more complete example 21 Aug 2018, as a followup to a
> >mail from you on developers@ (you were in Cc).
> >I dind't get any follow up.
> 
> By "what you want to do" I guess I'm really looking for an even higher
> level description of where you want firewall operations to get done.

first filter input packets based on source address
(default: block all).
Then, if not blocked above, filter based on destination address
(default: block all too)

> 
> Are you trying to isolate Xen VMs from each other or just protect them
> from the outside ?

both. But I have similar configs on routers, this is not specific to Xen

> 
> You write that you have BRIDGE_IPF enabled, presumably you add some
> interfaces to a bridge, knowing which ones would be a help in
> understanding your configuration.

the domU's interface (from the dom0 view) are bridged with real
interfaces (or vlan(4) in my case). But really, it doesn't matter.
On my routers I have a similar setup and no bridge involved.
The problem is really to have a packet go through several rulesets,
where a ruleset could decide to block the packet, or let it pass to
the next one.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Follow-Ups:
- Re: NPF and PF
  - From: Mouse

References:
- Re: NPF and PF
  - From: Manuel Bouyer
- Re: NPF and PF
  - From: Robert Swindells

Prev by Date: Re: NPF and PF
Next by Date: Re: NPF and PF
Previous by Thread: Re: NPF and PF
Next by Thread: Re: NPF and PF
Indexes:

Home | Main Index | Thread Index | Old Index