tech-net archive


NPF Port Range Mapping and Network Segregation



Hi all,

I've recently started using NetBSD 10.1 in a router/firewall context. All is working fine but I have a couple of questions about NPF.

First of all I was wondering if it was possible to map a port range in NPF, specifically to allow FTP PASV to work correctly and so I can have my FTP server configured on another machine on the network.

I can see in npf.conf.5 that the following terms are used, but I'm not sure how to interpret the syntax or whether they're relevant to mapping a port range the way I think they might be.

port-opts = "port" ( port-num | port-from "-" port-to | var-name )
addr-mask = addr [ "/" mask ]


Here are the relevant parts of my npf.conf so far:


map $ext_if dynamic proto tcp 192.168.0.6 port 3000-4000 <- $ext_if port 3000-4000  # this is not valid according to npfctl

pass stateful in final family inet4 proto tcp to $ext_if port 21 # there are no errors shown for this line

pass stateful in final family inet4 proto tcp to $ext_if port 49152-52000 # there are no errors shown for this line


As a temporary workaround, I have my FTP server running on the NetBSD router/firewall itself.




Finally, how can I segregate two different networks using NPF? Here's what I have right now; there are no VLANs involved.


group "wifi" on $wifi_if {
        pass in all
        pass out all
}

group "internal" on $int_if {
        block stateful in from $wifinet
        pass in all
        pass out all
}

group default {
        pass final on lo0 all
        block final all apply "log"
}


The 'wifi' interface connects to a wifi access point on the 10.0.0.0/8 network. My phone can join the SSID for this wifi network and get out to the Internet via my NetBSD router/firewall. However, it can also connect to services on 192.168.0.0/24 (and vice versa), which is precisely what I'd like to prevent. This 192.168.0.0/24 network is the one covered by the group 'internal' above.

If I leave the 'wifi' group empty, the phone cannot connect to anything, which is expected, and that is about the only progress I've made so far in controlling this wifi network.


Thank you for your time and for any information you can provide.


Pete.
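An added example, not part of Pete's message, showing one way to keep the two networks apart in npf.conf: the cross-network block is placed in the group of the interface on which that traffic arrives, and marked final so the following pass in all cannot override it (NPF rules are last-match-wins unless final). $intnet is an assumed variable name; $int_if, $wifi_if, $wifinet and the "log" procedure are taken from the post.

```conf
# Added example (not from Pete's message). $intnet is an assumed name for the
# 192.168.0.0/24 side; the "log" procedure is assumed to be defined as in the
# original config.
$intnet  = { 192.168.0.0/24 }
$wifinet = { 10.0.0.0/8 }

group "wifi" on $wifi_if {
        # Wifi -> LAN packets enter on $wifi_if, so an inbound block in the
        # "internal" group never sees them; the block has to live here.
        # "final" stops rule processing, so the later "pass in all" does not win.
        block in final from $wifinet to $intnet apply "log"
        pass in all
        pass out all
}

group "internal" on $int_if {
        # LAN -> wifi packets enter on $int_if; block the reverse path here.
        block in final from $intnet to $wifinet apply "log"
        pass in all
        pass out all
}

group default {
        pass final on lo0 all
        block final all apply "log"
}
```

With both blocks logged, any remaining cross-network attempt shows up in the npf log interface rather than silently passing.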