tech-net archive
Re: NPF Port Range Mapping and Network Segregation
> On 21 Jan 2025, at 16:09, Hector <hector%netdog.org@localhost> wrote:
>
> On 1/21/25 05:57, Pete Long wrote:
>> Finally, how can I segregate two different networks using NPF? Here's what I have right now and there are no VLANs involved.
>> group "internal" on $int_if {
>> block stateful in from $wifinet
>> pass in all
>> pass out all
>> }
>
>
> Probably your 'block stateful in from $wifinet' is overridden by the subsequent 'pass in all'
>
> NPF.CONF(5) says:
>
>> If a packet matches a rule which has the final option set, this rule is
>> considered the last matching rule, and evaluation of subsequent rules is
>> skipped. Otherwise, the last matching rule is used.
>
Thanks for the suggestion. Unfortunately I'm still unable to stop packets passing between the two interfaces:
group "wifi" on $wifi_if {
block in final from $localnet
block out final to $localnet
pass in all
pass out all
}
group "internal" on $int_if {
block in final from $wifinet
block out final to $wifinet
pass in all
pass out all
}
group default {
pass final on lo0 all
block all
}
I've run '/usr/sbin/tcpdump -n -e -ttt -i npflog0' and can see references to rules like '18' allowing communication between the two interfaces, which then don't appear when I try 'npfctl show'. The highest I can see is 14. Is this hexadecimal?
00:00:00.706712 rule 18.rules.0/0(match): pass out on bge0: 10.0.0.5 > 192.168.0.5: ICMP echo request, id 30840, seq 30840, length 64
Say 10.0.0.0/8 is the wifi network and 192.168.0.0/24 is my wired network, which I want to keep separate from the wifi network.
(I'm trying as well to anonymize my internal networks and ports for this list so that'll trip me up now and again. I hope that doesn't really matter for the purposes of illustration)
Thanks.
Pete.
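As an added illustration of the npf.conf(5) evaluation order quoted above (a matching rule marked "final" ends evaluation; otherwise the last matching rule decides), here is a small model written for this archive page. It is not code from the thread or from NetBSD's NPF. The Rule, evaluate and verdict names are made up for the example, the constructed 10.0.0.0/8 and 192.168.0.0/24 values stand in for $wifinet and $localnet as described in the message, and the model covers only one group's rule list with direction and address matching, not interface selection, state tracking, or fall-through to the default group.

```python
"""Toy model of NPF rule evaluation as described in npf.conf(5):
a matching rule with 'final' ends evaluation, otherwise the last
matching rule is used.  Added example, not NetBSD code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    final: bool = False         # the 'final' keyword
    src: Optional[str] = None   # CIDR given with 'from'; None means any
    dst: Optional[str] = None   # CIDR given with 'to'; None means any

    def matches(self, direction: str, src_ip: str, dst_ip: str) -> bool:
        if direction != self.direction:
            return False
        if self.src and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return True


def evaluate(rules: List[Rule], direction: str, src_ip: str,
             dst_ip: str) -> Optional[Tuple[int, Rule]]:
    """Return (index, rule) of the rule that decides the packet, or None
    if nothing in the list matches."""
    decision = None
    for idx, rule in enumerate(rules):
        if not rule.matches(direction, src_ip, dst_ip):
            continue
        decision = (idx, rule)      # remember the most recent match
        if rule.final:
            break                   # 'final': skip the remaining rules
    return decision


def verdict(rules: List[Rule], direction: str, src_ip: str, dst_ip: str) -> str:
    decision = evaluate(rules, direction, src_ip, dst_ip)
    return decision[1].action if decision else "no match"


# Constructed values standing in for the variables used in the message.
WIFINET = "10.0.0.0/8"
LOCALNET = "192.168.0.0/24"

# The first 'internal' group from the thread: the block is not final,
# so the later 'pass in all' is the last match and overrides it.
ORIGINAL_INTERNAL = [
    Rule("block", "in", src=WIFINET),
    Rule("pass", "in"),
    Rule("pass", "out"),
]

# The revised 'internal' group: 'final' on the block rules stops
# evaluation before 'pass in all' / 'pass out all' are reached.
FINAL_INTERNAL = [
    Rule("block", "in", final=True, src=WIFINET),
    Rule("block", "out", final=True, dst=WIFINET),
    Rule("pass", "in"),
    Rule("pass", "out"),
]

if __name__ == "__main__":
    # Constructed packets: wifi host 10.0.0.5 talking to wired host 192.168.0.5
    for name, rules in (("original", ORIGINAL_INTERNAL), ("final", FINAL_INTERNAL)):
        dec = evaluate(rules, "in", "10.0.0.5", "192.168.0.5")
        print(f"{name:8s} in  10.0.0.5 -> 192.168.0.5: rule {dec[0]} {dec[1].action}")
        print(f"{name:8s} out 192.168.0.5 -> 10.0.0.5: "
              f"{verdict(rules, 'out', '192.168.0.5', '10.0.0.5')}")
```

Running it shows the original group deciding the wifi-to-wired packet with rule 1 (pass) and the revised group deciding it with rule 0 (block), while wired-to-wired and wired-to-Internet traffic still reaches the pass rules.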