Setting up NetBSD Packet Filter (NPF)

Requirements

You need the npf and bpfilter pseudo-devices built into the kernel. They are included by default in the Xen PV (domU) kernels since NetBSD 9; otherwise build a custom kernel with the two lines below. Any kernel modules you rely on (bpfjit, for instance) must be loaded while the system is still at securelevel 0, because at securelevel 1 the kernel refuses to load modules; if you use blacklistd(8), enable it at the same stage. The kernel boots at level 0 and /etc/rc.d/securelevel raises it to 1 during boot unless rc.conf pins it, which is why this guide sets securelevel=0 in rc.conf. Be aware of the trade-off: at level 0 root can load kernel code and write to raw devices, so the gateway has to be protected in other ways (no untrusted local users, tight ssh access).

pseudo-device   npf          # NPF packet filter
pseudo-device   bpfilter        # Berkeley packet filter

check

modstat | grep npf
modstat | grep bpf
modstat | grep jit

IP forwarding

manually (kern.securelevel cannot be lowered on a running system, so the last command only succeeds if the level is already 0; otherwise set securelevel=0 in rc.conf and reboot)

sysctl net.inet.ip.forwarding
sysctl kern.securelevel
sysctl -w net.inet.ip.forwarding=1
sysctl -w kern.securelevel=0

at boot time

mv -i /etc/sysctl.conf /etc/sysctl.conf.dist
grep -vE '^(#|$)' /etc/sysctl.conf.dist > /etc/sysctl.conf
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
echo kern.securelevel=0 >> /etc/sysctl.conf
cat /etc/sysctl.conf

NAT

the snat map does the outbound masquerading; the dnat map (port forwarding) is left commented out until it is actually needed

vi /etc/npf.conf

# bpf.jit needs the bpfjit module; if npfctl warns that the module is missing
# (see Troubles below), change this to "set bpf.jit off"
set bpf.jit on;

# permissive default: passes everything in both directions, tighten before
# exposing the gateway
group default {
    pass in all
    pass out all
}

# snat: masquerade the internal network behind the facing address
map FACING-NIC dynamic INTERNAL-CIDR -> FACING-IP

# dnat: port forwarding, commented out until needed
# map FACING-NIC dynamic proto tcp INTERNAL-IP port XX <- FACING-IP port XX

chmod 600 /etc/npf.conf
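The ruleset above works as a NAT gateway but filters nothing. The configuration below is an added example (not the page's own file, and not taken from the NetBSD tree) of the same NAT setup with a default-deny, stateful ruleset. Assumed names: xennet0 faces the Internet with address 192.0.2.10, xennet1 is on the internal network 10.0.0.0/24, and 10.0.0.5 is the host behind the port forward; substitute your own. NPF translates inbound packets before the rules are evaluated and outbound packets after, so the inbound pass rule for the forward matches the internal address, not the public one.

```conf
# Added example npf.conf, not from the original page. Names and addresses are assumptions.
set bpf.jit off                       # turn on once bpfjit loads (see Troubles)

$ext_if = { inet4(xennet0) }
$int_if = { inet4(xennet1) }
$ext_ip = 192.0.2.10
$lan    = { 10.0.0.0/24 }

# snat: masquerade the internal network behind the public address
map $ext_if dynamic 10.0.0.0/24 -> $ext_ip

# dnat: forward public port 2222 to ssh on the internal host (keep commented until needed)
# map $ext_if dynamic proto tcp 10.0.0.5 port 22 <- $ext_ip port 2222

group "external" on $ext_if {
    pass stateful out final all
    # admin access to the gateway itself
    pass stateful in final proto tcp to $ext_ip port ssh
    # uncomment together with the dnat map; inbound NAT happens before this lookup
    # pass stateful in final proto tcp to 10.0.0.5 port 22
}

group "internal" on $int_if {
    pass stateful in final from $lan
    pass out final all
}

# everything not matched above is dropped; loopback stays open
group default {
    pass final on lo0 all
    block all
}
```

Keep the file mode 600 as above; run npfctl validate /etc/npf.conf after editing, and check with npfctl show that the state table grows only for connections you expect (outbound from $lan, inbound ssh).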

Ready to go

start & enable

echo securelevel=0 >> /etc/rc.conf
echo npf=yes >> /etc/rc.conf
cat /etc/rc.conf

tail -F /var/log/messages &
/etc/rc.d/npf start

status

npfctl show

edit & reload (run npfctl validate /etc/npf.conf first: a syntax error found at reload time leaves you with the old ruleset and a confusing log line)

cp -pi /etc/npf.conf /etc/npf.conf.`date +%s`
vi /etc/npf.conf
/etc/rc.d/npf reload

Acceptance

check that your gateway settings survive a reboot

shutdown -r now

Troubles

npfctl: error loading the bpfjit module; performance will be degraded: Operation not permitted
npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf

"Operation not permitted" is the kernel refusing a module load, which is what happens at securelevel 1 or higher. Either load bpfjit while the system is still at level 0 (modload bpfjit by hand, or list it in /etc/modules.conf so /etc/rc.d/modules loads it at boot) or follow the hint and set bpf.jit off: without the JIT, NPF still filters correctly, only slower. The mailing list threads under Resources discuss bpfjit problems specific to Xen domUs; on those, off is the safe choice.

TODO logging

ifconfig npflog0 create
echo create > /etc/ifconfig.npflog0
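Creating npflog0 only provides the sink; the ruleset has to send packets to it. The fragment below is an added example (not from the page) that wires the interface into /etc/npf.conf: a rule procedure that logs to npflog0, applied to the default block rule so every packet dropped by the default policy is recorded. It assumes npflog0 exists as created above and a ruleset that already blocks by default.

```conf
# Added logging fragment for /etc/npf.conf, not from the original page.
procedure "log" {
    log: npflog0              # copy matching packets to the npflog0 pseudo-interface
}

group default {
    pass final on lo0 all
    block all apply "log"     # log whatever the default-deny policy drops
}
```

Watch the traffic live with tcpdump -n -i npflog0, or enable npfd (npfd=yes in rc.conf, then /etc/rc.d/npfd start) to have the packets written to a pcap file; npfd(8) documents the file location and rotation.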

Resources

NPF (firewall) https://en.wikipedia.org/wiki/NPF_(firewall)

kernel secure levels https://wiki.netbsd.org/tutorials/kernel_secure_levels/

setup

NPF – the packet filter of NetBSD http://www.netbsd.org/~rmind/pub/npf_manual_netbsd_6.pdf

Configuration https://github.com/rmind/npf/blob/master/docs/configuration.md

npf.conf – NPF packet filter configuration file https://man.netbsd.org/npf.conf.5

npf-params – tunable NPF parameters https://man.netbsd.org/npf-params.7

/usr/share/examples/npf/ http://cvsweb.netbsd.org/bsdweb.cgi/src/share/examples/npf/?only_with_tag=MAIN

dev

NPF improvements http://wiki.netbsd.org/projects/project/npf_improvements/

NPF tasklist https://www.netbsd.org/~rmind/npf/__tasklist.html

Web UI for NPF https://wiki.netbsd.org/projects/project/npf_web_ui/

Rule Verification + UI for NPF on NetBSD https://www.cs.cmu.edu/~412/lectures/L03_Firewall_Proposal.pdf

kernel

Loading NetBSD kernel modules https://unix.stackexchange.com/questions/348530/loading-netbsd-kernel-modules

Introduction to NetBSD loadable kernel modules http://www.home.unix-ag.org/bmeurer/NetBSD/howto-lkm.html

bpfjit – Just-In-Time compiler for Berkeley Packet Filter https://man.netbsd.org/bpfjit.4

troubleshooting

Re: npf ‘bpf.jit’ errors out? https://mail-index.netbsd.org/tech-net/2017/04/10/msg006311.html

NPF on domU - more clarity required https://mail-index.netbsd.org/netbsd-users/2014/12/26/msg015576.html

Re: bpfjit and npf on Xen https://mail-index.netbsd.org/tech-net/2016/09/14/msg006102.html


NPF documentation https://rmind.github.io/npf/

Extensions API https://rmind.github.io/npf/extensions.html


Licensed under MIT