Setting up NetBSD Packet Filter (NPF)

Requirements

You should have the npf and bpfilter drivers built-in. They are by default incl. for XEN/PV, since v9. Otherwise build a custom kernel. Also enable blacklistd and the required kernel modules first – as you cannot load those in securelevel 1. Ehm, this is why we use securelevel 0 instead, for magic happens and it goes to 1 by itself afterwards.

    pseudo-device   npf                     # NPF packet filter
    pseudo-device   bpfilter                # Berkeley packet filter

check

    modstat | grep npf
    modstat | grep bpf
    modstat | grep jit

IP forwarding

manually

    sysctl net.inet.ip.forwarding
    sysctl kern.securelevel
    sysctl -w net.inet.ip.forwarding=1
    sysctl -w kern.securelevel=0

at boot time

    mv -i /etc/sysctl.conf /etc/sysctl.conf.dist
grep -vE '^(#|$)' /etc/sysctl.conf.dist > /etc/sysctl.conf
    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
    echo kern.securelevel=0 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

NAT

port forwarding is commented out

    vi /etc/npf.conf

    set bpf.jit on;

    group default {
            pass in all
            pass out all
    }

    map FACING-NIC dynamic INTERNAL/24 -> FACING-IP
    #map FACING-NIC dynamic proto tcp INTERNAL-IP port XXXX <- FACING-IP port XXXX

    chmod 600 /etc/npf.conf

Ready to go

start & enable

    echo securelevel=0 >> /etc/rc.conf
    echo npf=yes >> /etc/rc.conf
    cat /etc/rc.conf

    tail -F /var/log/messages &
    /etc/rc.d/npf start

status

    npfctl show

edit & reload

    cp -pi /etc/npf.conf /etc/npf.conf.`date +%s`
    vi /etc/npf.conf
    /etc/rc.d/npf reload

Acceptance

check that your gateway settings survive a reboot

    shutdown -r now

Troubles

    npfctl: error loading the bpfjit module; performance will be degraded: Operation not permitted
    npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf

TODO logging

    ifconfig npflog0 create
    echo create > /etc/ifconfig.npflog0

Resources

NPF (firewall) https://en.wikipedia.org/wiki/NPF_(firewall)

kernel secure levels https://wiki.netbsd.org/tutorials/kernel_secure_levels/

setup

NPF – the packet filter of NetBSD http://www.netbsd.org/~rmind/pub/npf_manual_netbsd_6.pdf

Configuration https://github.com/rmind/npf/blob/master/docs/configuration.md

npf.conf – NPF packet filter configuration file https://man.netbsd.org/npf.conf.5

npf-params – tunable NPF parameters https://man.netbsd.org/npf-params.7

/usr/share/examples/npf/ http://cvsweb.netbsd.org/bsdweb.cgi/src/share/examples/npf/?only_with_tag=MAIN

dev

NPF improvements http://wiki.netbsd.org/projects/project/npf_improvements/

NPF tasklist https://www.netbsd.org/~rmind/npf/__tasklist.html

Web UI for NPF https://wiki.netbsd.org/projects/project/npf_web_ui/

Rule Verification + UI for NPF on NetBSD https://www.cs.cmu.edu/~412/lectures/L03_Firewall_Proposal.pdf

kernel

Loading NetBSD kernel modules https://unix.stackexchange.com/questions/348530/loading-netbsd-kernel-modules

Introduction to NetBSD loadable kernel modules http://www.home.unix-ag.org/bmeurer/NetBSD/howto-lkm.html

bpfjit – Just-In-Time compiler for Berkeley Packet Filter https://man.netbsd.org/bpfjit.4

troubleshooting

Re: npf ‘bpf.jit’ errors out? https://mail-index.netbsd.org/tech-net/2017/04/10/msg006311.html

NPF on domU - more clarity required https://mail-index.netbsd.org/netbsd-users/2014/12/26/msg015576.html

Re: bpfjit and npf on Xen https://mail-index.netbsd.org/tech-net/2016/09/14/msg006102.html

Trash

Update: since netbsd v9 - no need to recompile your xen kernel anymore!

As for a XEN guest, quoting the XEN howto

In standard kernels, npf is a module, and thus cannot be loaded in a DOMU kernel.

therefore compile your own NetBSD/XEN domU kernel and disable PF for that unless you wanna watch the following error

    ../../../../net/npf/npf_if.c:53:2: error: #error "NPF and PF are mutually exclusive; please select one"

GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH