tested on netbsd 9.3
you need to rebuild the kernel to disable NPF
#pseudo-device npf # NPF packet filter
and enable those instead
pseudo-device pf # PF packet filter
pseudo-device pflog # PF log interface
and optionally PFSYNC and ALTQ if you like, see kernel and tweaks.
enable routing at boot time
mv -i /etc/sysctl.conf /etc/sysctl.conf.dist
grep -vE '^(#|$)' /etc/sysctl.conf.dist > /etc/sysctl.conf
echo kern.securelevel=1 >> /etc/sysctl.conf
echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
reboot and check
shutdown -r now
sysctl kern.securelevel
sysctl net.inet.ip.forwarding
beware NAT rules need to show up before FILTER rules (pf rejects the file otherwise)
cd /etc/
mv -i pf.conf pf.conf.dist
vi pf.conf

# snat
nat on xennet0 inet from INTERNAL-CIDR to any -> FACING-IP
# dnat
rdr on xennet0 inet proto tcp from any to any port XX -> INTERNAL-IP port XX

set skip on lo
pass in on xennet0 all
pass out on xennet0 all
pass in on xennet1 all
pass out on xennet1 all
pass in on xennet2 all
pass out on xennet2 all
apply
echo securelevel=1 >> /etc/rc.conf
echo pf=yes >> /etc/rc.conf
/etc/rc.d/pf restart
tail -F /var/log/messages &
check and enable
pfctl -nf /etc/pf.conf
/etc/rc.d/pf start
status
/etc/rc.d/pf status
pfctl -sq
pfctl -s state
disable
/etc/rc.d/pf stop
manually enable/reload/disable
pfctl -e
pfctl -f /etc/pf.conf
pfctl -d
you will notice that the lo interface group catches lo0 (so set skip on lo also covers lo0)
pfctl -vsI
(seen on freebsd)
"Rules must be in order: options, normalization, queueing, translation, filtering"
==> define NAT before FILTER rules
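the ordering rule above (NAT before FILTER, and the pfctl error that results when it is violated) can be checked on a file before feeding it to pfctl -nf. the following is an added example, not part of the original note: a small sh/awk lint that classifies each rule by its first keyword according to the five pf.conf sections and reports the first rule that appears after a later section. it does not expand macros or anchors, so it is a pre-check, not a replacement for pfctl -nf. the sample configs are constructed (the CIDRs and hosts are placeholders, not from the note).

```shell
#!/bin/sh
# pf_check_order [FILE]: read a pf.conf (file or stdin) and print "ok" or
# "order error: line N (keyword) must come before earlier <keyword> rules".
# Section classes follow the pfctl error text:
#   1 options (set), 2 normalization (scrub), 3 queueing (altq/queue),
#   4 translation (nat/rdr/binat and their anchors), 5 filtering (pass/block/anchor).
# Macro definitions, tables, comments and blank lines are ignored.
pf_check_order() {
    awk '
        function class(w) {
            if (w == "set") return 1
            if (w == "scrub") return 2
            if (w == "altq" || w == "queue") return 3
            if (w == "nat" || w == "rdr" || w == "binat" ||
                w == "nat-anchor" || w == "rdr-anchor" || w == "binat-anchor") return 4
            if (w == "pass" || w == "block" || w == "anchor") return 5
            return 0
        }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop trailing comments
            if (line ~ /^[ \t]*$/) next          # skip blank lines
            n = split(line, f, /[ \t]+/)
            w = (f[1] == "") ? f[2] : f[1]       # first word, tolerating indentation
            c = class(w)
            if (c == 0) next                     # macro, table or unknown: ignore
            if (c < last) {
                printf "order error: line %d (%s) must come before earlier %s rules\n", NR, w, lastw
                bad = 1
                exit
            }
            last = c
            lastw = w
        }
        END { if (!bad) print "ok" }
    ' "$@"
}

# constructed sample: translation rules before filter rules (accepted)
GOOD='set skip on lo
nat on xennet0 inet from 10.0.0.0/24 to any -> 192.0.2.1
rdr on xennet0 inet proto tcp from any to any port 8080 -> 10.0.0.2 port 8080
pass in on xennet0 all
pass out on xennet0 all'

# constructed sample: a nat rule after a pass rule (rejected)
BAD='set skip on lo
pass in on xennet0 all
nat on xennet0 inet from 10.0.0.0/24 to any -> 192.0.2.1'

printf '%s\n' "$GOOD" | pf_check_order
printf '%s\n' "$BAD" | pf_check_order
```

run it as `pf_check_order /etc/pf.conf` before `pfctl -nf /etc/pf.conf`; the lint only looks at leading keywords, so pfctl remains the authority for anything it does not recognise.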
(seen on netbsd)
#error "NPF and PF are mutually exclusive; please select one"
==> rebuild kernel and comment out the npf pseudo-device
https://man.netbsd.org/pf.conf.5
https://man.freebsd.org/cgi/man.cgi?query=pf.conf
https://forums.freebsd.org/threads/sincerely-ask-for-help-about-lo0-settings.87541/ ==> -vsI