I have been struggling to get NPF up and running on a NetBSD VPS, specifically a Xen domU. I really think for security reasons NPF should be nearly ready to go, so that we don't have to spend hours researching and pulling our hair out trying to fix what should be a straightforward issue, which leaves a machine vulnerable when it probably needs protection most. It appears this problem came up some years ago, but Googling provides me with no fix.
I understand that NetBSD as a Xen domU does not support kernel modules. So the recommendation in the NPF documentation to "modload" npf_ext_log does not apply here. Fine, I took a wild guess and compiled a new Xen domU kernel with the following two lines added to make sure NPF logging and normalisation functionality was compiled into the kernel instead:

    options NPF_EXT_LOG
    options NPF_EXT_NORMALISE

Needless to say I also made sure pseudo-device npf was enabled as well. I also made sure /dev/npf existed, and I created /etc/ifconfig.npflog0 with just the word "create". I kept the contents of npf.conf to a minimum for troubleshooting, but NPF just refuses to load. This is the error I get at boot:

    npfctl: cannot open '/dev/npf': Device not configured
    npfctl: cannot open '/dev/npf': Device not configured
    /etc/rc.d/npf exited with code 1

I have /usr on a separate partition which might cause this error at boot but should not cause the error when I do

    /etc/rc.d/npf reload ; /etc/rc.d/npf start

after the system is up and running. Here are the contents of npf.conf:

===================================================================
# /etc/npf.conf

$wired_v4 = { inet4(xennet0) }

procedure "log" {
        log: npflog0
}

group "wired" on $wired_v4 {
        # disable 80 until we are sure this is running properly
        # pass in final family inet4 proto tcp to $wired_v4 port 80
        pass in final family inet4 proto tcp to $wired_v4 port 22022
        pass stateful out final family inet4 proto tcp flags S/SA \
                from $wired_v4
        pass out final family inet4 proto tcp from $wired_v4
        pass stateful out final family inet4 from $wired_v4
}

group default {
        pass final on lo0 all
        block all apply "log"
}
===================================================================

I have faced this issue on several occasions now and it is most frustrating. I would like to be able to have a basic firewall up and running within five minutes of setting up a machine.
I'd been looking forward to trying NPF but it feels as though I'm in the seven circles of Hell trying to get it to run. -- Gerard Lally
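An added example, not part of Gerard's post and not NetBSD's own tooling: a small POSIX sh script that checks a kernel configuration file for the three entries the post says the rebuilt domU kernel relies on (pseudo-device npf plus the two options). It treats anything after '#' as a comment, so an entry that is present but commented out is reported as missing. The option names are taken verbatim from the post and are not verified here to be the correct names for any particular NetBSD release; the sample configuration excerpt embedded in the script is constructed for the demonstration, and the XEN3_DOMU path in the usage comment is an assumption about where such a file would live.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a NetBSD kernel
# configuration file for the NPF entries the post says it added.
# The entries are exactly the ones named in the post; whether NPF_EXT_LOG /
# NPF_EXT_NORMALISE are the right option names for a given NetBSD release is
# an assumption carried over from the post, not verified here.

# Strip '#' comments, squeeze runs of whitespace, trim both ends.
# A commented-out "#options NPF_EXT_LOG" therefore counts as absent.
npf_normalize() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' "$1"
}

# Print "missing: <entry>" for each required entry not found in the file.
npf_missing() {
    cfg=$(npf_normalize "$1")
    for want in "pseudo-device npf" \
                "options NPF_EXT_LOG" \
                "options NPF_EXT_NORMALISE"; do
        printf '%s\n' "$cfg" | grep -qxF "$want" || echo "missing: $want"
    done
}

# Exit status 0 only when nothing is missing.
npf_check() {
    [ -z "$(npf_missing "$1")" ]
}

# Constructed sample config excerpt (hypothetical, not a real XEN3_DOMU file):
# NPF_EXT_NORMALISE is commented out, so the check should flag only that line.
NPF_SAMPLE="${TMPDIR:-/tmp}/npfcheck.sample.$$"
cat > "$NPF_SAMPLE" <<'EOF'
include "arch/amd64/conf/std.xen"
options         NPF_EXT_LOG             # logging compiled into the kernel
#options        NPF_EXT_NORMALISE
pseudo-device   npf
pseudo-device   loop
EOF

# The same sample with the commented-out option restored.
NPF_SAMPLE_OK="${TMPDIR:-/tmp}/npfcheck.sample-ok.$$"
sed 's/^#options/options/' "$NPF_SAMPLE" > "$NPF_SAMPLE_OK"
trap 'rm -f "$NPF_SAMPLE" "$NPF_SAMPLE_OK"' EXIT

if [ "${1:-}" != "" ]; then
    # Usage (path is an assumption): sh npfcheck.sh /usr/src/sys/arch/amd64/conf/XEN3_DOMU
    npf_missing "$1"
    npf_check "$1"
else
    # No argument: run against the constructed sample, which reports
    # "missing: options NPF_EXT_NORMALISE" and nothing else.
    npf_missing "$NPF_SAMPLE"
fi
```

The script only inspects the text of a configuration file; it cannot tell whether the kernel actually booted was built from that file. On NetBSD the configuration name appears in `uname -v`, so compare that against the file you checked before trusting the result, and remember that an "options" line in the config still has to be honoured by the build for the functionality to end up in the kernel.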