I am trying to configure npf in a router/nat context and unclear on some
things, with the documentation not being clear enough to unconfuse me.
This is intended today as a series of questions I'd like answers for,
although I see it as also serving as a documentation bug report.
1) There are groups. The documentation says
"NPF requires that all rules be defined within groups. Groups can be
thought of as higher level rules which can contain subrules. Groups may
have the following options: name, interface, and direction. Packets
matching group criteria are passed to the ruleset of that group. If a
packet does not match any group, it is passed to the default group. The
default group must always be defined."
a) Will a packet be processed by all groups that match it (meaning
direction and interface)? If a packet is processed by multiple
groups, is there a defined order? Is it like the rules are the
concatenation of the groups? Or is there some
first-matching-group, and if so is the ordering from the config
file, or ?
b) Is it really meant that "if a packet does not match any defined
group, then -- and only then -- will it be processed by the special
group default (which is default NOT in quotes, as a keyword not a
name)"?
c) If a packet is ever processed by more than one group, how does
`final` work?
d) I don't see any ability to use nested groups. (Given limited
selectors, I don't see why I would want to.) Is that correct?
2) It seems obvious (dangerous I know) that a packet might be processed
on ingress on $lan_if and then on egress on $wan_if, and that these
processings should be independent. Is this true?
3) In some other firewalls, I have seen a concept of separate processing
for
- incoming on an interface
- from the forwarding part of the stack inbound to the host
- to the forwarding part of the stack outbound from the host
- outgoing on an interface
I don't see this concept in npf.
a) Am I reading the docs correctly?
b) Assuming so, and I want to
- block packets heading to the host to most ports, except for a few
- allow outbound transit packets without regard to blocked ports
how do I do this? It looks like I have to have my block rules
narrowed by $ifaddrs and run on each interface, making groups
awkward. Surely there must be a better way, as I don't think my
intent is unusual.
I don't see a way to put dst-is-host packets in a group.
c) Or is inbound rule processing limited to packets that are for this
host? Outbound seems not to be limited like that, because
otherwise NAT wouldn't work.
4) I understand stateful processing on outbound, given a default block
on inbound. I understand stateful processing for TCP on inbound so
that bare SYN to allowed ports creates a state entry, and then future
packets that match the flow are allowed.
Why would I want to or not want to use stateful processing for
inbound UDP? Inbound ICMP echo?
5) The NAT examples almost all suggest a group with "pass stateful out
final".
Is there any reason there needs to be such a group/rules if the rules
that exist anyway on the outbound interface have "pass stateful out"?
Thanks,
gdt
