minix/netbsd
1
0
Fork 0
mirror of https://github.com/Stichting-MINIX-Research-Foundation/netbsd.git synced 2025-09-13 17:20:03 -04:00
Code Issues Packages Projects Releases Wiki Activity
netbsd/share/examples/npf/host-npf.conf
Lionel Sambuc db4f849365 2015/10/10 12:00:00 UTC
2015-10-15 10:25:28 +02:00

132 lines
4.3 KiB
Plaintext
Raw Permalink Blame History

# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
#
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
# it also does IPSEC on the wifi
#
$wired_if = "wm0"
$wired_v4 = { inet4(wm0) }
$wired_v6 = { inet6(wm0) }
$wifi_if = "iwn0"
$wifi_v4 = { inet4(iwn0) }
$wifi_v6 = { inet6(iwn0) }
$dhcpserver = { 198.51.100.1 }
# sample udp service
$services_udp = { ntp }
# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }
# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
log: npflog0
}
# make a service running on a high port on 127.0.0.1 available on $wired_if
# see also the pass rules below
map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80
group "wired" on $wired_if {
# not being picky about our own address here
pass in final family inet6 proto ipv6-icmp all
pass out final family inet6 proto ipv6-icmp all
pass in final family inet4 proto icmp all
pass in final family inet4 proto tcp \
from $dhcpserver port bootps to $wired_v4 port bootpc
pass in final family inet4 proto udp \
from $dhcpserver port bootps to $wired_v4 port bootpc
pass in final family inet6 proto tcp to $wired_v6 port ssh
# the port mapping
# Note the filter sees packets before translation
pass in final family inet4 proto tcp from any to $wired_v4 port 80
pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any
pass in final family inet4 proto tcp flags S/SA \
from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet4 proto udp \
from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet6 proto tcp flags S/SA \
from $backupsrv_v6 to $wired_v6 port $backup_port
pass in final family inet6 proto udp \
from $backupsrv_v6 to $wired_v6 port $backup_port
pass stateful in final family inet6 proto udp to $wired_v6 \
port $services_udp
pass stateful in final family inet4 proto udp to $wired_v4 \
port $services_udp
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
from $wired_v6
pass stateful out final family inet4 proto tcp flags S/SA \
from $wired_v4
# pass the other tcp packets without generating extra state
pass out final family inet6 proto tcp from $wired_v6
pass out final family inet4 proto tcp from $wired_v4
# all other types of traffic, generate state per packet
pass stateful out final family inet6 from $wired_v6
pass stateful out final family inet4 from $wired_v4
}
group "wifi" on $wifi_if {
# linklocal
pass in final family inet6 proto ipv6-icmp to fe80::/10
pass out final family inet6 proto ipv6-icmp from fe80::/10
# administrative multicasts
pass in final family inet6 proto ipv6-icmp to ff00::/10
pass out final family inet6 proto ipv6-icmp from ff00::/10
pass in final family inet6 proto ipv6-icmp to $wifi_v6
pass in final family inet4 proto icmp to $wifi_v4
pass in final family inet4 proto tcp \
from any port bootps to $wifi_v4 port bootpc
pass in final family inet4 proto udp \
from any port bootps to $wifi_v4 port bootpc
pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
pass in final family inet6 proto udp to $wifi_v6 port $services_udp
pass in final family inet4 proto udp to $wifi_v4 port $services_udp
# IPSEC
pass in final family inet6 proto udp to $wifi_v6 port isakmp
pass in final family inet4 proto udp to $wifi_v4 port isakmp
pass in family inet6 proto esp all
pass in family inet4 proto esp all
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
from $wifi_v6
pass stateful out final family inet4 proto tcp flags S/SA \
from $wifi_v4
# pass the other tcp packets without generating extra state
pass out final family inet6 proto tcp from $wifi_v6
pass out final family inet4 proto tcp from $wifi_v4
# all other types of traffic, generate state per packet
pass stateful out final family inet6 from $wifi_v6
pass stateful out final family inet4 from $wifi_v4
}
group default {
pass final on lo0 all
block all apply "log"
}
Reference in New Issue View Git Blame Copy Permalink