host-npf.conf revision 1.1 
11.1Sspz# this is an example of NPF rules for a host (i.e., not routing) with
21.1Sspz# two network interfaces, wired and wifi
31.1Sspz#
41.1Sspz# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
51.1Sspz# it also does IPSEC on the wifi
61.1Sspz#
71.1Sspz$wired_if = "wm0"
81.1Sspz$wifi_if = "iwn0"
91.1Sspz
101.1Sspz$dhcpserver = { 198.51.100.1 }
111.1Sspz
121.1Sspz# sample udp service
131.1Sspz$services_udp = { ntp }
141.1Sspz
151.1Sspz# sample mixed service
161.1Sspz$backupsrv_v4 = { 198.51.100.11 }
171.1Sspz$backupsrv_v6 = { 2001:0DB8:404::11 }
181.1Sspz$backup_port = { amanda }
191.1Sspz
201.1Sspz# watching a tcpdump of npflog0, when it only logs blocks,
211.1Sspz# can be very helpful for building the rules you actually need
221.1Sspzprocedure "log" {
231.1Sspz     log: npflog0
241.1Sspz}
251.1Sspz
261.1Sspzprocedure "rid" {
271.1Sspz     normalise: "random-id"
281.1Sspz}
291.1Sspz
301.1Sspzgroup (name "wired", interface $wired_if) {
311.1Sspz
321.1Sspz	# not being picky about our own address here
331.1Sspz	pass in  final family inet6 proto ipv6-icmp all
341.1Sspz	pass out final family inet6 proto ipv6-icmp all
351.1Sspz	pass in  final family inet  proto icmp      all
361.1Sspz
371.1Sspz	pass in  final family inet proto tcp \
381.1Sspz		from $dhcpserver port bootps to $wired_if port bootpc
391.1Sspz	pass in  final family inet proto udp \
401.1Sspz		from $dhcpserver port bootps to $wired_if port bootpc
411.1Sspz
421.1Sspz	pass in final family inet6 proto tcp to $wired_if port ssh
431.1Sspz
441.1Sspz	pass in final family inet  proto tcp flags S/SA \
451.1Sspz		from $backupsrv_v4 to $wired_if port $backup_port 
461.1Sspz	pass in final family inet  proto udp \
471.1Sspz		from $backupsrv_v4 to $wired_if port $backup_port
481.1Sspz	pass in final family inet6 proto tcp flags S/SA \
491.1Sspz		from $backupsrv_v6 to $wired_if port $backup_port 
501.1Sspz	pass in final family inet6 proto udp \
511.1Sspz		from $backupsrv_v6 to $wired_if port $backup_port
521.1Sspz
531.1Sspz	pass stateful in final family inet6 proto udp to $wired_if \
541.1Sspz		port $services_udp
551.1Sspz	pass stateful in final family inet  proto udp to $wired_if \
561.1Sspz		port $services_udp
571.1Sspz
581.1Sspz	# only SYN packets need to generate state
591.1Sspz	pass stateful out final family inet6 proto tcp flags S/SA \
601.1Sspz		from $wired_if apply "rid" 
611.1Sspz	pass stateful out final family inet  proto tcp flags S/SA \
621.1Sspz		from $wired_if apply "rid" 
631.1Sspz	# pass the other tcp packets without generating extra state
641.1Sspz	pass out final family inet6 proto tcp from $wired_if apply "rid" 
651.1Sspz	pass out final family inet  proto tcp from $wired_if apply "rid" 
661.1Sspz
671.1Sspz	# all other types of traffic, generate state per packet
681.1Sspz	pass stateful out final family inet6 from $wired_if apply "rid" 
691.1Sspz	pass stateful out final family inet  from $wired_if apply "rid" 
701.1Sspz
711.1Sspz}
721.1Sspz
731.1Sspzgroup (name "wifi", interface $wifi_if) {
741.1Sspz	# linklocal
751.1Sspz	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
761.1Sspz	pass out final family inet6 proto ipv6-icmp from fe80::/10
771.1Sspz
781.1Sspz	# administrative multicasts
791.1Sspz	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
801.1Sspz	pass out final family inet6 proto ipv6-icmp from ff00::/10
811.1Sspz
821.1Sspz	pass in  final family inet6 proto ipv6-icmp to $wifi_if
831.1Sspz	pass in  final family inet  proto icmp      to $wifi_if
841.1Sspz
851.1Sspz	pass in  final family inet proto tcp \
861.1Sspz		from any port bootps to $wifi_if port bootpc
871.1Sspz	pass in  final family inet proto udp \
881.1Sspz		from any port bootps to $wifi_if port bootpc
891.1Sspz
901.1Sspz        pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh 
911.1Sspz
921.1Sspz        pass in final family inet6 proto udp to $wifi_if port $services_udp
931.1Sspz        pass in final family inet  proto udp to $wifi_if port $services_udp
941.1Sspz
951.1Sspz	# IPSEC
961.1Sspz	pass in final family inet6 proto udp to $wifi_if port isakmp
971.1Sspz	pass in final family inet  proto udp to $wifi_if port isakmp
981.1Sspz	pass in family inet6 proto esp all
991.1Sspz	pass in family inet  proto esp all
1001.1Sspz
1011.1Sspz	# only SYN packets need to generate state
1021.1Sspz        pass stateful out final family inet6 proto tcp flags S/SA \
1031.1Sspz		from $wifi_if apply "rid" 
1041.1Sspz        pass stateful out final family inet  proto tcp flags S/SA \
1051.1Sspz		from $wifi_if apply "rid" 
1061.1Sspz	# pass the other tcp packets without generating extra state
1071.1Sspz        pass out final family inet6 proto tcp from $wifi_if apply "rid" 
1081.1Sspz        pass out final family inet  proto tcp from $wifi_if apply "rid" 
1091.1Sspz
1101.1Sspz	# all other types of traffic, generate state per packet
1111.1Sspz        pass stateful out final family inet6 from $wifi_if apply "rid" 
1121.1Sspz        pass stateful out final family inet  from $wifi_if apply "rid" 
1131.1Sspz}
1141.1Sspz
1151.1Sspzgroup (default) {
1161.1Sspz	pass final on lo0 all
1171.1Sspz	block all apply "log"
1181.1Sspz}
119