# $NetBSD: host-npf.conf,v 1.2 2012/08/22 06:45:17 spz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
#
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
# it also does IPSEC on the wifi
#
# Overall policy: everything not explicitly passed in one of the
# interface groups below falls through to group (default), which
# blocks and logs it (default deny, see the end of this file).

# interface names; adjust to the local hardware
$wired_if = "wm0"
$wifi_if = "iwn0"

# the only host allowed to answer DHCP on the wired segment
# (addresses in this file are from the documentation ranges)
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

# "random-id" normalisation, applied to outbound traffic below; see
# npf.conf(5) for exactly which header field it rewrites
procedure "rid" {
	normalise: "random-id"
}

group (name "wired", interface $wired_if) {

	# not being picky about our own address here
	# (ICMP/ICMPv6 accepted regardless of destination; ICMPv6 is
	# required for neighbour discovery and SLAAC)
	pass in final family inet6 proto ipv6-icmp all
	pass out final family inet6 proto ipv6-icmp all
	pass in final family inet proto icmp all

	# DHCP replies, accepted only from the configured server
	# NOTE(review): DHCP normally runs over UDP only; the tcp rule is
	# presumably a belt-and-braces entry -- confirm it is wanted
	pass in final family inet proto tcp \
	    from $dhcpserver port bootps to $wired_if port bootpc
	pass in final family inet proto udp \
	    from $dhcpserver port bootps to $wired_if port bootpc

	# inbound ssh is admitted on IPv6 only on this interface;
	# there is no matching inet rule, so IPv4 ssh is blocked by default
	pass in final family inet6 proto tcp to $wired_if port ssh

	# backup traffic, restricted to the backup server addresses
	# NOTE(review): these tcp rules are stateless and match only
	# SYN-without-ACK (flags S/SA); confirm that the remaining segments
	# of an inbound connection are matched by another rule
	pass in final family inet proto tcp flags S/SA \
	    from $backupsrv_v4 to $wired_if port $backup_port
	pass in final family inet proto udp \
	    from $backupsrv_v4 to $wired_if port $backup_port
	pass in final family inet6 proto tcp flags S/SA \
	    from $backupsrv_v6 to $wired_if port $backup_port
	pass in final family inet6 proto udp \
	    from $backupsrv_v6 to $wired_if port $backup_port

	# inbound udp services (stateful, so replies are allowed back out)
	pass stateful in final family inet6 proto udp to $wired_if \
	    port $services_udp
	pass stateful in final family inet proto udp to $wired_if \
	    port $services_udp

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wired_if apply "rid"
	pass stateful out final family inet proto tcp flags S/SA \
	    from $wired_if apply "rid"
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wired_if apply "rid"
	pass out final family inet proto tcp from $wired_if apply "rid"

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wired_if apply "rid"
	pass stateful out final family inet from $wired_if apply "rid"

}

group (name "wifi", interface $wifi_if) {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	# NOTE(review): ff00::/10 is narrower than the full IPv6 multicast
	# range ff00::/8; presumably intentional -- confirm
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	# unlike the wired group, inbound ICMP is limited to our own address
	pass in final family inet6 proto ipv6-icmp to $wifi_if
	pass in final family inet proto icmp to $wifi_if

	# DHCP replies from any server: the wifi side roams, so the server
	# cannot be pinned the way $dhcpserver is on the wired interface
	# (any host on the wireless segment can reach port bootpc here)
	pass in final family inet proto tcp \
	    from any port bootps to $wifi_if port bootpc
	pass in final family inet proto udp \
	    from any port bootps to $wifi_if port bootpc

	# inbound ssh (IPv6 only, as on the wired side)
	# NOTE(review): stateless and flags S/SA, so only the initial SYN
	# matches this rule; confirm the rest of the connection is passed
	pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh

	# inbound udp services; note these are NOT stateful here, unlike the
	# equivalent rules in the wired group
	pass in final family inet6 proto udp to $wifi_if port $services_udp
	pass in final family inet proto udp to $wifi_if port $services_udp

	# IPSEC
	# IKE on the isakmp port plus ESP from anywhere
	# NOTE(review): the esp rules carry no "final", so later matching
	# rules can still override them -- confirm this is intended
	pass in final family inet6 proto udp to $wifi_if port isakmp
	pass in final family inet proto udp to $wifi_if port isakmp
	pass in family inet6 proto esp all
	pass in family inet proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wifi_if apply "rid"
	pass stateful out final family inet proto tcp flags S/SA \
	    from $wifi_if apply "rid"
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_if apply "rid"
	pass out final family inet proto tcp from $wifi_if apply "rid"

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_if apply "rid"
	pass stateful out final family inet from $wifi_if apply "rid"
}

# catch-all: loopback is unrestricted, everything else is dropped and
# logged to npflog0 (the "log" procedure above)
group (default) {
	pass final on lo0 all
	block all apply "log"
}