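# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
#
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
# it also does IPSEC on the wifi
#
# rule ordering: "final" stops rule processing for a packet that matches;
# anything an interface group does not pass ends up at the
# "block all apply "log"" rule of the default group at the bottom,
# so npflog0 shows exactly what is missing from the groups

$wired_if = "wm0"
$wired_v4 = { inet4(wm0) }
$wired_v6 = { inet6(wm0) }

$wifi_if = "iwn0"
$wifi_v4 = { inet4(iwn0) }
$wifi_v6 = { inet6(iwn0) }

# the only host allowed to answer DHCP on the wired side
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

# applied to every "pass out" rule below
procedure "rid" {
	normalise: "random-id"
}

group (name "wired", interface $wired_if) {

	# not being picky about our own address here
	pass in final family inet6 proto ipv6-icmp all
	pass out final family inet6 proto ipv6-icmp all
	pass in final family inet proto icmp all

	# DHCP replies, only from the known server
	# NOTE(review): "to $wired_v4" only covers addresses wm0 already has;
	# whether the initial offer/ack (sent before the lease is configured)
	# is matched by this depends on how inet4() is evaluated -- confirm
	# with npflog0 while acquiring a lease
	pass in final family inet proto tcp \
	    from $dhcpserver port bootps to $wired_v4 port bootpc
	pass in final family inet proto udp \
	    from $dhcpserver port bootps to $wired_v4 port bootpc

	# inbound ssh: only the initial SYN is matched by the rule, the rest
	# of the connection is tracked by the state it creates
	pass stateful in final family inet6 proto tcp flags S/SA \
	    to $wired_v6 port ssh

	# "flags S/SA" matches the SYN only, so the rule has to be stateful
	# or the rest of the backup connection falls through to the block rule
	pass stateful in final family inet proto tcp flags S/SA \
	    from $backupsrv_v4 to $wired_v4 port $backup_port
	pass in final family inet proto udp \
	    from $backupsrv_v4 to $wired_v4 port $backup_port
	pass stateful in final family inet6 proto tcp flags S/SA \
	    from $backupsrv_v6 to $wired_v6 port $backup_port
	pass in final family inet6 proto udp \
	    from $backupsrv_v6 to $wired_v6 port $backup_port

	pass stateful in final family inet6 proto udp to $wired_v6 \
	    port $services_udp
	# family inet goes with the v4 address set; with $wired_v6 here the
	# rule could never match and the v4 service would be blocked
	pass stateful in final family inet proto udp to $wired_v4 \
	    port $services_udp

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wired_v6 apply "rid"
	pass stateful out final family inet proto tcp flags S/SA \
	    from $wired_v4 apply "rid"
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wired_v6 apply "rid"
	pass out final family inet proto tcp from $wired_v4 apply "rid"

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wired_v6 apply "rid"
	pass stateful out final family inet from $wired_v4 apply "rid"

}

group (name "wifi", interface $wifi_if) {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	# family inet goes with the v4 address set, not $wifi_v6
	pass in final family inet proto icmp to $wifi_v4

	# the DHCP server on wifi is not known in advance, hence "from any"
	# NOTE(review): same caveat as on the wired side about inet4() and
	# the address not yet being configured -- confirm with npflog0
	pass in final family inet proto tcp \
	    from any port bootps to $wifi_v4 port bootpc
	pass in final family inet proto udp \
	    from any port bootps to $wifi_v4 port bootpc

	# "flags S/SA" matches the SYN only, so state is needed for the
	# rest of the ssh connection
	pass stateful in final family inet6 proto tcp flags S/SA \
	    to $wifi_v6 port ssh

	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet proto udp to $wifi_v4 port $services_udp

	# IPSEC
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet proto udp to $wifi_v4 port isakmp
	# NOTE(review): these two are the only "pass in" rules without
	# "final"; if that is not intentional, add it so the decision for
	# ESP does not depend on what follows
	pass in family inet6 proto esp all
	pass in family inet proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wifi_v6 apply "rid"
	pass stateful out final family inet proto tcp flags S/SA \
	    from $wifi_v4 apply "rid"
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6 apply "rid"
	pass out final family inet proto tcp from $wifi_v4 apply "rid"

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6 apply "rid"
	pass stateful out final family inet from $wifi_v4 apply "rid"
}

# everything not passed above is logged and dropped
group (default) {
	pass final on lo0 all
	block all apply "log"
}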