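# $NetBSD: host-npf.conf,v 1.4 2012/12/09 22:12:26 rmind Exp $
#
# This is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi.
#
# It does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6.
# It also does IPSEC (IKE + ESP) on the wifi.
#
# Conventions used below:
#   - "final" stops rule processing on a match, so the order of the
#     pass rules inside a group matters only where rules overlap.
#   - inbound TCP services are admitted with "stateful ... flags S/SA":
#     the SYN creates the state entry and the remaining packets of the
#     connection are matched by that state.  Without "stateful", a rule
#     with "flags S/SA" lets in the SYN only and the client's ACK falls
#     through to the default block.
#   - "family inet" rules must reference the v4 address tables and
#     "family inet6" rules the v6 ones; a mismatch makes the rule dead.
#

$wired_if = "wm0"
$wired_v4 = { inet4(wm0) }
$wired_v6 = { inet6(wm0) }

$wifi_if = "iwn0"
$wifi_v4 = { inet4(iwn0) }
$wifi_v6 = { inet6(iwn0) }

# the only host allowed to answer DHCP on the wired side
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

group (name "wired", interface $wired_if) {

	# not being picky about our own address here
	pass in final family inet6 proto ipv6-icmp all
	pass out final family inet6 proto ipv6-icmp all
	pass in final family inet proto icmp all

	# DHCP is UDP only (RFC 2131); a TCP rule keyed on the remote
	# source port 67 would only pass anything a remote chooses to send
	# from that port to local port 68, so none is given.
	# NOTE(review): the DHCPOFFER/ACK for an interface that has no
	# address yet arrives as broadcast and will not match inet4(wm0);
	# dhcpcd uses a BPF socket for that stage, which bypasses NPF --
	# confirm on your client before relying on this rule.
	pass in final family inet proto udp \
		from $dhcpserver port bootps to $wired_v4 port bootpc

	# inbound ssh: state on the SYN, same shape as the wifi group
	pass stateful in final family inet6 proto tcp flags S/SA \
		to $wired_v6 port ssh

	# backup server: TCP gets state on the SYN, UDP is passed stateless
	# and the replies match the stateful "out" rules below
	pass stateful in final family inet proto tcp flags S/SA \
		from $backupsrv_v4 to $wired_v4 port $backup_port
	pass in final family inet proto udp \
		from $backupsrv_v4 to $wired_v4 port $backup_port
	pass stateful in final family inet6 proto tcp flags S/SA \
		from $backupsrv_v6 to $wired_v6 port $backup_port
	pass in final family inet6 proto udp \
		from $backupsrv_v6 to $wired_v6 port $backup_port

	# udp services; the inet rule references the v4 table (a v6 table
	# under "family inet" never matches and silently drops the service)
	pass stateful in final family inet6 proto udp to $wired_v6 \
		port $services_udp
	pass stateful in final family inet proto udp to $wired_v4 \
		port $services_udp

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wired_v6
	pass stateful out final family inet proto tcp flags S/SA \
		from $wired_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wired_v6
	pass out final family inet proto tcp from $wired_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wired_v6
	pass stateful out final family inet from $wired_v4

}

group (name "wifi", interface $wifi_if) {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts: inbound is keyed on the multicast
	# destination, and so is outbound -- a multicast address is never a
	# valid source (RFC 4291), so "out ... from ff00::/10" matched nothing.
	# NOTE(review): DAD neighbour solicitations are sent from :: and are
	# not covered by either the link-local or the $wifi_v6 rule -- check
	# npflog0 during SLAAC if address configuration stalls.
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp to ff00::/10

	# icmp to our own addresses only; inet must use the v4 table
	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	pass in final family inet proto icmp to $wifi_v4

	# DHCP from any server (the wifi network is not ours); UDP only,
	# see the note in the wired group
	pass in final family inet proto udp \
		from any port bootps to $wifi_v4 port bootpc

	# inbound ssh: the SYN creates state, the rest of the connection
	# is matched by it
	pass stateful in final family inet6 proto tcp flags S/SA \
		to $wifi_v6 port ssh

	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet proto udp to $wifi_v4 port $services_udp

	# IPSEC: IKE on udp/500 and ESP; these are not "final" for ESP so a
	# later rule could still refine it.
	# NOTE(review): no rule for ipsec-nat-t (udp/4500); add one if the
	# wifi side sits behind NAT.
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet proto udp to $wifi_v4 port isakmp
	pass in family inet6 proto esp all
	pass in family inet proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wifi_v6
	pass stateful out final family inet proto tcp flags S/SA \
		from $wifi_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet proto tcp from $wifi_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet from $wifi_v4
}

# everything not explicitly passed above is dropped and logged
group (default) {
	pass final on lo0 all
	block all apply "log"
}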