host-npf.conf revision 1.3 
1# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
2#
3# this is an example of NPF rules for a host (i.e., not routing) with
4# two network interfaces, wired and wifi
5#
6# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
7# it also does IPSEC on the wifi
8#
9$wired_if = "wm0"
10$wired_v4 = { inet4(wm0) }
11$wired_v6 = { inet6(wm0) }
12
13$wifi_if = "iwn0"
14$wifi_v4 = { inet4(iwn0) }
15$wifi_v6 = { inet6(iwn0) }
16
17$dhcpserver = { 198.51.100.1 }
18
19# sample udp service
20$services_udp = { ntp }
21
22# sample mixed service
23$backupsrv_v4 = { 198.51.100.11 }
24$backupsrv_v6 = { 2001:0DB8:404::11 }
25$backup_port = { amanda }
26
27# watching a tcpdump of npflog0, when it only logs blocks,
28# can be very helpful for building the rules you actually need
29procedure "log" {
30     log: npflog0
31}
32
33procedure "rid" {
34     normalise: "random-id"
35}
36
37group (name "wired", interface $wired_if) {
38
39	# not being picky about our own address here
40	pass in  final family inet6 proto ipv6-icmp all
41	pass out final family inet6 proto ipv6-icmp all
42	pass in  final family inet  proto icmp      all
43
44	pass in  final family inet proto tcp \
45		from $dhcpserver port bootps to $wired_v4 port bootpc
46	pass in  final family inet proto udp \
47		from $dhcpserver port bootps to $wired_v4 port bootpc
48
49	pass in final family inet6 proto tcp to $wired_v6 port ssh
50
51	pass in final family inet  proto tcp flags S/SA \
52		from $backupsrv_v4 to $wired_v4 port $backup_port 
53	pass in final family inet  proto udp \
54		from $backupsrv_v4 to $wired_v4 port $backup_port
55	pass in final family inet6 proto tcp flags S/SA \
56		from $backupsrv_v6 to $wired_v6 port $backup_port 
57	pass in final family inet6 proto udp \
58		from $backupsrv_v6 to $wired_v6 port $backup_port
59
60	pass stateful in final family inet6 proto udp to $wired_v6 \
61		port $services_udp
62	pass stateful in final family inet  proto udp to $wired_v6 \
63		port $services_udp
64
65	# only SYN packets need to generate state
66	pass stateful out final family inet6 proto tcp flags S/SA \
67		from $wired_v6 apply "rid" 
68	pass stateful out final family inet  proto tcp flags S/SA \
69		from $wired_v4 apply "rid" 
70	# pass the other tcp packets without generating extra state
71	pass out final family inet6 proto tcp from $wired_v6 apply "rid" 
72	pass out final family inet  proto tcp from $wired_v4 apply "rid" 
73
74	# all other types of traffic, generate state per packet
75	pass stateful out final family inet6 from $wired_v6 apply "rid" 
76	pass stateful out final family inet  from $wired_v4 apply "rid" 
77
78}
79
80group (name "wifi", interface $wifi_if) {
81	# linklocal
82	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
83	pass out final family inet6 proto ipv6-icmp from fe80::/10
84
85	# administrative multicasts
86	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
87	pass out final family inet6 proto ipv6-icmp from ff00::/10
88
89	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
90	pass in  final family inet  proto icmp      to $wifi_v6
91
92	pass in  final family inet proto tcp \
93		from any port bootps to $wifi_v4 port bootpc
94	pass in  final family inet proto udp \
95		from any port bootps to $wifi_v4 port bootpc
96
97        pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 
98
99        pass in final family inet6 proto udp to $wifi_v6 port $services_udp
100        pass in final family inet  proto udp to $wifi_v4 port $services_udp
101
102	# IPSEC
103	pass in final family inet6 proto udp to $wifi_v6 port isakmp
104	pass in final family inet  proto udp to $wifi_v4 port isakmp
105	pass in family inet6 proto esp all
106	pass in family inet  proto esp all
107
108	# only SYN packets need to generate state
109        pass stateful out final family inet6 proto tcp flags S/SA \
110		from $wifi_v6 apply "rid" 
111        pass stateful out final family inet  proto tcp flags S/SA \
112		from $wifi_v4 apply "rid" 
113	# pass the other tcp packets without generating extra state
114        pass out final family inet6 proto tcp from $wifi_v6 apply "rid" 
115        pass out final family inet  proto tcp from $wifi_v4 apply "rid" 
116
117	# all other types of traffic, generate state per packet
118        pass stateful out final family inet6 from $wifi_v6 apply "rid" 
119        pass stateful out final family inet  from $wifi_v4 apply "rid" 
120}
121
122group (default) {
123	pass final on lo0 all
124	block all apply "log"
125}
126