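# $NetBSD: l2tp_gw-npf.conf,v 1.6 2016/02/06 20:19:28 riastradh Exp $
#
# Example NPF ruleset for an L2TP/IPsec gateway: one internal network is
# NAT'ed out through a single external interface, and the gateway itself
# terminates L2TP over IPsec (NAT-T) on that external address.
#
# ex0  - (internal) network interface
#        192.0.2.254/24
# hme0 - (external) connection to Peer
#        198.51.100.142/24

$int_if = "ex0"
$ext_if = "hme0"

# RFC 1918 private address space.  The 172.16/12 block spans
# 172.16.0.0 - 172.31.255.255; the earlier /14 only covered 172.16 - 172.19
# and left the rest of that range unblocked.
$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# ICMP application-level gateway, so ICMP messages that refer to
# translated flows are handled together with the NAT mapping below.
alg "icmp"

#
# NAT for all.
#
map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)

#table <1> type tree file "/etc/npf_problem_sites"

# Rule procedure: rules with 'apply "log"' are copied to npflog0.
procedure "log" {
	log: npflog0
}

#
# Rules for the external (Internet-facing) interface.  Rules are evaluated
# in order; "final" stops at the first match.
#
group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	# These come first so that the private-address blocks below do not
	# swallow replies from a DHCP server that uses a reserved source.
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"
	#
	# Everything the gateway or the NAT'ed clients originate is allowed
	# out; the state entries admit the return traffic.
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# Directed broadcast of the internal network must never arrive from
	# outside.
	block in final proto tcp to 192.0.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall: nothing arriving on the
	# external interface may carry a loopback source, nor a source in the
	# internal network that sits behind the NAT.
	#
	block in final from 127.0.0.0/8 apply "log"
	block in final from 192.0.2.0/24 apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.
	# ESP is passed statelessly in both directions; the NAT-T (UDP 4500)
	# and L2TP control ports are tracked with state.
	#
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	# NOTE(review): these are stateless passes; any inbound TCP segment
	# with ACK or RST set is admitted regardless of the state table that
	# the "pass stateful out" rules above already maintain.  They are only
	# needed if asymmetric return traffic is expected; otherwise drop them.
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC (port 5500 is conventionally the viewer's listening port).
	# This admits new connections from any source; narrow "from any" to
	# the known peer if the viewer's address is fixed.
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

#
# Rules for the internal interface.
#
group "internal" on $int_if {
	# Pass everything to internal networks; this is acceptable because
	# the internal network is NAT'ed behind $ext_if.
	pass final all
}

#
# Rules for every interface not matched by a group above.
#
group default {
	# The loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel; needs the interface pre-created, post-destroyed.
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}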