#
# NPF (NetBSD packet filter) ruleset: a NAT gateway with one internal and
# one external interface.
#
# Every rule below carries "final", so within a group the first matching
# rule decides the packet; the "default" group handles whatever the
# interface groups did not decide.  Keep that in mind when reordering.
#
# NOTE(review): the interface names and addresses in this header (ex0/hme0,
# 192.168.2.254/24, 74.66.0.142/24) do not match the $int_if/$ext_if
# assignments below (sk0/bge0) or the NAT subnet (192.168.1.0/24) — the
# comment looks stale; confirm which values are current.
#
# ex0 - (internal) network interface
# 192.168.2.254/24
# hme0 - (external) connection to Two Sigma
# 74.66.0.142/24

$int_if = "sk0"
$ext_if = "bge0"

# ICMP application-level gateway, so ICMP errors that embed a translated
# packet are rewritten consistently with the NAT map below.
alg "icmp"

#
# NAT for all.
#
# Dynamic (masquerading) NAT: 192.168.1.0/24 is translated to the address
# of $ext_if.  NOTE(review): the internal network in the header and the
# broadcast address blocked further down are in 192.168.2.0/24, not
# 192.168.1.0/24 — verify the subnet.
#
map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)

# Optional block list of addresses loaded from a file (currently disabled,
# as is the rule referencing it in the external group).
#table <1> type tree file "/etc/npf_problem_sites"

# Rule procedure applied with 'apply "log"': logs the matching packet to
# the npflog0 interface.
procedure "log" {
	log: npflog0
}

#
# Rules for the external (untrusted) interface.  Anything not decided
# here falls through to group default, which blocks and logs.
#
group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	# Private (RFC 1918) ranges must never appear as a source on the
	# external side, nor as a destination leaving it.  Being "final",
	# these also prevent the later pass rules from admitting such traffic.
	#
	block in final from 10.0.0.0/8 apply "log"
	block in final from 172.16.0.0/12 apply "log"
	block in final from 192.168.0.0/16 apply "log"
	#
	block out final to 10.0.0.0/8 apply "log"
	block out final to 172.16.0.0/12 apply "log"
	block out final to 192.168.0.0/16 apply "log"
	#
	# Outbound traffic creates state, so the matching reply packets are
	# admitted by the state table without needing an explicit "pass in".
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# Drop inbound TCP aimed at the internal broadcast address
	# (see the NAT subnet note at the top of the file).
	block in final proto tcp to 192.168.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall.
	#
	# NOTE(review): only the single address 127.0.0.1 is covered; the
	# rest of 127.0.0.0/8 and packets claiming the firewall's own external
	# address as source are not — confirm that is intended.
	#
	block in final from 127.0.0.1 apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.
	#
	# IKE (isakmp/udp), ESP, AH and NAT-T are accepted when addressed to
	# the external interface itself.
	# NOTE(review): the "pass out" ESP rule below matches packets *to*
	# inet4($ext_if), which an outbound packet from this host will not
	# have; outbound ESP (and AH) therefore appears to fall through to the
	# default block.  Looks like "from inet4($ext_if)" was intended —
	# verify against a working tunnel before changing.
	#
	pass in final proto udp from any to inet4($ext_if) port isakmp
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from any to inet4($ext_if)
	pass in final proto ah from any to inet4($ext_if)
	pass in final from any to inet4($ext_if) port "ipsec-nat-t"

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.
	#
	# The second rule admits any protocol to the whole 224.0.0.0/4 range.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	#
	# NOTE(review): these two rules are stateless: any inbound TCP segment
	# with ACK (or RST) set is admitted to any local port, whether or not a
	# state entry exists.  Replies to outbound connections are already
	# covered by the "pass stateful out" rules above, so these mainly widen
	# what an external host can deliver unsolicited; consider whether they
	# are still needed.
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC
	#
	# Listening-mode VNC (5500/tcp), reachable from any source address.
	# NOTE(review): confirm this needs to be open to "any" rather than a
	# known set of peers.
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	# All disabled; enable individually as services are exposed.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	# Probes to the conventional UDP traceroute port range are rejected
	# with an ICMP error (and logged) rather than silently dropped.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	#
	# NOTE(review): unlike the IPv4 list, the ipv6-icmp rule admits every
	# ICMPv6 type — confirm that is intended.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	# Catch-all for inbound SYNs that no earlier rule accepted.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	# (NAT hides internal addresses but places no restriction on what
	# internal hosts may originate; everything on $int_if is accepted.)
	pass final all
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel, needs interface pre-created, post-destroyed
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	# Final deny-and-log for anything the interface groups did not decide.
	#
	block final all apply "log"
}