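#
# Interfaces.  The variable assignments below are authoritative; the
# interface names in older copies of this header (ex0 / hme0) no longer
# match them, and the addresses may be equally stale:
#   $int_if - (internal) network interface, 192.168.2.254/24
#   $ext_if - (external) connection to Two Sigma, 74.66.0.142/24
#
# NOTE(review): the NAT map below translates 192.168.1.0/24, while the
# internal network is described here as 192.168.2.0/24 and the broadcast
# block rule in the "external" group targets 192.168.2.255.  One of these
# is wrong; hosts on the un-mapped subnet would leave $ext_if with a
# private source address.  Verify against the real address of $int_if.
#

$int_if = "sk0"
$ext_if = "bge0"

# Application-level gateway so ICMP errors are associated with the
# connection they refer to.
alg "icmp"

#
# NAT for all.
#
map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)

#table <1> type tree file "/etc/npf_problem_sites"

# Rules that "apply" this procedure are logged on npflog0.
procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).  These come before
	# the reserved-address blocks on purpose, so a DHCP server on a private
	# address still works.
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries; replies are admitted by state.
	#
	pass stateful out final proto udp to any port domain

	# Problem sites (table currently disabled above).
	#block in final from <1> apply "log"

	#
	# Block RFC 1918 addresses from entering or exiting.  This also covers
	# inbound packets spoofing our own internal network.
	#
	block in final from 10.0.0.0/8 apply "log"
	block in final from 172.16.0.0/12 apply "log"
	block in final from 192.168.0.0/16 apply "log"
	#
	block out final to 10.0.0.0/8 apply "log"
	block out final to 172.16.0.0/12 apply "log"
	block out final to 192.168.0.0/16 apply "log"
	#
	# Everything we originate is tracked, so replies come back by state.
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# Drop TCP aimed at what appears to be the internal subnet's broadcast
	# address (see the header note about which subnet is actually internal).
	block in final proto tcp to 192.168.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall: nothing arriving on the
	# external interface may claim a loopback source.  The whole 127/8 is
	# rejected, not only 127.0.0.1.  Note that the DHCP pass rules above
	# are evaluated first and are not restricted by source address.
	#
	block in final from 127.0.0.0/8 apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.  ESP is stateless in both directions;
	# the NAT-T (UDP 4500) and L2TP (UDP 1701) listeners are stateful.
	#
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.  The second rule admits any protocol to the
	# multicast range.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	# NOTE(review): these two rules are stateless and match any inbound TCP
	# segment with ACK (respectively RST) set, to any port, so they also
	# admit ACK/RST probes that belong to no tracked connection.  Because
	# the outbound TCP rule above is stateful, replies to locally originated
	# connections are already admitted by state; consider dropping these
	# once state tracking is confirmed to cover every path (e.g. ppp0).
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC (reverse-connection listener).
	# NOTE(review): open to any source; restrict "from" to the expected
	# viewer addresses if they are known.
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away: answer the probe
	# ports with an ICMP error instead of silently dropping.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.  ICMPv6 is passed wholesale because
	# neighbour discovery depends on it.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	pass final all
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel, needs interface pre-created, post-destroyed.
	# NOTE(review): stateless pass of everything on the tunnel; a remote
	# L2TP peer gets unfiltered access to this host and, via the
	# "internal" group, to the internal network.
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}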