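# ex0 - (internal) network interface
# 192.0.2.254/24
# hme0 - (external) connection to Peer
# 198.51.100.142/24

$int_if = "ex0"
$ext_if = "hme0"

#
# RFC 1918 private ranges.  The 172.16/12 block spans
# 172.16.0.0 - 172.31.255.255; a /14 here would cover only
# 172.16.0.0 - 172.19.255.255 and leave 172.20 - 172.31 unfiltered.
#
$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

alg "icmp"

#
# NAT for all.
# Internal 192.0.2.0/24 is translated to the external interface address.
#
map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)

#table <1> type tree file "/etc/npf_problem_sites"

#
# Log to npflog0; attached with "apply" on the block rules below.
#
procedure "log" {
	log: npflog0
}

#
# Rules are evaluated in order; "final" stops processing at the first
# matching rule, so the position of every rule in this group matters.
#
group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"
	#
	# Outbound is stateful: replies are admitted by the state table,
	# not by the stateless "pass in" rules further down.
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# 192.0.2.255 is the broadcast address of the internal 192.0.2.0/24.
	block in final proto tcp to 192.0.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall.
	# Cover the whole loopback range, not just 127.0.0.1; nothing
	# legitimate arrives on the external interface from 127/8.
	# Inbound packets claiming an internal 192.0.2.0/24 source are not
	# rejected here; add a rule if that is wanted.
	#
	block in final from 127.0.0.0/8 apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.
	#
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.
	# The second rule has no "proto" and so admits any protocol to 224/4.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	# These rules are stateless: any inbound TCP segment with ACK (or RST)
	# set is admitted whether or not a matching connection exists.  They
	# exist because the inbound side does not rely on the state table.
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC
	# Accepts inbound connections to port 5500 from any source.
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	# ipv6-icmp is passed in full, without a type filter.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	pass final all
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel, needs interface pre-created, post-destroyed
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}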