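#
# npf.conf -- NAT gateway with one internal and one external interface.
#
# $int_if - (internal) network interface  (original notes: 192.168.2.254/24)
# $ext_if - (external) uplink              (original notes: 74.66.0.142/24)
#
# NOTE(review): the original header named the interfaces ex0/hme0 while the
# variables below are sk0/bge0, so the header was stale. Confirm the
# addresses above against the live configuration before relying on them.
#

$int_if = "sk0"
$ext_if = "bge0"

alg "icmp"

#
# Dynamic NAT (masquerade) for the internal network onto the external address.
#
# NOTE(review): this translates 192.168.1.0/24, but the header and the
# broadcast rule in group "external" refer to 192.168.2.0/24. Hosts outside
# the translated prefix would leave with a private source address; confirm
# which prefix is the real internal network.
#
map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)

#table <1> type tree file "/etc/npf_problem_sites"

# Log matching packets to npflog0 (attach with: apply "log").
procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	# Do not add a "from 0.0.0.0/8" anti-spoof rule here: DHCP clients
	# legitimately send from 0.0.0.0.
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries; replies come back via state.
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block RFC 1918 private addresses from entering or exiting the uplink.
	# (They are not IANA-"reserved"; they are private-use and must never
	# appear on the external interface.)
	#
	block in final from 10.0.0.0/8 apply "log"
	block in final from 172.16.0.0/12 apply "log"
	block in final from 192.168.0.0/16 apply "log"
	#
	block out final to 10.0.0.0/8 apply "log"
	block out final to 172.16.0.0/12 apply "log"
	block out final to 192.168.0.0/16 apply "log"

	#
	# Outbound traffic is stateful: reply packets match the state entry and
	# never reach the inbound rules below. This is what makes the old
	# stateless "pass in proto tcp flags A/A" / "flags R/R" rules unnecessary.
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# Drop TCP aimed at the internal network's broadcast address.
	block in final proto tcp to 192.168.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall: loopback sources must
	# never arrive on the uplink. Whole 127/8, not just 127.0.0.1.
	#
	block in final from 127.0.0.0/8 apply "log"

	#
	# L2TP/IPsec NAT-T tunnels. Both services are UDP, so restrict the
	# match to UDP rather than any TCP-or-UDP port match.
	#
	# NOTE(review): plain L2TP (udp/1701) is reachable from any source;
	# it is expected to be protected by IPsec. IKE (udp/500, "isakmp") is
	# not passed inbound here -- fine if this side always initiates,
	# otherwise enable the isakmp rule below. Confirm.
	#
	pass stateful in final proto udp from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final proto udp from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1. The second rule is protocol-agnostic: any
	# protocol to 224/4 is accepted.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Established connections.
	#
	# The previous stateless rules
	#   pass in final proto tcp flags A/A all
	#   pass in final proto tcp flags R/R all
	# accepted *any* inbound TCP segment with ACK or RST set, regardless of
	# whether a connection existed. That bypasses every inbound rule below
	# (ACK scans map the filter, crafted segments reach every local port).
	# Outbound connections already have state (above); inbound services use
	# "pass stateful in" so their follow-up segments match state too.
	# Stray non-SYN segments now fall through to the default block (logged).
	#

	#
	# VNC (reverse-connection listener on 5500). Stateful so that the
	# segments after the SYN are matched by state, not by a flags rule.
	#
	pass stateful in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	# NOTE(review): ICMPv6 is passed in full (needed for neighbour
	# discovery); it is not restricted by type like ICMPv4 above.
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	pass final all
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel; needs the interface pre-created, post-destroyed.
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}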