Module Name:    src
Committed By:   sevan
Date:           Sat Sep 21 20:41:52 UTC 2019

Modified Files:
        src/share/examples/npf: soho_gw-npf.conf

Log Message:
Add descriptions for all rules and make use of localnet variable in place of 
direct IP address


To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 src/share/examples/npf/soho_gw-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.14 src/share/examples/npf/soho_gw-npf.conf:1.15
--- src/share/examples/npf/soho_gw-npf.conf:1.14	Sat Sep 21 20:35:52 2019
+++ src/share/examples/npf/soho_gw-npf.conf	Sat Sep 21 20:41:52 2019
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.14 2019/09/21 20:35:52 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.15 2019/09/21 20:41:52 sevan Exp $
 #
 # SOHO border
 #
@@ -24,23 +24,32 @@ $localnet = { 198.51.100.0/24 }
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
+map $ext_if dynamic $localnet -> $ext_v4
 
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
 map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
 
 procedure "log" {
+	# Send log events to npflog0, see npfd(8)
 	log: npflog0
 }
 
 group "external" on $ext_if {
+	# Allow all outbound traffic
 	pass stateful out all
 
+	# Block inbound traffic from those on the block table 
 	block in from <block>
+
+	# Allow SSH on wired interface and log all connection attempts
 	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
 		apply "log"
+
+	# Allow inbound traffic for services hosted on TCP
 	pass stateful in proto tcp to $ext_addrs port $services_tcp
+
+	# Allow inbound traffic for services hosted on TCP
 	pass stateful in proto udp to $ext_addrs port $services_udp
 
 	# Passive FTP
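Review bot: The comment added above the UDP rule (`pass stateful in proto udp to $ext_addrs port $services_udp`) repeats the TCP comment verbatim, so it mislabels the rule; it should read `# Allow inbound traffic for services hosted on UDP`. The SSH comment says "wired interface" although the rule sits in the group on $ext_if and matches `to $ext_v4`, so "external interface" would describe it more accurately. The comment on the `block in from <block>` line also carries a trailing space. The `group "external"` body continues past this hunk.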
@@ -50,11 +59,20 @@ group "external" on $ext_if {
 }
 
 group "internal" on $int_if {
+	# Allow inbound traffic from LAN
 	pass in from <int-block>
+
+	# All outbound traffic to LAN
 	pass out all
 }
 
 group default {
+	# Default deny, otherwise last matching rule wins
+	block all apply "log"
+
+	# Don't block loopback
 	pass on lo0 all
-	block all
+
+	# Allow incoming IPv4 pings
+	pass in family inet4 proto icmp icmp-type echo all
 }
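Review bot: The comment on the relocated `block all apply "log"` rule, "Default deny, otherwise last matching rule wins", reads as if the last-match behaviour were a fallback rather than the reason the block has to come first; clearer would be `# Default deny (logged); since the last matching rule wins, the pass rules below override this for loopback and IPv4 echo`. The new ping rule is restricted to `family inet4`, so with this default deny in place no ICMPv6 is passed unless another group handles it, which is worth a note if the example is meant for dual-stack gateways (the other groups are outside this hunk, so I may be missing such a rule). Logging the default deny means every unmatched packet produces an npflog0 event, so the log procedure comment in the earlier hunk could mention that volume.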
