Module Name:    src
Committed By:   sevan
Date:           Mon Apr 15 22:38:48 UTC 2019

Modified Files:
        src/share/examples/npf: host-npf.conf

Log Message:
Provide a simpler config for a host which permits any traffic from the host out,
and a small subset of traffic in (DHCP (v4 and v6), all ICMPv6, ICMP echo
requests, traceroute, mDNS).


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 src/share/examples/npf/host-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.8 src/share/examples/npf/host-npf.conf:1.9
--- src/share/examples/npf/host-npf.conf:1.8	Mon Aug  4 22:13:23 2014
+++ src/share/examples/npf/host-npf.conf	Mon Apr 15 22:38:48 2019
@@ -1,131 +1,66 @@
-# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $
+# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
 #
-# this is an example of NPF rules for a host (i.e., not routing) with
-# two network interfaces, wired and wifi
+# Simple ruleset for a host with (i.e., not routing) two interfaces,
+# ethernet and wifi.
 #
-# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
-# it also does IPSEC on the wifi
+# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
+# are permitted, inbound, on either interface.
+#
+# SSH to the host is allowed in via the ethernet interface.
+# blacklistd(8) is used to prevent SSH bruteforce attempts.
+#
+# No specific rules for the wifi interface.
+#
+# All traffic from the host is permitted, outbound, on either interface.
 #
 
 $wired_if = "wm0"
-$wired_v4 = { inet4(wm0) }
-$wired_v6 = { inet6(wm0) }
-
-$wifi_if = "iwn0"
-$wifi_v4 = { inet4(iwn0) }
-$wifi_v6 = { inet6(iwn0) }
+$wifi_if  = "iwn0"
+$wired_addrs= ifaddrs(wm0)
+$wifi_addrs = ifaddrs(iwn0)
 
-$dhcpserver = { 198.51.100.1 }
+alg "icmp"
 
-# sample udp service
-$services_udp = { ntp }
-
-# sample mixed service
-$backupsrv_v4 = { 198.51.100.11 }
-$backupsrv_v6 = { 2001:0DB8:404::11 }
-$backup_port = { amanda }
-
-# watching a tcpdump of npflog0, when it only logs blocks,
-# can be very helpful for building the rules you actually need
 procedure "log" {
-     log: npflog0
+	log: npflog0
 }
 
-# make a service running on a high port on 127.0.0.1 available on $wired_if
-# see also the pass rules below
-map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80
-
 group "wired" on $wired_if {
+# Placeholder for blacklistd (configuration separate) to add blocked hosts
+ruleset "blacklistd"
 
-	# not being picky about our own address here
-	pass in  final family inet6 proto ipv6-icmp all
-	pass out final family inet6 proto ipv6-icmp all
-	pass in  final family inet4 proto icmp      all
-
-	pass in  final family inet4 proto tcp \
-		from $dhcpserver port bootps to $wired_v4 port bootpc
-	pass in  final family inet4 proto udp \
-		from $dhcpserver port bootps to $wired_v4 port bootpc
-
-	pass in final family inet6 proto tcp to $wired_v6 port ssh
-
-	# the port mapping
-	# Note the filter sees packets before translation
-	pass in  final family inet4 proto tcp from any to $wired_v4 port 80
-	pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any
-
-	pass in final family inet4 proto tcp flags S/SA \
-		from $backupsrv_v4 to $wired_v4 port $backup_port 
-	pass in final family inet4 proto udp \
-		from $backupsrv_v4 to $wired_v4 port $backup_port
-	pass in final family inet6 proto tcp flags S/SA \
-		from $backupsrv_v6 to $wired_v6 port $backup_port 
-	pass in final family inet6 proto udp \
-		from $backupsrv_v6 to $wired_v6 port $backup_port
-
-	pass stateful in final family inet6 proto udp to $wired_v6 \
-		port $services_udp
-	pass stateful in final family inet4 proto udp to $wired_v4 \
-		port $services_udp
-
-	# only SYN packets need to generate state
-	pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wired_v6
-	pass stateful out final family inet4 proto tcp flags S/SA \
-		from $wired_v4
-	# pass the other tcp packets without generating extra state
-	pass out final family inet6 proto tcp from $wired_v6
-	pass out final family inet4 proto tcp from $wired_v4
-
-	# all other types of traffic, generate state per packet
-	pass stateful out final family inet6 from $wired_v6
-	pass stateful out final family inet4 from $wired_v4
+# Allow SSH on wired interface
+pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
 
 }
 
 group "wifi" on $wifi_if {
-	# linklocal
-	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
-	pass out final family inet6 proto ipv6-icmp from fe80::/10
-
-	# administrative multicasts
-	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
-	pass out final family inet6 proto ipv6-icmp from ff00::/10
-
-	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
-	pass in  final family inet4 proto icmp      to $wifi_v4
-
-	pass in  final family inet4 proto tcp \
-		from any port bootps to $wifi_v4 port bootpc
-	pass in  final family inet4 proto udp \
-		from any port bootps to $wifi_v4 port bootpc
-
-        pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 
-
-        pass in final family inet6 proto udp to $wifi_v6 port $services_udp
-        pass in final family inet4 proto udp to $wifi_v4 port $services_udp
-
-	# IPSEC
-	pass in final family inet6 proto udp to $wifi_v6 port isakmp
-	pass in final family inet4 proto udp to $wifi_v4 port isakmp
-	pass in family inet6 proto esp all
-	pass in family inet4 proto esp all
-
-	# only SYN packets need to generate state
-        pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wifi_v6
-        pass stateful out final family inet4 proto tcp flags S/SA \
-		from $wifi_v4
-	# pass the other tcp packets without generating extra state
-        pass out final family inet6 proto tcp from $wifi_v6
-        pass out final family inet4 proto tcp from $wifi_v4
-
-	# all other types of traffic, generate state per packet
-        pass stateful out final family inet6 from $wifi_v6
-        pass stateful out final family inet4 from $wifi_v4
+
 }
 
 group default {
-	pass final on lo0 all
-	block all apply "log"
+# Default deny, otherwise last matching rule wins
+block all apply "log"
+
+# Don't block loopback
+pass on lo0 all
+
+# Allow incoming DHCP server responses
+pass in family inet4 proto udp from any port bootps to any port bootpc
+pass in family inet6 proto udp from any to any port "dhcpv6-client"
+
+# Allow IPv6 ICMP
+pass family inet6 proto ipv6-icmp all
+
+# Allow incoming IPv4 pings
+pass in family inet4 proto icmp icmp-type echo all
+
+# Allow being tracerouted
+pass in proto udp to any port 33434-33600
+
+# Allow incoming mDNS traffic from neighbours
+pass in proto udp to any port mdns
+
+# Allow all outbound traffic
+pass stateful out all
 }
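Review bot: The new SSH rule in group "wired" (`pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"`) is neither `stateful` nor `final`, unlike the SSH rule the old ruleset had (`final`, `flags S/SA`); with the comment in group default noting that the last matching rule wins, whether this non-final match survives the later `block all` depends on how NPF orders the interface group against the default group, so `final` makes the intent unambiguous and `stateful` with `flags S/SA` creates state from the client's SYN rather than relying on `pass stateful out all` to pick the session up from the reply, which also means the `apply "log"` fires once per connection instead of once per packet: `pass stateful in final on $wired_if proto tcp flags S/SA to $wired_addrs port ssh apply "log"`. The mDNS rule `pass in proto udp to any port mdns` also admits unicast UDP to port 5353 on the host's own addresses; if only neighbour discovery is wanted it can be narrowed to the multicast groups, `pass in family inet4 proto udp to 224.0.0.251 port mdns` and `pass in family inet6 proto udp to ff02::fb port mdns`. Minor: the header comment reads more naturally as `# Simple ruleset for a host (i.e., not routing) with two interfaces,`, and the rules inside the groups lost the tab indentation the previous version used.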
