Module Name: src Committed By: sevan Date: Mon Apr 15 22:38:48 UTC 2019
Modified Files: src/share/examples/npf: host-npf.conf Log Message: Provide a simpler config for a host which permits any traffic from the host out, and a small subset of traffic in (DHCP (v4 and v6), all ICMPv6, ICMP echo requests, traceroute, mDNS). To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/share/examples/npf/host-npf.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.8 src/share/examples/npf/host-npf.conf:1.9
--- src/share/examples/npf/host-npf.conf:1.8 Mon Aug 4 22:13:23 2014
+++ src/share/examples/npf/host-npf.conf Mon Apr 15 22:38:48 2019
@@ -1,131 +1,66 @@
-# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $
+# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
 #
-# this is an example of NPF rules for a host (i.e., not routing) with
-# two network interfaces, wired and wifi
+# Simple ruleset for a host with (i.e., not routing) two interfaces,
+# ethernet and wifi.
 #
-# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
-# it also does IPSEC on the wifi
+# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
+# are permitted, inbound, on either interface.
+#
+# SSH to the host is allowed in via the ethernet interface.
+# blacklistd(8) is used to prevent SSH bruteforce attempts.
+#
+# No specific rules for the wifi interface.
+#
+# All traffic from the host is permitted, outbound, on either interface.
 #
 $wired_if = "wm0"
-$wired_v4 = { inet4(wm0) }
-$wired_v6 = { inet6(wm0) }
-
-$wifi_if = "iwn0"
-$wifi_v4 = { inet4(iwn0) }
-$wifi_v6 = { inet6(iwn0) }
+$wifi_if = "iwn0"
+$wired_addrs= ifaddrs(wm0)
+$wifi_addrs = ifaddrs(iwn0)
-$dhcpserver = { 198.51.100.1 }
+alg "icmp"
-# sample udp service
-$services_udp = { ntp }
-
-# sample mixed service
-$backupsrv_v4 = { 198.51.100.11 }
-$backupsrv_v6 = { 2001:0DB8:404::11 }
-$backup_port = { amanda }
-
-# watching a tcpdump of npflog0, when it only logs blocks,
-# can be very helpful for building the rules you actually need
 procedure "log" {
- log: npflog0
+ log: npflog0
 }
-# make a service running on a high port on 127.0.0.1 available on $wired_if
-# see also the pass rules below
-map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80
-
 group "wired" on $wired_if {
+# Placeholder for blacklistd (configuration separate) to add blocked hosts
+ruleset "blacklistd"
- # not being picky about our own address here
- pass in final family inet6 proto ipv6-icmp all
- pass out final family inet6 proto ipv6-icmp all
- pass in final family inet4 proto icmp all
-
- pass in final family inet4 proto tcp \
- from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet4 proto udp \
- from $dhcpserver port bootps to $wired_v4 port bootpc
-
- pass in final family inet6 proto tcp to $wired_v6 port ssh
-
- # the port mapping
- # Note the filter sees packets before translation
- pass in final family inet4 proto tcp from any to $wired_v4 port 80
- pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any
-
- pass in final family inet4 proto tcp flags S/SA \
- from $backupsrv_v4 to $wired_v4 port $backup_port
- pass in final family inet4 proto udp \
- from $backupsrv_v4 to $wired_v4 port $backup_port
- pass in final family inet6 proto tcp flags S/SA \
- from $backupsrv_v6 to $wired_v6 port $backup_port
- pass in final family inet6 proto udp \
- from $backupsrv_v6 to $wired_v6 port $backup_port
-
- pass stateful in final family inet6 proto udp to $wired_v6 \
- port $services_udp
- pass stateful in final family inet4 proto udp to $wired_v4 \
- port $services_udp
-
- # only SYN packets need to generate state
- pass stateful out final family inet6 proto tcp flags S/SA \
- from $wired_v6
- pass stateful out final family inet4 proto tcp flags S/SA \
- from $wired_v4
- # pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wired_v6
- pass out final family inet4 proto tcp from $wired_v4
-
- # all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wired_v6
- pass stateful out final family inet4 from $wired_v4
+# Allow SSH on wired interface
+pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
 }
 group "wifi" on $wifi_if {
- # linklocal
- pass in final family inet6 proto ipv6-icmp to fe80::/10
- pass out final family inet6 proto ipv6-icmp from fe80::/10
-
- # administrative multicasts
- pass in final family inet6 proto ipv6-icmp to ff00::/10
- pass out final family inet6 proto ipv6-icmp from ff00::/10
-
- pass in final family inet6 proto ipv6-icmp to $wifi_v6
- pass in final family inet4 proto icmp to $wifi_v4
-
- pass in final family inet4 proto tcp \
- from any port bootps to $wifi_v4 port bootpc
- pass in final family inet4 proto udp \
- from any port bootps to $wifi_v4 port bootpc
-
- pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
-
- pass in final family inet6 proto udp to $wifi_v6 port $services_udp
- pass in final family inet4 proto udp to $wifi_v4 port $services_udp
-
- # IPSEC
- pass in final family inet6 proto udp to $wifi_v6 port isakmp
- pass in final family inet4 proto udp to $wifi_v4 port isakmp
- pass in family inet6 proto esp all
- pass in family inet4 proto esp all
-
- # only SYN packets need to generate state
- pass stateful out final family inet6 proto tcp flags S/SA \
- from $wifi_v6
- pass stateful out final family inet4 proto tcp flags S/SA \
- from $wifi_v4
- # pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wifi_v6
- pass out final family inet4 proto tcp from $wifi_v4
-
- # all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wifi_v6
- pass stateful out final family inet4 from $wifi_v4
+
 }
 group default {
- pass final on lo0 all
- block all apply "log"
+# Default deny, otherwise last matching rule wins
+block all apply "log"
+
+# Don't block loopback
+pass on lo0 all
+
+# Allow incoming DHCP server responses
+pass in family inet4 proto udp from any port bootps to any port bootpc
+pass in family inet6 proto udp from any to any port "dhcpv6-client"
+
+# Allow IPv6 ICMP
+pass family inet6 proto ipv6-icmp all
+
+# Allow incoming IPv4 pings
+pass in family inet4 proto icmp icmp-type echo all
+
+# Allow being tracerouted
+pass in proto udp to any port 33434-33600
+
+# Allow incoming mDNS traffic from neighbours
+pass in proto udp to any port mdns
+
+# Allow all outbound traffic
+pass stateful out all
 }
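Review bot: The mDNS rule in group default, `pass in proto udp to any port mdns`, admits UDP port 5353 from any source to any address on either interface, so unicast mDNS queries from off-link hosts reach the responder rather than only the link-local multicast traffic the comment "from neighbours" describes; pinning the destination to the mDNS groups, e.g. `pass in family inet4 proto udp to 224.0.0.251 port mdns` and `pass in family inet6 proto udp to ff02::fb port mdns`, keeps the stated scope. The placement of `ruleset "blacklistd"` ahead of the SSH pass in group "wired" only blocks, under the last-match-wins semantics the header comment describes, if the rules blacklistd inserts carry `final`; a comment such as `# blacklistd inserts "final" block rules here, so they take precedence over the pass below` would make that dependency explicit, once confirmed against the helper blacklistd invokes. The comment `# Simple ruleset for a host with (i.e., not routing) two interfaces,` reads better as `# Simple ruleset for a host (i.e., not routing) with two interfaces,`, and `$wired_addrs= ifaddrs(wm0)` is missing the space before `=` that its sibling line has.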