Module Name: src Committed By: spz Date: Mon Aug 20 21:09:50 UTC 2012
Added Files: src/share/examples/npf: host-npf.conf Log Message: add an example for a npf.conf It probably could do with polishing of both rules and comments, but meh, better than nothing To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/share/examples/npf/host-npf.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Added files: Index: src/share/examples/npf/host-npf.conf diff -u /dev/null src/share/examples/npf/host-npf.conf:1.1 --- /dev/null Mon Aug 20 21:09:50 2012 +++ src/share/examples/npf/host-npf.conf Mon Aug 20 21:09:49 2012 @@ -0,0 +1,118 @@ +# this is an example of NPF rules for a host (i.e., not routing) with +# two network interfaces, wired and wifi +# +# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6 +# it also does IPSEC on the wifi +# +$wired_if = "wm0" +$wifi_if = "iwn0" + +$dhcpserver = { 198.51.100.1 } + +# sample udp service +$services_udp = { ntp } + +# sample mixed service +$backupsrv_v4 = { 198.51.100.11 } +$backupsrv_v6 = { 2001:0DB8:404::11 } +$backup_port = { amanda } + +# watching a tcpdump of npflog0, when it only logs blocks, +# can be very helpful for building the rules you actually need +procedure "log" { + log: npflog0 +} + +procedure "rid" { + normalise: "random-id" +} + +group (name "wired", interface $wired_if) { + + # not being picky about our own address here + pass in final family inet6 proto ipv6-icmp all + pass out final family inet6 proto ipv6-icmp all + pass in final family inet proto icmp all + + pass in final family inet proto tcp \ + from $dhcpserver port bootps to $wired_if port bootpc + pass in final family inet proto udp \ + from $dhcpserver port bootps to $wired_if port bootpc + + pass in final family inet6 proto tcp to $wired_if port ssh + + pass in final family inet proto tcp flags S/SA \ + from $backupsrv_v4 to $wired_if port $backup_port + pass in final family inet proto udp \ + from $backupsrv_v4 to $wired_if port $backup_port + pass in final family inet6 proto tcp flags S/SA \ + from $backupsrv_v6 to $wired_if port $backup_port + pass in final family inet6 proto udp \ + from $backupsrv_v6 to $wired_if port $backup_port + + pass stateful in final family inet6 proto udp to $wired_if \ + port $services_udp + pass stateful in final family inet proto udp to $wired_if \ + port $services_udp + + # only SYN packets need to generate state + pass stateful out final family inet6 proto tcp flags S/SA \ + from $wired_if apply "rid" + pass stateful out final family inet proto tcp flags S/SA \ + from $wired_if apply "rid" + # pass the other tcp packets without generating extra state + pass out final family inet6 proto tcp from $wired_if apply "rid" + pass out final family inet proto tcp from $wired_if apply "rid" + + # all other types of traffic, generate state per packet + pass stateful out final family inet6 from $wired_if apply "rid" + pass stateful out final family inet from $wired_if apply "rid" + +} + +group (name "wifi", interface $wifi_if) { + # linklocal + pass in final family inet6 proto ipv6-icmp to fe80::/10 + pass out final family inet6 proto ipv6-icmp from fe80::/10 + + # administrative multicasts + pass in final family inet6 proto ipv6-icmp to ff00::/10 + pass out final family inet6 proto ipv6-icmp from ff00::/10 + + pass in final family inet6 proto ipv6-icmp to $wifi_if + pass in final family inet proto icmp to $wifi_if + + pass in final family inet proto tcp \ + from any port bootps to $wifi_if port bootpc + pass in final family inet proto udp \ + from any port bootps to $wifi_if port bootpc + + pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh + + pass in final family inet6 proto udp to $wifi_if port $services_udp + pass in final family inet proto udp to $wifi_if port $services_udp + + # IPSEC + pass in final family inet6 proto udp to $wifi_if port isakmp + pass in final family inet proto udp to $wifi_if port isakmp + pass in family inet6 proto esp all + pass in family inet proto esp all + + # only SYN packets need to generate state + pass stateful out final family inet6 proto tcp flags S/SA \ + from $wifi_if apply "rid" + pass stateful out final family inet proto tcp flags S/SA \ + from $wifi_if apply "rid" + # pass the other tcp packets without generating extra state + pass out final family inet6 proto tcp from $wifi_if apply "rid" + pass out final family inet proto tcp from $wifi_if apply "rid" + + # all other types of traffic, generate state per packet + pass stateful out final family inet6 from $wifi_if apply "rid" + pass stateful out final family inet from $wifi_if apply "rid" +} + +group (default) { + pass final on lo0 all + block all apply "log" +}