Module Name: src Committed By: rmind Date: Sat Feb 8 01:32:19 UTC 2014
Modified Files: src/share/examples/npf: host-npf.conf soho_gw-npf.conf Log Message: Sync some NPF config examples with reality. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/share/examples/npf/host-npf.conf \ src/share/examples/npf/soho_gw-npf.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.5 src/share/examples/npf/host-npf.conf:1.6
--- src/share/examples/npf/host-npf.conf:1.5 Fri Sep 20 17:51:04 2013
+++ src/share/examples/npf/host-npf.conf Sat Feb 8 01:32:19 2014
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: host-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@@ -36,18 +36,18 @@ group "wired" on $wired_if {
 # not being picky about our own address here
 pass in final family inet6 proto ipv6-icmp all
 pass out final family inet6 proto ipv6-icmp all
- pass in final family inet proto icmp all
+ pass in final family inet4 proto icmp all
- pass in final family inet proto tcp \
+ pass in final family inet4 proto tcp \
 from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
 from $dhcpserver port bootps to $wired_v4 port bootpc
 pass in final family inet6 proto tcp to $wired_v6 port ssh
- pass in final family inet proto tcp flags S/SA \
+ pass in final family inet4 proto tcp flags S/SA \
 from $backupsrv_v4 to $wired_v4 port $backup_port
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
 from $backupsrv_v4 to $wired_v4 port $backup_port
 pass in final family inet6 proto tcp flags S/SA \
 from $backupsrv_v6 to $wired_v6 port $backup_port
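Review bot: The DHCP rules `pass in final family inet4 proto udp from $dhcpserver port bootps to $wired_v4 port bootpc` (and the `proto tcp` twin) pin the destination to `$wired_v4`, but a client with no lease yet has no address and servers commonly send DHCPOFFER/DHCPACK to 255.255.255.255, so the initial exchange may never match this rule — it depends on how `inet4(...)` is expanded at load time and on the server's broadcast behaviour, which the diff does not show. If the example is meant to survive a cold boot, `to any port bootpc` for the UDP rule is the safer form. The `proto tcp` variant has no real DHCP client behind it and could simply be dropped. The enclosing `group "wired"` block starts before this hunk and continues past it.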
@@ -56,21 +56,21 @@ group "wired" on $wired_if {
 pass stateful in final family inet6 proto udp to $wired_v6 \
 port $services_udp
- pass stateful in final family inet proto udp to $wired_v6 \
+ pass stateful in final family inet4 proto udp to $wired_v6 \
 port $services_udp
 # only SYN packets need to generate state
 pass stateful out final family inet6 proto tcp flags S/SA \
 from $wired_v6
- pass stateful out final family inet proto tcp flags S/SA \
+ pass stateful out final family inet4 proto tcp flags S/SA \
 from $wired_v4
 # pass the other tcp packets without generating extra state
 pass out final family inet6 proto tcp from $wired_v6
- pass out final family inet proto tcp from $wired_v4
+ pass out final family inet4 proto tcp from $wired_v4
 # all other types of traffic, generate state per packet
 pass stateful out final family inet6 from $wired_v6
- pass stateful out final family inet from $wired_v4
+ pass stateful out final family inet4 from $wired_v4
 }
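Review bot: `pass stateful in final family inet4 proto udp to $wired_v6 port $services_udp` pairs the IPv4 family with an IPv6 destination, so the rule can never match; the commit changes `inet` to `inet4` on this line but keeps the mismatched address. The inet6 rule directly above already covers `$wired_v6`, so this reads as a copy-paste slip that leaves the wired interface's IPv4 `$services_udp` closed — fail-closed rather than a hole, but presumably not the intent of the example. Suggest `pass stateful in final family inet4 proto udp to $wired_v4 port $services_udp`, which is also what the wifi group does for its equivalent rule. The enclosing `group "wired"` block starts before this hunk.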
@@ -84,36 +84,36 @@ group "wifi" on $wifi_if {
 pass out final family inet6 proto ipv6-icmp from ff00::/10
 pass in final family inet6 proto ipv6-icmp to $wifi_v6
- pass in final family inet proto icmp to $wifi_v6
+ pass in final family inet4 proto icmp to $wifi_v6
- pass in final family inet proto tcp \
+ pass in final family inet4 proto tcp \
 from any port bootps to $wifi_v4 port bootpc
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
 from any port bootps to $wifi_v4 port bootpc
 pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
 pass in final family inet6 proto udp to $wifi_v6 port $services_udp
- pass in final family inet proto udp to $wifi_v4 port $services_udp
+ pass in final family inet4 proto udp to $wifi_v4 port $services_udp
 # IPSEC
 pass in final family inet6 proto udp to $wifi_v6 port isakmp
- pass in final family inet proto udp to $wifi_v4 port isakmp
+ pass in final family inet4 proto udp to $wifi_v4 port isakmp
 pass in family inet6 proto esp all
- pass in family inet proto esp all
+ pass in family inet4 proto esp all
 # only SYN packets need to generate state
 pass stateful out final family inet6 proto tcp flags S/SA \
 from $wifi_v6
- pass stateful out final family inet proto tcp flags S/SA \
+ pass stateful out final family inet4 proto tcp flags S/SA \
 from $wifi_v4
 # pass the other tcp packets without generating extra state
 pass out final family inet6 proto tcp from $wifi_v6
- pass out final family inet proto tcp from $wifi_v4
+ pass out final family inet4 proto tcp from $wifi_v4
 # all other types of traffic, generate state per packet
 pass stateful out final family inet6 from $wifi_v6
- pass stateful out final family inet from $wifi_v4
+ pass stateful out final family inet4 from $wifi_v4
 }
 group default {
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.5 src/share/examples/npf/soho_gw-npf.conf:1.6
--- src/share/examples/npf/soho_gw-npf.conf:1.5 Fri Sep 20
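Review bot: `pass in final family inet4 proto icmp to $wifi_v6` combines `inet4` with an IPv6 address, so unsolicited inbound ICMPv4 on the wifi interface is never passed by this rule (presumably only replies matched by state from the stateful outbound rules get through); the commit carries the mismatch over from the old `inet` form. The IPv6 line above already handles `$wifi_v6`, so `to $wifi_v4` is most likely what was meant. Suggest `pass in final family inet4 proto icmp to $wifi_v4`, or `all` as the wired group does if the interface address is not meant to be checked. The enclosing `group "wifi"` block starts before this hunk; `group default` opens at its end and continues past it.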
17:51:04 2013
+++ src/share/examples/npf/soho_gw-npf.conf Sat Feb 8 01:32:19 2014
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
 #
 # SOHO border
 #
@@ -8,14 +8,14 @@ $ext_if = "wm0"
 $ext_v4 = inet4(wm0)
-$ext_addrs = { ifnet(wm0) }
+$ext_addrs = { inet4(wm0), inet6(wm0) }
 $int_if = "wm1"
 # a table to house e.g. block candidates in
-table <1> type hash file "/usr/share/examples/npf/hashtablefile"
-# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
-table <2> type tree dynamic
+table <block> type hash file "/usr/share/examples/npf/hashtablefile"
+# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
+table <int-block> type tree dynamic
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
@@ -37,8 +37,8 @@ procedure "log" {
 group "external" on $ext_if {
 pass stateful out final all
- block in final from <1>
- pass stateful in final family inet proto tcp to $ext_v4 port ssh \
+ block in final from <block>
+ pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
 apply "log"
 pass stateful in final proto tcp to $ext_addrs port $services_tcp
 pass stateful in final proto udp to $ext_addrs port $services_udp
@@ -51,7 +51,7 @@ group "external" on $ext_if {
 group "internal" on $int_if {
 block in all
- pass in final from <2>
+ pass in final from <int-block>
 pass out final all
 }
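Review bot: `pass stateful in final proto tcp to $ext_addrs port $services_tcp` creates state from whatever TCP segment arrives first, whereas the host example in the same commit annotates its stateful TCP rules with `# only SYN packets need to generate state` and qualifies them with `flags S/SA`; the gateway's Internet-facing services are where that matters most. Suggest `pass stateful in final proto tcp flags S/SA to $ext_addrs port $services_tcp`, so a stray ACK or RST to a listed port does not (depending on how NPF handles mid-stream pickup) seed a state entry. Separately, with `$ext_addrs` now covering `inet6(wm0)`, the ssh rule remains `family inet4` to `$ext_v4`, so IPv6 ssh falls through to rules outside this hunk — fine if deliberate, but worth a one-line comment. The `procedure "log"` referenced by `apply "log"` and the rest of `group "external"` lie outside the hunk.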
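Review bot: `pass in final from <int-block>` is an allow rule — after `block in all`, only sources listed in the table are admitted on the internal interface — so the table holds permitted hosts, and the name `int-block` introduced by this commit (and echoed in the `npfctl table "int-block" add` hint in the earlier hunk) says the opposite of what it does. Suggest `table <int-allow> type tree dynamic` with `pass in final from <int-allow>`, and a comment above the definition such as `# internal hosts permitted to send through the gateway; everything else is blocked`. Note too that the rule is stateless: return traffic for these hosts relies on `pass out final all` here and on the stateful outbound rule in the external group, which is not evident from this group alone.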