Module Name:    src
Committed By:   spz
Date:           Sat May 31 12:33:14 UTC 2014

Modified Files:
        src/share/examples/npf: l2tp_gw-npf.conf

Log Message:
- match up comment and interface identifiers
- use RFC5737 documentation prefixes
- use a variable for the RFC1918 private address ranges


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/share/examples/npf/l2tp_gw-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/examples/npf/l2tp_gw-npf.conf
diff -u src/share/examples/npf/l2tp_gw-npf.conf:1.4 src/share/examples/npf/l2tp_gw-npf.conf:1.5
--- src/share/examples/npf/l2tp_gw-npf.conf:1.4	Tue May 27 23:34:43 2014
+++ src/share/examples/npf/l2tp_gw-npf.conf	Sat May 31 12:33:14 2014
@@ -1,17 +1,19 @@
 # ex0 - (internal) network interface
-#	192.168.2.254/24
-# hme0 - (external) connection to Two Sigma
-#	74.66.0.142/24
+#	192.0.2.254/24
+# hme0 - (external) connection to Peer
+#	198.51.100.142/24
 
-$int_if = "sk0"
-$ext_if = "bge0"
+$int_if = "ex0"
+$ext_if = "hme0"
+
+$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
 
 alg "icmp"
 
 #
 # NAT for all.
 #
-map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)
+map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)
 
 #table <1> type tree file "/etc/npf_problem_sites"
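Review bot: The `$private_addr` set on the added line `$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }` narrows the second RFC1918 range: the removed rules (second hunk, old lines) blocked `172.16.0.0/12`, but the variable uses `/14`, which covers only 172.16.0.0–172.19.255.255 and silently stops blocking 172.20.0.0–172.31.255.255 in both directions once the second hunk's `block in`/`block out` rules switch to the variable. This contradicts the commit message's "RFC1918 private address ranges" and weakens the anti-spoofing filter on the external interface without any log entry for the uncovered range. The line should read `$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }`. A short comment above the variable, such as `# RFC1918 private address space (10/8, 172.16/12, 192.168/16)`, would make a future prefix-length slip easy to spot.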
 
@@ -37,20 +39,15 @@ group "external" on $ext_if {
 	#
 	# Block IANA-reserved addresses from entering or exiting
 	#
-	block in final from 10.0.0.0/8 apply "log"
-	block in final from 172.16.0.0/12 apply "log"
-	block in final from 192.168.0.0/16 apply "log"
-	#
-	block out final to 10.0.0.0/8 apply "log"
-	block out final to 172.16.0.0/12 apply "log"
-	block out final to 192.168.0.0/16 apply "log"
+	block in final from $private_addr apply "log"
+	block out final to $private_addr apply "log"
 	#
 	pass stateful out final proto tcp all
 	pass stateful out final proto udp all
 	pass stateful out final proto icmp all
 	pass stateful out final proto ipv6-icmp all
 
-	block in final proto tcp to 192.168.2.255 apply "log"
+	block in final proto tcp to 192.0.2.255 apply "log"
 
 	#
 	# Prevent IP spoofing attacks on the firewall.
