Module Name: src Committed By: martin Date: Tue Nov 19 10:56:35 UTC 2019
Modified Files: src/share/examples/npf [netbsd-9]: soho_gw-npf.conf Log Message: Pull up following revision(s) (requested by sevan in ticket #444): share/examples/npf/soho_gw-npf.conf: revision 1.13 share/examples/npf/soho_gw-npf.conf: revision 1.14 share/examples/npf/soho_gw-npf.conf: revision 1.15 share/examples/npf/soho_gw-npf.conf: revision 1.16 share/examples/npf/soho_gw-npf.conf: revision 1.17 share/examples/npf/soho_gw-npf.conf: revision 1.18 share/examples/npf/soho_gw-npf.conf: revision 1.19 share/examples/npf/soho_gw-npf.conf: revision 1.20 Drop the final keyword to use the default policy of last matching rule wins default policy is to blockall Add descriptions for all rules and make use of localnet variable in place of direct IP address improve description pastos Passive FTP works as a client without this and we're not hosting an FTP server (ports are not listed in services_tcp) Add support for blacklistd Rename the block table to something else to make it easier to differentiate between action and name. Use this table as the example for populating by npfctl. Drop the int-block table, it's quite cumbersome to have a firewall which needs the internal network lists added if reboot. Use the localnet variable to indicate which network we should pass in traffic from instead. To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.12.2.1 src/share/examples/npf/soho_gw-npf.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.12 src/share/examples/npf/soho_gw-npf.conf:1.12.2.1
--- src/share/examples/npf/soho_gw-npf.conf:1.12 Thu Apr 11 10:17:21 2019
+++ src/share/examples/npf/soho_gw-npf.conf Tue Nov 19 10:56:35 2019
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.12 2019/04/11 10:17:21 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.12.2.1 2019/11/19 10:56:35 martin Exp $
 #
 # SOHO border
 #
@@ -12,10 +12,9 @@
 $ext_addrs = ifaddrs(wm0)
 $int_if = "wm1"
-# a table to house e.g. block candidates in
-table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
-# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
-table <int-block> type lpm
+# a "naughty" step^W table to house blocked candidates in
+# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
+table <naughty> type ipset
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
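Review bot: The new `table <naughty> type ipset` has no `file` argument, unlike the file-backed `<block>` table it replaces, so addresses added the way the comment suggests (`npfctl table "naughty" add ...`) exist only in the kernel and are gone after a reboot unless the operator saves and restores the table state (npfctl(8) has save/load for this, as far as I recall). Since this table is now the example readers copy, the feed comment should say so, e.g. `# entries added this way are kernel-only and do not survive a reboot; save/reload them or keep a list to re-add`. The RCS-id hunk above and the service lists below need nothing.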
@@ -24,38 +23,56 @@ $localnet = { 198.51.100.0/24 }
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
+map $ext_if dynamic $localnet -> $ext_v4
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
 map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
 procedure "log" {
+ # Send log events to npflog0, see npfd(8)
 log: npflog0
 }
 group "external" on $ext_if {
- pass stateful out final all
+ # Allow all outbound traffic
+ pass stateful out all
- block in final from <block>
- pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
+ # Block inbound traffic from those on the naughty table
+ block in from <naughty>
+
+ # Placeholder for blacklistd (configuration separate) to add blocked hosts
+ ruleset "blacklistd"
+
+ # Allow inbound SSH and log all connection attempts
+ pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
 apply "log"
- pass stateful in final proto tcp to $ext_addrs port $services_tcp
- pass stateful in final proto udp to $ext_addrs port $services_udp
- # Passive FTP
- pass stateful in final proto tcp to $ext_addrs port 49151-65535
- # Traceroute
- pass stateful in final proto udp to $ext_addrs port 33434-33600
+ # Allow inbound traffic for services hosted on TCP
+ pass stateful in proto tcp to $ext_addrs port $services_tcp
+
+ # Allow inbound traffic for services hosted on UDP
+ pass stateful in proto udp to $ext_addrs port $services_udp
+
+ # Allow being tracerouted
+ pass stateful in proto udp to $ext_addrs port 33434-33600
 }
 group "internal" on $int_if {
- block in all
- pass in final from <int-block>
- pass out final all
+ # Allow inbound traffic from LAN
+ pass in from $localnet
+
+ # All outbound traffic to LAN
+ pass out all
 }
 group default {
- pass final on lo0 all
- block all
+ # Default deny, otherwise last matching rule wins
+ block all apply "log"
+
+ # Don't block loopback
+ pass on lo0 all
+
+ # Allow incoming IPv4 pings
+ pass in family inet4 proto icmp icmp-type echo all
 }
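Review bot: Dropping `final` from the table rule in group "external" makes the `<naughty>` table ineffective for everything this config allows: under last-matching-rule-wins, a listed source that sends to ssh, `$services_tcp`, `$services_udp` or the traceroute range still matches one of the later `pass stateful in` rules and is passed, and the default group's `pass in family inet4 proto icmp icmp-type echo all` does the same for pings, so the table only blocks traffic that was already being blocked. This one rule should keep the keyword so a listed host is rejected before any later pass rule is considered: `block in final from <naughty>`. The same caveat applies to whatever blacklistd inserts into `ruleset "blacklistd"` unless those rules carry `final` themselves, which is not visible from this diff. The `block all apply "log"` in the default group is fine as written, since the pass rules placed after it are meant to override it.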