Module Name: src Committed By: sevan Date: Mon Nov 18 22:27:27 UTC 2019
Modified Files: src/share/examples/npf: soho_gw-npf.conf Log Message: Rename the block table to something else to make it easier to differentiate between action and name. Use this table as the example for populating by npfctl. Drop the int-block table, it's quite cumbersome to have a firewall which needs the internal network lists added after a reboot. Use the localnet variable to indicate which network we should pass in traffic from instead. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/share/examples/npf/soho_gw-npf.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.19 src/share/examples/npf/soho_gw-npf.conf:1.20
--- src/share/examples/npf/soho_gw-npf.conf:1.19 Sun Sep 22 19:51:18 2019
+++ src/share/examples/npf/soho_gw-npf.conf Mon Nov 18 22:27:27 2019
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.19 2019/09/22 19:51:18 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.20 2019/11/18 22:27:27 sevan Exp $
 #
 # SOHO border
 #
@@ -12,10 +12,9 @@
 $ext_addrs = ifaddrs(wm0)
 $int_if = "wm1"
-# a table to house e.g. block candidates in
-table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
-# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
-table <int-block> type lpm
+# a "naughty" step^W table to house blocked candidates in
+# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
+table <naughty> type ipset
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
@@ -39,8 +38,8 @@ group "external" on $ext_if {
 # Allow all outbound traffic
 pass stateful out all
- # Block inbound traffic from those on the block table
- block in from <block>
+ # Block inbound traffic from those on the naughty table
+ block in from <naughty>
 # Placeholder for blacklistd (configuration separate) to add blocked hosts
 ruleset "blacklistd"
@@ -61,7 +60,7 @@ group "external" on $ext_if {
 group "internal" on $int_if {
 # Allow inbound traffic from LAN
- pass in from <int-block>
+ pass in from $localnet
 # All outbound traffic to LAN
 pass out all
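Review bot: `block in from <naughty>` in the third hunk is not a terminal rule, and as far as I recall NPF applies the last matching rule in a group unless a rule carries `final`, so a later `pass in` rule in group "external" (the rest of that group is outside the hunk) could still admit a host listed in the table; if the table is meant to win unconditionally, the line should read `block in final from <naughty>`. In the second hunk the new `<naughty>` table is a bare `type ipset` with no `file` backing, unlike the `<block>` table it replaces, so entries added with npfctl do not survive a configuration reload or reboot — worth stating on the table line, e.g. `# entries added via npfctl are not persisted across reload/reboot`. In the last hunk, `pass in from $localnet` references a variable whose declaration is not part of this diff; if `$localnet` is not defined earlier in the file the configuration will fail to load, so please confirm it exists there.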