Module Name:    src
Committed By:   spz
Date:           Mon Aug 20 21:09:50 UTC 2012

Added Files:
        src/share/examples/npf: host-npf.conf

Log Message:
add an example npf.conf (for a non-routing host with a wired and a wifi interface)
It probably could do with polishing of both rules and comments, but meh,
better than nothing


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/share/examples/npf/host-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Added files:

Index: src/share/examples/npf/host-npf.conf
diff -u /dev/null src/share/examples/npf/host-npf.conf:1.1
--- /dev/null	Mon Aug 20 21:09:50 2012
+++ src/share/examples/npf/host-npf.conf	Mon Aug 20 21:09:49 2012
@@ -0,0 +1,118 @@
+# this is an example of NPF rules for a host (i.e., not routing) with
+# two network interfaces, wired and wifi
+#
+# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
+# it also does IPSEC on the wifi
+#
+$wired_if = "wm0"
+$wifi_if = "iwn0"
+
+$dhcpserver = { 198.51.100.1 }
+
+# sample udp service
+$services_udp = { ntp }
+
+# sample mixed service
+$backupsrv_v4 = { 198.51.100.11 }
+$backupsrv_v6 = { 2001:0DB8:404::11 }
+$backup_port = { amanda }
+
+# watching a tcpdump of npflog0, when it only logs blocks,
+# can be very helpful for building the rules you actually need
+procedure "log" {
+     log: npflog0
+}
+
+procedure "rid" {
+     normalise: "random-id"
+}
+
+group (name "wired", interface $wired_if) {
+
+	# not being picky about our own address here
+	pass in  final family inet6 proto ipv6-icmp all
+	pass out final family inet6 proto ipv6-icmp all
+	pass in  final family inet  proto icmp      all
+
+	pass in  final family inet proto tcp \
+		from $dhcpserver port bootps to $wired_if port bootpc
+	pass in  final family inet proto udp \
+		from $dhcpserver port bootps to $wired_if port bootpc
+
+	pass in final family inet6 proto tcp to $wired_if port ssh
+
+	pass in final family inet  proto tcp flags S/SA \
+		from $backupsrv_v4 to $wired_if port $backup_port 
+	pass in final family inet  proto udp \
+		from $backupsrv_v4 to $wired_if port $backup_port
+	pass in final family inet6 proto tcp flags S/SA \
+		from $backupsrv_v6 to $wired_if port $backup_port 
+	pass in final family inet6 proto udp \
+		from $backupsrv_v6 to $wired_if port $backup_port
+
+	pass stateful in final family inet6 proto udp to $wired_if \
+		port $services_udp
+	pass stateful in final family inet  proto udp to $wired_if \
+		port $services_udp
+
+	# only SYN packets need to generate state
+	pass stateful out final family inet6 proto tcp flags S/SA \
+		from $wired_if apply "rid" 
+	pass stateful out final family inet  proto tcp flags S/SA \
+		from $wired_if apply "rid" 
+	# pass the other tcp packets without generating extra state
+	pass out final family inet6 proto tcp from $wired_if apply "rid" 
+	pass out final family inet  proto tcp from $wired_if apply "rid" 
+
+	# all other types of traffic, generate state per packet
+	pass stateful out final family inet6 from $wired_if apply "rid" 
+	pass stateful out final family inet  from $wired_if apply "rid" 
+
+}
+
+group (name "wifi", interface $wifi_if) {
+	# linklocal
+	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
+	pass out final family inet6 proto ipv6-icmp from fe80::/10
+
+	# administrative multicasts
+	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
+	pass out final family inet6 proto ipv6-icmp from ff00::/10
+
+	pass in  final family inet6 proto ipv6-icmp to $wifi_if
+	pass in  final family inet  proto icmp      to $wifi_if
+
+	pass in  final family inet proto tcp \
+		from any port bootps to $wifi_if port bootpc
+	pass in  final family inet proto udp \
+		from any port bootps to $wifi_if port bootpc
+
+        pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh 
+
+        pass in final family inet6 proto udp to $wifi_if port $services_udp
+        pass in final family inet  proto udp to $wifi_if port $services_udp
+
+	# IPSEC
+	pass in final family inet6 proto udp to $wifi_if port isakmp
+	pass in final family inet  proto udp to $wifi_if port isakmp
+	pass in family inet6 proto esp all
+	pass in family inet  proto esp all
+
+	# only SYN packets need to generate state
+        pass stateful out final family inet6 proto tcp flags S/SA \
+		from $wifi_if apply "rid" 
+        pass stateful out final family inet  proto tcp flags S/SA \
+		from $wifi_if apply "rid" 
+	# pass the other tcp packets without generating extra state
+        pass out final family inet6 proto tcp from $wifi_if apply "rid" 
+        pass out final family inet  proto tcp from $wifi_if apply "rid" 
+
+	# all other types of traffic, generate state per packet
+        pass stateful out final family inet6 from $wifi_if apply "rid" 
+        pass stateful out final family inet  from $wifi_if apply "rid" 
+}
+
+group (default) {
+	pass final on lo0 all
+	block all apply "log"
+}
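Review bot: The inbound TCP rules that carry `flags S/SA` without `stateful` — the four amanda rules in the "wired" group and the ssh rule in the "wifi" group (`pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh`) — as far as I can tell match only the initial SYN, so the client's ACK and every later segment of that connection fall through to `block all` in the default group and the connection never completes; unlike the wired ssh rule (no flags) they need state, e.g. `pass stateful in final family inet6 proto tcp flags S/SA to $wifi_if port ssh`, mirroring the stateful out rules below them. The `proto tcp ... port bootps ... port bootpc` rules in both groups look redundant, since DHCP is UDP-only, and on wifi the TCP variant admits traffic to port 68 from any host that chooses source port 67, so dropping them narrows the exposure without losing anything. The two `pass in ... proto esp all` rules are the only rules in the file without `final`; adding it keeps the group consistent and avoids the impression that a later rule is intended to override them.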
