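# $NetBSD: host-npf.conf,v 1.7 2014/05/31 11:54:37 spz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
#
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
# it also does IPsec on the wifi
#
# Two NPF semantics this file relies on (see npf.conf(5)):
#  - within a group the last matching rule wins unless it is "final";
#    the default group is only consulted when nothing in the interface
#    group matched, so anything not explicitly passed ends in "block all"
#  - "flags S/SA" matches only the initial SYN, so an inbound TCP rule
#    using it must also be "stateful": the state entry created on the SYN
#    is what lets the rest of the connection through in both directions
#

$wired_if = "wm0"
# address sets are read from the interface when the rules are loaded
$wired_v4 = { inet4(wm0) }
$wired_v6 = { inet6(wm0) }

$wifi_if = "iwn0"
$wifi_v4 = { inet4(iwn0) }
$wifi_v6 = { inet6(iwn0) }

# the only DHCP server we accept replies from on the wired net
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

# make a service running on a high port on 127.0.0.1 available on $wired_if
# see also the pass rules below
map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80

group "wired" on $wired_if {

	# not being picky about our own address here
	# NOTE(review): this admits every ICMP/ICMPv6 type (redirects
	# included); use icmp-type to narrow it if the wired net is not trusted
	pass in final family inet6 proto ipv6-icmp all
	pass out final family inet6 proto ipv6-icmp all
	pass in final family inet4 proto icmp all

	# DHCP replies from our known server.  DHCP is UDP only (RFC 2131),
	# so there is no TCP bootps rule: one would only pass unrelated TCP
	# traffic that happens to use source port 67.
	# NOTE(review): broadcast replies (to 255.255.255.255) do not match
	# $wired_v4, so this rule covers unicast renewals; initial lease
	# acquisition presumably relies on dhcpcd reading the wire directly
	# -- confirm before depending on it for the first lease.
	pass in final family inet4 proto udp \
	    from $dhcpserver port bootps to $wired_v4 port bootpc

	# inbound ssh: create state on the SYN, the state then carries
	# the rest of the connection (stateless SYN-only would block it)
	pass stateful in final family inet6 proto tcp flags S/SA \
	    to $wired_v6 port ssh

	# the port mapping
	# Note the filter sees packets before translation
	pass in final family inet4 proto tcp from any to $wired_v4 port 80
	pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any

	# backup server: stateful on the SYN for tcp, stateless for udp
	# (udp replies go out via the stateful catch-all rules below)
	pass stateful in final family inet4 proto tcp flags S/SA \
	    from $backupsrv_v4 to $wired_v4 port $backup_port
	pass in final family inet4 proto udp \
	    from $backupsrv_v4 to $wired_v4 port $backup_port
	pass stateful in final family inet6 proto tcp flags S/SA \
	    from $backupsrv_v6 to $wired_v6 port $backup_port
	pass in final family inet6 proto udp \
	    from $backupsrv_v6 to $wired_v6 port $backup_port

	# udp services we offer, one rule per address family
	# (the inet4 rule must use the v4 address set or it never matches)
	pass stateful in final family inet6 proto udp to $wired_v6 \
	    port $services_udp
	pass stateful in final family inet4 proto udp to $wired_v4 \
	    port $services_udp

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wired_v6
	pass stateful out final family inet4 proto tcp flags S/SA \
	    from $wired_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wired_v6
	pass out final family inet4 proto tcp from $wired_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wired_v6
	pass stateful out final family inet4 from $wired_v4

}

group "wifi" on $wifi_if {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	# on this (less trusted) interface only ICMP addressed to us;
	# the inet4 rule must use the v4 address set or it never matches
	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	pass in final family inet4 proto icmp to $wifi_v4

	# DHCP replies.  The server is unknown on a wifi network, so the
	# only thing to match on is the source port, which any peer can
	# choose; dhcpcd has to do its own validation.  DHCP is UDP only
	# (RFC 2131), so there is no TCP bootps rule.
	pass in final family inet4 proto udp \
	    from any port bootps to $wifi_v4 port bootpc

	# inbound ssh: state is created on the SYN and carries the rest
	pass stateful in final family inet6 proto tcp flags S/SA \
	    to $wifi_v6 port ssh

	# udp services; replies leave via the stateful catch-all below
	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet4 proto udp to $wifi_v4 port $services_udp

	# IPsec: IKE plus ESP.
	# NOTE(review): NAT-T (udp port 4500) is not passed here; add it if
	# this host or its peers sit behind NAT.
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet4 proto udp to $wifi_v4 port isakmp
	pass in final family inet6 proto esp all
	pass in final family inet4 proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
	    from $wifi_v6
	pass stateful out final family inet4 proto tcp flags S/SA \
	    from $wifi_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet4 proto tcp from $wifi_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet4 from $wifi_v4
}

# reached only when no rule in the interface group matched
group default {
	pass final on lo0 all
	block all apply "log"
}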