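#
# npf.conf - packet filter / NAT ruleset for a two-interface host.
#
# All rules use "final", so the FIRST matching rule in a group wins;
# rule order within each group is therefore significant.
#
# ex0 - (internal) network interface
# 192.0.2.254/24
# hme0 - (external) connection to Peer
# 198.51.100.142/24

$int_if = "ex0"
$ext_if = "hme0"

# Internal (NAT'ed) network behind $int_if; used by the NAT map and the
# anti-spoofing rules on the external side.
$int_net = 192.0.2.0/24

# RFC 1918 private ranges. 172.16.0.0/12 covers 172.16.0.0-172.31.255.255;
# the narrower /14 previously used here left 172.20.0.0-172.31.255.255
# unblocked in both directions.
$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# ICMP application-level gateway: lets ICMP errors that embed a NAT'ed
# packet be associated with the right translation/state.
alg "icmp"

#
# NAT for all.
# Outbound traffic from the internal network is translated to the
# current IPv4 address of $ext_if.
#
map $ext_if dynamic $int_net -> inet4($ext_if)

# Optional blocklist loaded from a file; uncomment together with the
# matching "block in" rule in the external group.
#table <1> type tree file "/etc/npf_problem_sites"

# Rule procedure that logs matching packets to the npflog0 interface.
procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	# These are placed ahead of the $private_addr blocks on purpose:
	# DHCP exchanges may legitimately involve private/broadcast addresses.
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"
	#
	# Outbound traffic creates state; the corresponding return packets
	# are matched by that state and never consulted against the rules.
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	# Directed broadcast into the internal network.
	block in final proto tcp to 192.0.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall.
	# Packets arriving on the external interface must not claim to come
	# from loopback, from the internal network, or from our own external
	# address.
	#
	block in final from 127.0.0.1 apply "log"
	block in final from $int_net apply "log"
	block in final from inet4($ext_if) apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.
	#
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	# NOTE(review): these are stateless flag matches - any inbound TCP
	# segment with ACK (or RST) set is accepted regardless of whether a
	# connection exists, which also admits ACK/RST probes. Since the
	# "pass stateful out" rules above already cover return traffic, these
	# two rules are only needed for flows that predate the ruleset or are
	# routed asymmetrically; consider removing them if neither applies.
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC
	# Accepts reverse-VNC (listening viewer) connections from any source;
	# narrow "from any" to the expected peer address if it is known.
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	# Note that ICMPv6 is passed in full below: ICMPv6 carries neighbour
	# discovery and path-MTU signalling, so restricting it by type needs
	# care and is left as-is here.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	# Anything that reaches this point with only SYN set is a new inbound
	# connection attempt not explicitly allowed above.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	pass final all
}

group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel, needs interface pre-created, post-destroyed
	pass final on ppp0 all

	#
	# Block everything by default.
	# Reached only by packets that matched no rule in the interface
	# groups above (or arrived on an interface with no group).
	#
	block final all apply "log"
}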