2013-06-27 01:36:39 +04:00
|
|
|
# ex0 - (internal) network interface
|
2014-05-31 16:33:14 +04:00
|
|
|
# 192.0.2.254/24
|
|
|
|
# hme0 - (external) connection to Peer
|
|
|
|
# 198.51.100.142/24
|
2013-06-27 01:36:39 +04:00
|
|
|
|
2014-05-31 16:33:14 +04:00
|
|
|
$int_if = "ex0"
|
|
|
|
$ext_if = "hme0"
|
|
|
|
|
|
|
|
$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
|
2013-06-27 01:36:39 +04:00
|
|
|
|
|
|
|
alg "icmp"
|
|
|
|
|
|
|
|
#
|
|
|
|
# NAT for all.
|
|
|
|
#
|
2014-05-31 16:33:14 +04:00
|
|
|
map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)
|
2013-06-27 01:36:39 +04:00
|
|
|
|
|
|
|
#table <1> type tree file "/etc/npf_problem_sites"
|
|
|
|
|
|
|
|
procedure "log" {
|
|
|
|
log: npflog0
|
|
|
|
}
|
|
|
|
|
2013-09-20 21:51:04 +04:00
|
|
|
group "external" on $ext_if {
|
2013-06-27 01:36:39 +04:00
|
|
|
#
|
|
|
|
# Allow DHCP requests (even to reserved addresses).
|
|
|
|
#
|
|
|
|
pass out final proto udp from any port bootpc to any port bootps
|
|
|
|
pass in final proto udp from any port bootps to any port bootpc
|
|
|
|
pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
|
|
|
|
#
|
|
|
|
# Allow DNS queries
|
|
|
|
#
|
|
|
|
pass stateful out final proto udp to any port domain
|
|
|
|
|
|
|
|
# Problem sites.
|
|
|
|
#block in final from <1> apply "log"
|
|
|
|
|
|
|
|
#
|
|
|
|
# Block IANA-reserved addresses from entering or exiting
|
|
|
|
#
|
2014-05-31 16:33:14 +04:00
|
|
|
block in final from $private_addr apply "log"
|
|
|
|
block out final to $private_addr apply "log"
|
2013-06-27 01:36:39 +04:00
|
|
|
#
|
|
|
|
pass stateful out final proto tcp all
|
|
|
|
pass stateful out final proto udp all
|
|
|
|
pass stateful out final proto icmp all
|
|
|
|
pass stateful out final proto ipv6-icmp all
|
|
|
|
|
2014-05-31 16:33:14 +04:00
|
|
|
block in final proto tcp to 192.0.2.255 apply "log"
|
2013-06-27 01:36:39 +04:00
|
|
|
|
|
|
|
#
|
|
|
|
# Prevent IP spoofing attacks on the firewall.
|
|
|
|
#
|
|
|
|
block in final from 127.0.0.1 apply "log"
|
|
|
|
|
|
|
|
#
|
|
|
|
# L2TP/IPSEC-NAT-T Tunnels.
|
|
|
|
#
|
2014-05-28 03:34:43 +04:00
|
|
|
pass in final proto esp from any to inet4($ext_if)
|
|
|
|
pass out final proto esp from inet4($ext_if) to any
|
2014-05-28 03:24:42 +04:00
|
|
|
pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
|
|
|
|
pass stateful in final from any to inet4($ext_if) port l2tp
|
2013-06-27 01:36:39 +04:00
|
|
|
|
|
|
|
#
|
|
|
|
# Pass multicast.
|
|
|
|
# IGMP uses 224.0.0.1.
|
|
|
|
#
|
|
|
|
pass in final proto igmp all
|
|
|
|
pass in final from any to 224.0.0.0/4
|
|
|
|
|
|
|
|
#
|
|
|
|
# Pass established connections.
|
|
|
|
#
|
|
|
|
pass in final proto tcp flags A/A all
|
|
|
|
pass in final proto tcp flags R/R all
|
|
|
|
#
|
|
|
|
# VNC
|
|
|
|
#
|
|
|
|
pass in final proto tcp from any to any port 5500
|
|
|
|
|
|
|
|
#
|
|
|
|
# Web servers
|
|
|
|
#
|
|
|
|
#pass in final proto tcp from any to <A>/<M> port http
|
|
|
|
|
|
|
|
#
|
|
|
|
# Services on localhost.
|
|
|
|
#
|
|
|
|
#pass in final proto udp from any port ntp
|
|
|
|
#pass in final to any port imap
|
|
|
|
#pass in final to any port domain
|
|
|
|
#pass in final proto tcp to any port smtp
|
|
|
|
#pass in final proto tcp to any port auth
|
|
|
|
#pass in final proto tcp to any port ssh
|
|
|
|
#pass in final proto tcp to any port bgp
|
|
|
|
#pass in final proto tcp to any port ftp
|
|
|
|
#pass in final proto tcp to any port "ftp-data"
|
|
|
|
#pass in final proto udp to any port isakmp
|
|
|
|
#pass in final proto udp to any port 8001
|
|
|
|
#pass in final proto tcp to inet4($ext_if) port www
|
|
|
|
|
|
|
|
#
|
|
|
|
# Handle traceroute gracefully for up-to 30 hops away.
|
|
|
|
# FIXME: port-unr for ICMP is not yet supported.
|
|
|
|
#
|
|
|
|
block return-icmp in final proto udp to any port 33433-33524 apply "log"
|
|
|
|
|
|
|
|
#
|
|
|
|
# Only allow selected ICMP types.
|
|
|
|
#
|
|
|
|
pass in final proto icmp icmp-type echo all
|
|
|
|
pass in final proto icmp icmp-type timxceed all
|
|
|
|
pass in final proto icmp icmp-type unreach all
|
|
|
|
pass in final proto icmp icmp-type echoreply all
|
|
|
|
pass in final proto icmp icmp-type sourcequench all
|
|
|
|
pass in final proto icmp icmp-type paramprob all
|
|
|
|
pass in final proto ipv6-icmp all
|
|
|
|
|
|
|
|
#
|
|
|
|
# Send back a reset for new connections on tcp.
|
|
|
|
#
|
|
|
|
block return-rst in final proto tcp flags S/SA all apply "log"
|
|
|
|
}
|
|
|
|
|
2013-09-20 21:51:04 +04:00
|
|
|
group "internal" on $int_if {
|
2013-06-27 01:36:39 +04:00
|
|
|
# Pass everything to internal networks,
|
|
|
|
# should be ok, because we are nat'ed.
|
|
|
|
pass final all
|
|
|
|
}
|
|
|
|
|
2013-09-20 21:51:04 +04:00
|
|
|
group default {
|
2013-06-27 01:36:39 +04:00
|
|
|
# Loopback interface should allows packets to traverse it.
|
|
|
|
pass final on lo0 all
|
|
|
|
# For one L2TP tunnel, needs interface pre-created, post-destroyed
|
|
|
|
pass final on ppp0 all
|
|
|
|
|
|
|
|
#
|
|
|
|
# Block everything by default.
|
|
|
|
#
|
|
|
|
block final all apply "log"
|
|
|
|
}
|