Indent to improve readability.
Add a description for the log event.
This commit is contained in:
parent
8c07fa7cf5
commit
92b94ad4f3
@ -1,4 +1,4 @@
|
||||
# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
|
||||
# $NetBSD: host-npf.conf,v 1.10 2019/04/16 10:52:28 sevan Exp $
|
||||
#
|
||||
# Simple ruleset for a host with (i.e., not routing) two interfaces,
|
||||
# ethernet and wifi.
|
||||
@ -22,16 +22,16 @@ $wifi_addrs = ifaddrs(iwn0)
|
||||
alg "icmp"
|
||||
|
||||
procedure "log" {
|
||||
log: npflog0
|
||||
# Send log events to npflog0, see npfd(8)
|
||||
log: npflog0
|
||||
}
|
||||
|
||||
group "wired" on $wired_if {
|
||||
# Placeholder for blacklistd (configuration separate) to add blocked hosts
|
||||
ruleset "blacklistd"
|
||||
|
||||
# Allow SSH on wired interface
|
||||
pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
|
||||
# Placeholder for blacklistd (configuration separate) to add blocked hosts
|
||||
ruleset "blacklistd"
|
||||
|
||||
# Allow SSH on wired interface and log all connection attempts
|
||||
pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
|
||||
}
|
||||
|
||||
group "wifi" on $wifi_if {
|
||||
@ -39,28 +39,28 @@ group "wifi" on $wifi_if {
|
||||
}
|
||||
|
||||
group default {
|
||||
# Default deny, otherwise last matching rule wins
|
||||
block all apply "log"
|
||||
# Default deny, otherwise last matching rule wins
|
||||
block all apply "log"
|
||||
|
||||
# Don't block loopback
|
||||
pass on lo0 all
|
||||
# Don't block loopback
|
||||
pass on lo0 all
|
||||
|
||||
# Allow incoming DHCP server responses
|
||||
pass in family inet4 proto udp from any port bootps to any port bootpc
|
||||
pass in family inet6 proto udp from any to any port "dhcpv6-client"
|
||||
# Allow incoming DHCP server responses
|
||||
pass in family inet4 proto udp from any port bootps to any port bootpc
|
||||
pass in family inet6 proto udp from any to any port "dhcpv6-client"
|
||||
|
||||
# Allow IPv6 ICMP
|
||||
pass family inet6 proto ipv6-icmp all
|
||||
# Allow IPv6 ICMP
|
||||
pass family inet6 proto ipv6-icmp all
|
||||
|
||||
# Allow incoming IPv4 pings
|
||||
pass in family inet4 proto icmp icmp-type echo all
|
||||
# Allow incoming IPv4 pings
|
||||
pass in family inet4 proto icmp icmp-type echo all
|
||||
|
||||
# Allow being tracerouted
|
||||
pass in proto udp to any port 33434-33600
|
||||
# Allow being tracerouted
|
||||
pass in proto udp to any port 33434-33600
|
||||
|
||||
# Allow incoming mDNS traffic from neighbours
|
||||
pass in proto udp to any port mdns
|
||||
# Allow incoming mDNS traffic from neighbours
|
||||
pass in proto udp to any port mdns
|
||||
|
||||
# Allow all outbound traffic
|
||||
pass stateful out all
|
||||
# Allow all outbound traffic
|
||||
pass stateful out all
|
||||
}
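Review bot: The re-indented SSH rule in the group "wired" hunk, `pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"`, is stateless while the only return path is `pass stateful out all` in the default group; as far as I can tell NPF's TCP tracker only creates a state from an initial SYN, so the outbound SYN-ACK of an inbound SSH session may fail state creation and be dropped — verify against npf.conf(5) and the TCP state engine before relying on this ruleset. Writing the inbound rule as `pass stateful in on $wired_if proto tcp to $wired_addrs port ssh apply "log"` avoids depending on that behaviour. The new comment `# Allow SSH on wired interface and log all connection attempts` also overstates what is logged: `apply "log"` on a pass rule records packets matching that rule, whereas attempts rejected by the blacklistd ruleset or by the default `block all apply "log"` are handled (and logged or not) by those rules, so `# Allow SSH on wired interface; packets matching this rule are logged` would be more accurate.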
|
||||
|