Provide a simpler config for a host which permits any traffic from the host out,
and small subset of traffic in (DHCP (v4 and v6), All ICMPv6, ICMP echo requests, traceroute, mDNS).
This commit is contained in:
sevan
parent
04559c5d43
commit
d249bc88a9
|
|
@ -1,131 +1,66 @@
|
|||
# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $
|
||||
# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
|
||||
#
|
||||
# this is an example of NPF rules for a host (i.e., not routing) with
|
||||
# two network interfaces, wired and wifi
|
||||
# Simple ruleset for a host with (i.e., not routing) two interfaces,
|
||||
# ethernet and wifi.
|
||||
#
|
||||
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
|
||||
# it also does IPSEC on the wifi
|
||||
# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
|
||||
# are permitted, inbound, on either interface.
|
||||
#
|
||||
# SSH to the host is allowed in via the ethernet interface.
|
||||
# blacklistd(8) is used to prevent SSH bruteforce attempts.
|
||||
#
|
||||
# No specific rules for the wifi interface.
|
||||
#
|
||||
# All traffic from the host is permitted, outbound, on either interface.
|
||||
#
|
||||
|
||||
$wired_if = "wm0"
|
||||
$wired_v4 = { inet4(wm0) }
|
||||
$wired_v6 = { inet6(wm0) }
|
||||
$wifi_if = "iwn0"
|
||||
$wired_addrs= ifaddrs(wm0)
|
||||
$wifi_addrs = ifaddrs(iwn0)
|
||||
|
||||
$wifi_if = "iwn0"
|
||||
$wifi_v4 = { inet4(iwn0) }
|
||||
$wifi_v6 = { inet6(iwn0) }
|
||||
alg "icmp"
|
||||
|
||||
$dhcpserver = { 198.51.100.1 }
|
||||
|
||||
# sample udp service
|
||||
$services_udp = { ntp }
|
||||
|
||||
# sample mixed service
|
||||
$backupsrv_v4 = { 198.51.100.11 }
|
||||
$backupsrv_v6 = { 2001:0DB8:404::11 }
|
||||
$backup_port = { amanda }
|
||||
|
||||
# watching a tcpdump of npflog0, when it only logs blocks,
|
||||
# can be very helpful for building the rules you actually need
|
||||
procedure "log" {
|
||||
log: npflog0
|
||||
log: npflog0
|
||||
}
|
||||
|
||||
# make a service running on a high port on 127.0.0.1 available on $wired_if
|
||||
# see also the pass rules below
|
||||
map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80
|
||||
|
||||
group "wired" on $wired_if {
|
||||
# Placeholder for blacklistd (configuration separate) to add blocked hosts
|
||||
ruleset "blacklistd"
|
||||
|
||||
# not being picky about our own address here
|
||||
pass in final family inet6 proto ipv6-icmp all
|
||||
pass out final family inet6 proto ipv6-icmp all
|
||||
pass in final family inet4 proto icmp all
|
||||
|
||||
pass in final family inet4 proto tcp \
|
||||
from $dhcpserver port bootps to $wired_v4 port bootpc
|
||||
pass in final family inet4 proto udp \
|
||||
from $dhcpserver port bootps to $wired_v4 port bootpc
|
||||
|
||||
pass in final family inet6 proto tcp to $wired_v6 port ssh
|
||||
|
||||
# the port mapping
|
||||
# Note the filter sees packets before translation
|
||||
pass in final family inet4 proto tcp from any to $wired_v4 port 80
|
||||
pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any
|
||||
|
||||
pass in final family inet4 proto tcp flags S/SA \
|
||||
from $backupsrv_v4 to $wired_v4 port $backup_port
|
||||
pass in final family inet4 proto udp \
|
||||
from $backupsrv_v4 to $wired_v4 port $backup_port
|
||||
pass in final family inet6 proto tcp flags S/SA \
|
||||
from $backupsrv_v6 to $wired_v6 port $backup_port
|
||||
pass in final family inet6 proto udp \
|
||||
from $backupsrv_v6 to $wired_v6 port $backup_port
|
||||
|
||||
pass stateful in final family inet6 proto udp to $wired_v6 \
|
||||
port $services_udp
|
||||
pass stateful in final family inet4 proto udp to $wired_v4 \
|
||||
port $services_udp
|
||||
|
||||
# only SYN packets need to generate state
|
||||
pass stateful out final family inet6 proto tcp flags S/SA \
|
||||
from $wired_v6
|
||||
pass stateful out final family inet4 proto tcp flags S/SA \
|
||||
from $wired_v4
|
||||
# pass the other tcp packets without generating extra state
|
||||
pass out final family inet6 proto tcp from $wired_v6
|
||||
pass out final family inet4 proto tcp from $wired_v4
|
||||
|
||||
# all other types of traffic, generate state per packet
|
||||
pass stateful out final family inet6 from $wired_v6
|
||||
pass stateful out final family inet4 from $wired_v4
|
||||
# Allow SSH on wired interface
|
||||
pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
|
||||
|
||||
}
|
||||
|
||||
group "wifi" on $wifi_if {
|
||||
# linklocal
|
||||
pass in final family inet6 proto ipv6-icmp to fe80::/10
|
||||
pass out final family inet6 proto ipv6-icmp from fe80::/10
|
||||
|
||||
# administrative multicasts
|
||||
pass in final family inet6 proto ipv6-icmp to ff00::/10
|
||||
pass out final family inet6 proto ipv6-icmp from ff00::/10
|
||||
|
||||
pass in final family inet6 proto ipv6-icmp to $wifi_v6
|
||||
pass in final family inet4 proto icmp to $wifi_v4
|
||||
|
||||
pass in final family inet4 proto tcp \
|
||||
from any port bootps to $wifi_v4 port bootpc
|
||||
pass in final family inet4 proto udp \
|
||||
from any port bootps to $wifi_v4 port bootpc
|
||||
|
||||
pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
|
||||
|
||||
pass in final family inet6 proto udp to $wifi_v6 port $services_udp
|
||||
pass in final family inet4 proto udp to $wifi_v4 port $services_udp
|
||||
|
||||
# IPSEC
|
||||
pass in final family inet6 proto udp to $wifi_v6 port isakmp
|
||||
pass in final family inet4 proto udp to $wifi_v4 port isakmp
|
||||
pass in family inet6 proto esp all
|
||||
pass in family inet4 proto esp all
|
||||
|
||||
# only SYN packets need to generate state
|
||||
pass stateful out final family inet6 proto tcp flags S/SA \
|
||||
from $wifi_v6
|
||||
pass stateful out final family inet4 proto tcp flags S/SA \
|
||||
from $wifi_v4
|
||||
# pass the other tcp packets without generating extra state
|
||||
pass out final family inet6 proto tcp from $wifi_v6
|
||||
pass out final family inet4 proto tcp from $wifi_v4
|
||||
|
||||
# all other types of traffic, generate state per packet
|
||||
pass stateful out final family inet6 from $wifi_v6
|
||||
pass stateful out final family inet4 from $wifi_v4
|
||||
}
|
||||
|
||||
group default {
|
||||
pass final on lo0 all
|
||||
block all apply "log"
|
||||
# Default deny, otherwise last matching rule wins
|
||||
block all apply "log"
|
||||
|
||||
# Don't block loopback
|
||||
pass on lo0 all
|
||||
|
||||
# Allow incoming DHCP server responses
|
||||
pass in family inet4 proto udp from any port bootps to any port bootpc
|
||||
pass in family inet6 proto udp from any to any port "dhcpv6-client"
|
||||
|
||||
# Allow IPv6 ICMP
|
||||
pass family inet6 proto ipv6-icmp all
|
||||
|
||||
# Allow incoming IPv4 pings
|
||||
pass in family inet4 proto icmp icmp-type echo all
|
||||
|
||||
# Allow being tracerouted
|
||||
pass in proto udp to any port 33434-33600
|
||||
|
||||
# Allow incoming mDNS traffic from neighbours
|
||||
pass in proto udp to any port mdns
|
||||
|
||||
# Allow all outbound traffic
|
||||
pass stateful out all
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue