diff --git a/share/examples/npf/host-npf.conf b/share/examples/npf/host-npf.conf
index be4772492610..50eb320ea5d8 100644
--- a/share/examples/npf/host-npf.conf
+++ b/share/examples/npf/host-npf.conf
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2 2012/08/22 06:45:17 spz Exp $
+# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@@ -7,7 +7,12 @@
 # it also does IPSEC on the wifi
 #
 $wired_if = "wm0"
+$wired_v4 = { inet4(wm0) }
+$wired_v6 = { inet6(wm0) }
+
 $wifi_if = "iwn0"
+$wifi_v4 = { inet4(iwn0) }
+$wifi_v6 = { inet6(iwn0) }
 $dhcpserver = { 198.51.100.1 }
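Review bot: The new address sets repeat the interface names literally (`inet4(wm0)`, `inet6(iwn0)`) directly under `$wired_if = "wm0"` and `$wifi_if = "iwn0"`, so anyone adapting this example to their own hardware now has three places per interface to edit and nothing in the file flags a mismatch. If the grammar accepts a variable inside `inet4()`/`inet6()` the sets could be derived from `$wired_if`/`$wifi_if`; I have not verified that it does. Otherwise a comment such as `# keep the interface names in these sets in sync with $wired_if / $wifi_if above` would at least make the coupling visible.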
@@ -37,38 +42,38 @@ group (name "wired", interface $wired_if) {
 pass in final family inet proto icmp all
 pass in final family inet proto tcp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
 pass in final family inet proto udp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet6 proto tcp to $wired_if port ssh
+ pass in final family inet6 proto tcp to $wired_v6 port ssh
 pass in final family inet proto tcp flags S/SA \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
 pass in final family inet proto udp \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
 pass in final family inet6 proto tcp flags S/SA \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
 pass in final family inet6 proto udp \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
- pass stateful in final family inet6 proto udp to $wired_if \
+ pass stateful in final family inet6 proto udp to $wired_v6 \
 port $services_udp
- pass stateful in final family inet proto udp to $wired_if \
+ pass stateful in final family inet proto udp to $wired_v6 \
 port $services_udp
 # only SYN packets need to generate state
 pass stateful out final family inet6 proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v6 apply "rid"
 pass stateful out final family inet proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v4 apply "rid"
 # pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wired_if apply "rid"
- pass out final family inet proto tcp from $wired_if apply "rid"
+ pass out final family inet6 proto tcp from $wired_v6 apply "rid"
+ pass out final family inet proto tcp from $wired_v4 
apply "rid"
 # all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wired_if apply "rid"
- pass stateful out final family inet from $wired_if apply "rid"
+ pass stateful out final family inet6 from $wired_v6 apply "rid"
+ pass stateful out final family inet from $wired_v4 apply "rid"
 }
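Review bot: The IPv4 inbound UDP services rule in this hunk now references the IPv6 address set: `pass stateful in final family inet proto udp to $wired_v6 \` should read `pass stateful in final family inet proto udp to $wired_v4 \` (the `port $services_udp` continuation is unchanged). With `family inet` and a set populated by `inet6(wm0)` the rule cannot match any IPv4 packet, so inbound IPv4 UDP to those services on the wired interface silently stops being passed and falls through to whatever rule or group follows. The inet6 rule directly above it and the corresponding wifi rule elsewhere in this commit pair family and set correctly, so this looks like a copy/paste slip. For a mechanical rewrite like this it is worth grepping that every `family inet` rule uses a `_v4` set and every `family inet6` rule a `_v6` set before committing.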
@@ -81,37 +86,37 @@ group (name "wifi", interface $wifi_if) {
 pass in final family inet6 proto ipv6-icmp to ff00::/10
 pass out final family inet6 proto ipv6-icmp from ff00::/10
- pass in final family inet6 proto ipv6-icmp to $wifi_if
- pass in final family inet proto icmp to $wifi_if
+ pass in final family inet6 proto ipv6-icmp to $wifi_v6
+ pass in final family inet proto icmp to $wifi_v6
 pass in final family inet proto tcp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
 pass in final family inet proto udp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
- pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh
+ pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
- pass in final family inet6 proto udp to $wifi_if port $services_udp
- pass in final family inet proto udp to $wifi_if port $services_udp
+ pass in final family inet6 proto udp to $wifi_v6 port $services_udp
+ pass in final family inet proto udp to $wifi_v4 port $services_udp
 # IPSEC
- pass in final family inet6 proto udp to $wifi_if port isakmp
- pass in final family inet proto udp to $wifi_if port isakmp
+ pass in final family inet6 proto udp to $wifi_v6 port isakmp
+ pass in final family inet proto udp to $wifi_v4 port isakmp
 pass in family inet6 proto esp all
 pass in family inet proto esp all
 # only SYN packets need to generate state
 pass stateful out final family inet6 proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v6 apply "rid"
 pass stateful out final family inet proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v4 apply "rid"
 # pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wifi_if apply "rid"
- pass out final family inet proto tcp from $wifi_if apply "rid"
+ pass out final family inet6 proto tcp from $wifi_v6 apply "rid"
+ pass out final family inet proto tcp from $wifi_v4 apply "rid"
 # all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wifi_if apply "rid"
- pass stateful out final family inet from $wifi_if apply "rid"
+ pass stateful out final family inet6 from $wifi_v6 apply "rid"
+ pass stateful out final family inet from $wifi_v4 apply "rid"
 }
 group (default) {
diff --git a/share/examples/npf/soho_gw-npf.conf b/share/examples/npf/soho_gw-npf.conf
index 18a78c9ff7e4..e733f122a2e3 100644
--- a/share/examples/npf/soho_gw-npf.conf
+++ b/share/examples/npf/soho_gw-npf.conf
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2 2012/08/21 08:25:21 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # SOHO border
 #
@@ -6,6 +6,9 @@
 # IPv4 only
 #
 $ext_if = "wm0"
+$ext_v4 = inet4(wm0)
+$ext_addrs = { ifnet(wm0) }
+
 $int_if = "wm1"
 # a table to house e.g. block candidates in
@@ -20,11 +23,11 @@ $localnet = { 198.51.100.0/24 }
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022
 procedure "log" {
 log: npflog0
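Review bot: The IPv4 ICMP rule near the top of the wifi hunk pairs `family inet` with the IPv6 address set: `pass in final family inet proto icmp to $wifi_v6` should be `pass in final family inet proto icmp to $wifi_v4`. As written the rule cannot match an IPv4 packet, so ICMP addressed to the wifi interface's IPv4 address (echo requests, and ICMP error messages such as fragmentation-needed, unless NPF's state tracking admits those on its own) is no longer passed by this group. Every other rule in the hunk pairs the family with the matching set, and the sibling `ipv6-icmp` rule right above it is correct, which makes this look like a one-character slip in the rewrite.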
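Review bot: `$ext_addrs = { ifnet(wm0) }` collects every address configured on wm0 regardless of family, while the header three lines up says "IPv4 only" and `$ext_v4` is deliberately restricted to `inet4(wm0)`; the diff does not say why two differently scoped sets are wanted. If an IPv6 address is ever configured on wm0, any rule written against `$ext_addrs` without a `family` keyword will start matching IPv6 traffic too. If that is not the intent, `$ext_addrs = { inet4(wm0) }` keeps the example honest; if it is, a comment such as `# every address on wm0, any family -- rules using this set are not family-restricted` should say so. The different quoting of the two definitions (`inet4(wm0)` bare, `{ ifnet(wm0) }` braced) presumably reflects that `map` needs a single translation address rather than a set, but a short comment would save the next reader the guess.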
@@ -35,18 +38,18 @@ procedure "rid" {
 }
 group (name "external", interface $ext_if) {
- pass stateful out final from $ext_if apply "rid"
+ pass stateful out final from $ext_addrs apply "rid"
 block in final from <1>
- pass stateful in final family inet proto tcp to $ext_if port ssh \
+ pass stateful in final family inet proto tcp to $ext_v4 port ssh \
 apply "log"
- pass stateful in final proto tcp to $ext_if port $services_tcp
- pass stateful in final proto udp to $ext_if port $services_udp
+ pass stateful in final proto tcp to $ext_addrs port $services_tcp
+ pass stateful in final proto udp to $ext_addrs port $services_udp
 # Passive FTP
- pass stateful in final proto tcp to $ext_if port 49151-65535
+ pass stateful in final proto tcp to $ext_addrs port 49151-65535
 # Traceroute
- pass stateful in final proto udp to $ext_if port 33434-33600
+ pass stateful in final proto udp to $ext_addrs port 33434-33600
 }
 group (name "internal", interface $int_if) {
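Review bot: Within the "external" group only the ssh rule is pinned to `family inet` and `$ext_v4`; the services, passive-FTP and traceroute rules switch to `$ext_addrs`, which the earlier hunk defines as `{ ifnet(wm0) }` (all families on the interface), and they carry no `family` keyword. In a file that declares itself IPv4-only that asymmetry is surprising: should wm0 ever acquire an IPv6 address, `$services_tcp`/`$services_udp`, `49151-65535` and `33434-33600` become reachable over IPv6 as well, and unlike ssh none of them is logged. Either write those rules as `pass stateful in final family inet proto tcp to $ext_v4 port $services_tcp` (and likewise for the others) to match the ssh rule, or add a comment above the group stating that the `$ext_addrs` rules intentionally cover any address family. The outbound `pass stateful out final from $ext_addrs apply "rid"` is consistent with whichever choice is documented.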