Rename the block table to something else to make it easier to differentiate

between action and name. Use this table as the example for populating by npfctl. Drop the int-block table, it's quite cumbersome to have a firewall which needs the internal network lists added if reboot. Use the localnet variable to indicated which network we should pass in traffic from instead.
2019-11-18 22:27:27 +00:00 · 2019-11-18 22:27:27 +00:00 · f692f6d8b0
commit f692f6d8b0
parent 404ee5b933
1 changed files with 7 additions and 8 deletions
--- a/share/examples/npf/soho_gw-npf.conf
+++ b/share/examples/npf/soho_gw-npf.conf
@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.19 2019/09/22 19:51:18 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.20 2019/11/18 22:27:27 sevan Exp $
 #
 # SOHO border
 #
@ -12,10 +12,9 @@ $ext_addrs = ifaddrs(wm0)

 $int_if = "wm1"

-# a table to house e.g. block candidates in
-table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
-# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
-table <int-block> type lpm
+# a "naughty" step^W table to house blocked candidates in
+# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
+table <naughty> type ipset

 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
@ -39,8 +38,8 @@ group "external" on $ext_if {
 	# Allow all outbound traffic
 	pass stateful out all

-	# Block inbound traffic from those on the block table 
-	block in from <block>
+	# Block inbound traffic from those on the naughty table 
+	block in from <naughty>

 	# Placeholder for blacklistd (configuration separate) to add blocked hosts
 	ruleset "blacklistd"
@ -61,7 +60,7 @@ group "external" on $ext_if {

 group "internal" on $int_if {
 	# Allow inbound traffic from LAN
-	pass in from <int-block>
+	pass in from $localnet

 	# All outbound traffic to LAN
 	pass out all