342 lines
10 KiB
Groff
342 lines
10 KiB
Groff
.\" $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $
|
|
.\"
|
|
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This material is based upon work partially supported by The
|
|
.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd February 6, 2014
|
|
.Dt NPF.CONF 5
|
|
.Os
|
|
.Sh NAME
|
|
.Nm npf.conf
|
|
.Nd NPF packet filter configuration file
|
|
.\" -----
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
is the default configuration file for the NPF packet filter.
|
|
.Pp
|
|
This manual page serves as a reference for editing
|
|
.Nm .
|
|
Please refer to the official NPF documentation for comprehensive and
|
|
in-depth information.
|
|
.Pp
|
|
There are multiple structural elements
|
|
.Nm
|
|
may contain:
|
|
.Cd variable
|
|
and
|
|
.Cd table
|
|
definitions (with or without content), abstraction
|
|
.Cd groups ,
|
|
packet filtering
|
|
.Cd rules ,
|
|
.Cd map
|
|
rules for address translation and
|
|
.Cd procedure
|
|
definitions to call on filtered packets.
|
|
The minimal
|
|
.Nm
|
|
must contain a mandatory
|
|
.Cd default group .
|
|
.Sh SYNTAX
|
|
.Ss Variables
|
|
Variables are specified using the dollar ($) sign, which is used both
|
|
in definitions and uses of a variable.
|
|
Variables are defined by assigning a value to them as follows:
|
|
.Bd -literal
|
|
$var1 = 10.0.0.1
|
|
.Ed
|
|
.Pp
|
|
A variable may also be defined as a set:
|
|
.Bd -literal
|
|
$var2 = { 10.0.0.1, 10.0.0.2 }
|
|
.Ed
|
|
.Pp
|
|
Common variable definitions are for IP addresses, networks, ports,
|
|
and interfaces.
|
|
.Ss Tables
|
|
Tables are specified using a name between angle brackets
|
|
\*[Lt] and \*[Gt].
|
|
The following is an example of table definition:
|
|
.Bd -literal
|
|
table <black> type hash dynamic
|
|
.Pp
|
|
.Ed
|
|
Currently, tables support three storage types: "hash", "tree", or "cdb".
|
|
They can also be "dynamic" or static i.e. loaded from the specified file.
|
|
.Pp
|
|
The file should contain a list of IP addresses and/or networks in the form of:
|
|
.Bd -literal
|
|
10.0.0.0/24
|
|
10.1.1.1
|
|
.Ed
|
|
.Pp
|
|
Tables of type "hash" and "cdb" can only contain IP addresses.
|
|
Also, the latter can only be static.
|
|
.Ss Interfaces
|
|
Interfaces can be specified as the values of the variables:
|
|
.Pp
|
|
.Bd -literal
|
|
$pub_if_list = { inet4(wm0), inet4(wm1) }
|
|
.Ed
|
|
.Pp
|
|
In the context of filtering, an interface provides a list of its
|
|
all IP addresses, including IPv4 and IPv6.
|
|
Specific interface addresses can be selected by the family, e.g.:
|
|
.Bd -literal
|
|
$pub_if4 = inet4(wm0)
|
|
$pub_if46 = { inet4(wm0), inet6(wm0) }
|
|
.Ed
|
|
.Ss Groups
|
|
Groups may have the following options: name, interface, and direction.
|
|
They are defined in the following form:
|
|
.Pp
|
|
.Bd -literal
|
|
group "my-name" in on wm0 {
|
|
# List of rules
|
|
}
|
|
.Ed
|
|
.Ss Rules
|
|
With a rule statement NPF is instructed to
|
|
.Cd pass
|
|
or
|
|
.Cd block
|
|
a packet depending on packet header information, transit direction and
|
|
interface it arrives on, either immediately upon match (keyword
|
|
.Cd final )
|
|
or using the last match.
|
|
The rule can also instruct NPF to create an entry in the state table
|
|
when passing the packet, to notify the sender when blocking it, and
|
|
to apply a procedure to the packet (e.g. "log") in either case.
|
|
.Pp
|
|
A "fully-featured" rule would for example be:
|
|
.Bd -literal
|
|
pass stateful in final family inet proto tcp flags S/SA \\
|
|
from $source port $sport to $dest port $dport apply "someproc"
|
|
.Ed
|
|
.Pp
|
|
Any protocol in
|
|
.Pa /etc/protocols
|
|
can be specified.
|
|
Further packet
|
|
specification at present is limited to protocol TCP understanding flags,
|
|
TCP and UDP understanding source and destination ports, and ICMP and
|
|
IPv6-ICMP understanding icmp-type.
|
|
.Pp
|
|
Alternatively, NPF supports
|
|
.Xr pcap-filter 7
|
|
syntax, for example:
|
|
.Bd -literal
|
|
block out final pcap-filter "tcp and dst 10.1.1.252"
|
|
.Ed
|
|
.Pp
|
|
Fragments are not selectable since NPF always reassembles packets
|
|
before further processing.
|
|
.Ss Map
|
|
Network Address Translation (NAT) is expressed in a form of segment mapping.
|
|
At present, only dynamic translation is supported.
|
|
The following mapping types are available:
|
|
.Pp
|
|
.Bl -tag -width <-> -compact
|
|
.It Pa ->
|
|
outbound NAT (translation of the source)
|
|
.It Pa <-
|
|
inbound NAT (translation of the destination)
|
|
.It Pa <->
|
|
bi-directional NAT (combination of inbound and outbound NAT)
|
|
.El
|
|
.Pp
|
|
The following would translate the source to the IP address specified
|
|
by the $pub_ip for the packets on the interface $ext_if.
|
|
.Bd -literal
|
|
map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
|
|
.Ed
|
|
.Pp
|
|
Translations are implicitly filtered by limiting the operation to the
|
|
network segments specified, that is, translation would be performed only
|
|
on packets originating from 10.1.1.0/24 network.
|
|
Explicit filter criteria can be specified using "pass <criteria>" as
|
|
an additional option of the mapping.
|
|
.Ss Procedures
|
|
A rule procedure is defined as a collection of extension calls (it
|
|
may have none).
|
|
Every extension call has a name and a list of options in the form of
|
|
key-value pairs.
|
|
Depending on the call, the key might represent the argument and the value
|
|
might be optional.
|
|
For example:
|
|
.Bd -literal
|
|
procedure "someproc" {
|
|
log: npflog0
|
|
normalize: "random-id", "min-ttl" 64
|
|
}
|
|
.Ed
|
|
.Pp
|
|
In this case, the procedure calls the logging and normalisation modules.
|
|
.Ss Misc
|
|
Text after a hash
|
|
.Pq Sq #
|
|
character is considered a comment.
|
|
The backslash
|
|
.Pq Sq \e
|
|
character at the end of a line marks a continuation line,
|
|
i.e., the next line is considered an extension of the present line.
|
|
.Sh GRAMMAR
|
|
The following is a non-formal BNF-like definition of the grammar.
|
|
The definition is simplified and is intended to be human readable,
|
|
therefore it does not strictly represent the full syntax, which
|
|
is more flexible.
|
|
.Bd -literal
|
|
; Syntax of a single line. Lines can be separated by LF (\\n) or
|
|
; a semicolon. Comments start with a hash (#) character.
|
|
|
|
syntax = var-def | table-def | map | group | rproc | comment
|
|
|
|
; Variable definition. Names can be alpha-numeric, including "_" character.
|
|
|
|
var-name = "$" . string
|
|
interface = interface-name | var-name
|
|
var-def = var "=" ( var-value | "{" value *[ "," value ] "}" )
|
|
|
|
; Table definition. Table ID shall be numeric. Path is in the double quotes.
|
|
|
|
table-id = \*[Lt]table-name\*[Gt]
|
|
table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" )
|
|
( "dynamic" | "file" path )
|
|
|
|
; Mapping for address translation.
|
|
|
|
map = "map" interface ( "static" | "dynamic" )
|
|
net-seg ( "->" | "<-" | "<->" ) net-seg
|
|
[ "pass" filt-opts ]
|
|
|
|
; Rule procedure definition. The name should be in the double quotes.
|
|
;
|
|
; Each call can have its own options in a form of key-value pairs.
|
|
; Both key and values may be strings (either in double quotes or not)
|
|
; and numbers, depending on the extension.
|
|
|
|
proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}"
|
|
proc-opts = key " " val [ "," proc-opts ]
|
|
proc-call = call-name ":" proc-opts new-line
|
|
|
|
; Group definition and the rule list.
|
|
|
|
group = "group" ( "default" | group-opts ) "{" rule-list "}"
|
|
group-opts = name-string [ "in" | "out" ] [ "on" interface ]
|
|
rule-list = [ rule new-line ] rule-list
|
|
|
|
npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ]
|
|
( "all" | filt-opts )
|
|
static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ]
|
|
[ "in" | out" ] [ "final" ] [ "on" interface ]
|
|
( npf-filter | "pcap-filter" pcap-filter-expr )
|
|
[ "apply" proc-name ]
|
|
|
|
dynamic-ruleset = "ruleset" group-opts
|
|
rule = static-rule | dynamic-ruleset
|
|
|
|
block-opts = "return-rst" | "return-icmp" | "return"
|
|
family-opt = "inet" | "inet6"
|
|
proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] |
|
|
"icmp-type" type [ "code" icmp-code ]
|
|
|
|
addr-mask = addr [ "/" mask ]
|
|
filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
|
|
filt-addr = [ interface | var-name | addr-mask | table-id | "any" ]
|
|
filt-port = "port" ( port-num | port-from "-" port-to | var-name )
|
|
.Ed
|
|
.\" -----
|
|
.Sh FILES
|
|
.Bl -tag -width /usr/share/examples/npf -compact
|
|
.It Pa /dev/npf
|
|
control device
|
|
.It Pa /etc/npf.conf
|
|
default configuration file
|
|
.It Pa /usr/share/examples/npf
|
|
directory containing further examples
|
|
.El
|
|
.\" -----
|
|
.Sh EXAMPLES
|
|
.Bd -literal
|
|
$ext_if = { inet4(wm0), inet6(wm0) }
|
|
$int_if = { inet4(wm1), inet6(wm1) }
|
|
|
|
table <black> type hash file "/etc/npf_blacklist"
|
|
table <limited> type tree dynamic
|
|
|
|
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
|
|
$services_udp = { domain, ntp, 6000 }
|
|
$localnet = { 10.1.1.0/24 }
|
|
|
|
# Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
|
|
# then the translation address has to be specified explicitly.
|
|
map $ext_if dynamic 10.1.1.0/24 -> $ext_if
|
|
map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022
|
|
|
|
procedure "log" {
|
|
# Note: npf_ext_log kernel module should be loaded, if not built-in.
|
|
# Also, the interface created, e.g.: ifconfig npflog0 create
|
|
log: npflog0
|
|
}
|
|
|
|
group "external" on $ext_if {
|
|
pass stateful out final all
|
|
|
|
block in final from \*[Lt]black\*[Gt]
|
|
pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
|
|
pass stateful in final proto tcp to $ext_if port $services_tcp
|
|
pass stateful in final proto udp to $ext_if port $services_udp
|
|
pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP
|
|
pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute
|
|
}
|
|
|
|
group "internal" on $int_if {
|
|
block in all
|
|
block in final from \*[Lt]limited\*[Gt]
|
|
|
|
# Ingress filtering as per RFC 2827.
|
|
pass in final from $localnet
|
|
pass out final all
|
|
}
|
|
|
|
group default {
|
|
pass final on lo0 all
|
|
block all
|
|
}
|
|
.Ed
|
|
.\" -----
|
|
.Sh SEE ALSO
|
|
.Xr bpf 4 ,
|
|
.Xr pcap-filter 7 ,
|
|
.Xr npfctl 8
|
|
.Sh HISTORY
|
|
NPF first appeared in
|
|
.Nx 6.0 .
|
|
.Sh AUTHORS
|
|
NPF was designed and implemented by
|
|
.An Mindaugas Rasiukevicius .
|