Source-Changes-HG archive
[src/trunk]: src/share/examples/npf - match up comment and interface identifiers
details: https://anonhg.NetBSD.org/src/rev/9a65df86c1fb
branches: trunk
changeset: 329628:9a65df86c1fb
user: spz <spz%NetBSD.org@localhost>
date: Sat May 31 12:33:14 2014 +0000
description:
- match up comment and interface identifiers
- use RFC5737 documentation prefixes
- use a variable for the RFC1918 private address ranges
diffstat:
share/examples/npf/l2tp_gw-npf.conf | 25 +++++++++++--------------
1 files changed, 11 insertions(+), 14 deletions(-)
diffs (53 lines):
diff -r 8eff4d6bfbb0 -r 9a65df86c1fb share/examples/npf/l2tp_gw-npf.conf
--- a/share/examples/npf/l2tp_gw-npf.conf Sat May 31 11:54:37 2014 +0000
+++ b/share/examples/npf/l2tp_gw-npf.conf Sat May 31 12:33:14 2014 +0000
@@ -1,17 +1,19 @@
# ex0 - (internal) network interface
-# 192.168.2.254/24
-# hme0 - (external) connection to Two Sigma
-# 74.66.0.142/24
+# 192.0.2.254/24
+# hme0 - (external) connection to Peer
+# 198.51.100.142/24
-$int_if = "sk0"
-$ext_if = "bge0"
+$int_if = "ex0"
+$ext_if = "hme0"
+
+$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
alg "icmp"
#
# NAT for all.
#
-map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)
+map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)
#table <1> type tree file "/etc/npf_problem_sites"
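Review bot: The new `$private_addr` list writes the second RFC1918 range as `172.16.0.0/14`, while the per-range rules it replaces in the later hunk used `172.16.0.0/12`. A /14 covers only 172.16.0.0–172.19.255.255, so the `block in final from $private_addr` and `block out final to $private_addr` rules in the second hunk no longer match 172.20.0.0–172.31.255.255. Anyone copying this example as-is gets a narrower anti-spoofing filter than the previous revision provided. The line should read `$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }`.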
@@ -37,20 +39,15 @@
#
# Block IANA-reserved addresses from entering or exiting
#
- block in final from 10.0.0.0/8 apply "log"
- block in final from 172.16.0.0/12 apply "log"
- block in final from 192.168.0.0/16 apply "log"
- #
- block out final to 10.0.0.0/8 apply "log"
- block out final to 172.16.0.0/12 apply "log"
- block out final to 192.168.0.0/16 apply "log"
+ block in final from $private_addr apply "log"
+ block out final to $private_addr apply "log"
#
pass stateful out final proto tcp all
pass stateful out final proto udp all
pass stateful out final proto icmp all
pass stateful out final proto ipv6-icmp all
- block in final proto tcp to 192.168.2.255 apply "log"
+ block in final proto tcp to 192.0.2.255 apply "log"
#
# Prevent IP spoofing attacks on the firewall.
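Review bot: The heading comment `# Block IANA-reserved addresses from entering or exiting` promises more than the two new rules match, because `$private_addr` holds only the RFC1918 ranges. A reader may assume that loopback, link-local or other reserved prefixes are also filtered here. I would reword it to `# Block RFC1918 private addresses ($private_addr) from entering or exiting`. The rules are indented, so they presumably sit in a group that opens and closes outside this hunk, and which interface they apply to is not visible here.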