[src/matt-nb6-plus]: src/share/examples/npf Add missing files.
details: https://anonhg.NetBSD.org/src/rev/ac3d7c24fab2
branches: matt-nb6-plus
changeset: 774491:ac3d7c24fab2
user: matt <matt%NetBSD.org@localhost>
date: Tue Nov 20 23:13:35 2012 +0000
description:
Add missing files.
diffstat:
share/examples/npf/Makefile | 12 +++
share/examples/npf/hashtablefile | 8 ++
share/examples/npf/host-npf.conf | 120 ++++++++++++++++++++++++++++++++++++
share/examples/npf/soho_gw-npf.conf | 62 ++++++++++++++++++
share/examples/npf/treetablefile | 8 ++
5 files changed, 210 insertions(+), 0 deletions(-)
diffs (230 lines):
diff -r 5028d89b3d69 -r ac3d7c24fab2 share/examples/npf/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/Makefile Tue Nov 20 23:13:35 2012 +0000
@@ -0,0 +1,12 @@
+# $NetBSD: Makefile,v 1.1.8.2 2012/11/20 23:13:35 matt Exp $
+
+NOOBJ= # defined
+
+.include <bsd.own.mk>
+
+.if ${MKSHARE} != "no"
+FILES= host-npf.conf soho_gw-npf.conf hashtablefile treetablefile
+FILESDIR= /usr/share/examples/npf
+.endif
+
+.include <bsd.prog.mk>
diff -r 5028d89b3d69 -r ac3d7c24fab2 share/examples/npf/hashtablefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/hashtablefile Tue Nov 20 23:13:35 2012 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: hashtablefile,v 1.1.8.2 2012/11/20 23:13:36 matt Exp $
+#
+# hash tables can only have single IP addresses
+#
+# entry comment 1 (optional)
+192.0.2.7
+# entry comment 2 (optional)
+198.51.100.48
diff -r 5028d89b3d69 -r ac3d7c24fab2 share/examples/npf/host-npf.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/host-npf.conf Tue Nov 20 23:13:35 2012 +0000
@@ -0,0 +1,120 @@
+# $NetBSD: host-npf.conf,v 1.2.8.2 2012/11/20 23:13:36 matt Exp $
+#
+# this is an example of NPF rules for a host (i.e., not routing) with
+# two network interfaces, wired and wifi
+#
+# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
+# it also does IPSEC on the wifi
+#
+$wired_if = "wm0"
+$wifi_if = "iwn0"
+
+$dhcpserver = { 198.51.100.1 }
+
+# sample udp service
+$services_udp = { ntp }
+
+# sample mixed service
+$backupsrv_v4 = { 198.51.100.11 }
+$backupsrv_v6 = { 2001:0DB8:404::11 }
+$backup_port = { amanda }
+
+# watching a tcpdump of npflog0, when it only logs blocks,
+# can be very helpful for building the rules you actually need
+procedure "log" {
+ log: npflog0
+}
+
+procedure "rid" {
+ normalise: "random-id"
+}
+
+group (name "wired", interface $wired_if) {
+
+ # not being picky about our own address here
+ pass in final family inet6 proto ipv6-icmp all
+ pass out final family inet6 proto ipv6-icmp all
+ pass in final family inet proto icmp all
+
+ pass in final family inet proto tcp \
+ from $dhcpserver port bootps to $wired_if port bootpc
+ pass in final family inet proto udp \
+ from $dhcpserver port bootps to $wired_if port bootpc
+
+ pass in final family inet6 proto tcp to $wired_if port ssh
+
+ pass in final family inet proto tcp flags S/SA \
+ from $backupsrv_v4 to $wired_if port $backup_port
+ pass in final family inet proto udp \
+ from $backupsrv_v4 to $wired_if port $backup_port
+ pass in final family inet6 proto tcp flags S/SA \
+ from $backupsrv_v6 to $wired_if port $backup_port
+ pass in final family inet6 proto udp \
+ from $backupsrv_v6 to $wired_if port $backup_port
+
+ pass stateful in final family inet6 proto udp to $wired_if \
+ port $services_udp
+ pass stateful in final family inet proto udp to $wired_if \
+ port $services_udp
+
+ # only SYN packets need to generate state
+ pass stateful out final family inet6 proto tcp flags S/SA \
+ from $wired_if apply "rid"
+ pass stateful out final family inet proto tcp flags S/SA \
+ from $wired_if apply "rid"
+ # pass the other tcp packets without generating extra state
+ pass out final family inet6 proto tcp from $wired_if apply "rid"
+ pass out final family inet proto tcp from $wired_if apply "rid"
+
+ # all other types of traffic, generate state per packet
+ pass stateful out final family inet6 from $wired_if apply "rid"
+ pass stateful out final family inet from $wired_if apply "rid"
+
+}
+
+group (name "wifi", interface $wifi_if) {
+ # linklocal
+ pass in final family inet6 proto ipv6-icmp to fe80::/10
+ pass out final family inet6 proto ipv6-icmp from fe80::/10
+
+ # administrative multicasts
+ pass in final family inet6 proto ipv6-icmp to ff00::/10
+ pass out final family inet6 proto ipv6-icmp from ff00::/10
+
+ pass in final family inet6 proto ipv6-icmp to $wifi_if
+ pass in final family inet proto icmp to $wifi_if
+
+ pass in final family inet proto tcp \
+ from any port bootps to $wifi_if port bootpc
+ pass in final family inet proto udp \
+ from any port bootps to $wifi_if port bootpc
+
+ pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh
+
+ pass in final family inet6 proto udp to $wifi_if port $services_udp
+ pass in final family inet proto udp to $wifi_if port $services_udp
+
+ # IPSEC
+ pass in final family inet6 proto udp to $wifi_if port isakmp
+ pass in final family inet proto udp to $wifi_if port isakmp
+ pass in family inet6 proto esp all
+ pass in family inet proto esp all
+
+ # only SYN packets need to generate state
+ pass stateful out final family inet6 proto tcp flags S/SA \
+ from $wifi_if apply "rid"
+ pass stateful out final family inet proto tcp flags S/SA \
+ from $wifi_if apply "rid"
+ # pass the other tcp packets without generating extra state
+ pass out final family inet6 proto tcp from $wifi_if apply "rid"
+ pass out final family inet proto tcp from $wifi_if apply "rid"
+
+ # all other types of traffic, generate state per packet
+ pass stateful out final family inet6 from $wifi_if apply "rid"
+ pass stateful out final family inet from $wifi_if apply "rid"
+}
+
+group (default) {
+ pass final on lo0 all
+ block all apply "log"
+}
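Review bot: The two ESP rules in the "wifi" group, `pass in family inet6 proto esp all` and `pass in family inet proto esp all`, are the only pass rules in this file without `final`, so rule processing continues past them instead of stopping with an accept; whether an ESP packet is ultimately passed or blocked then depends on whatever matches later (including the logging `block all` in the default group) rather than on these two lines. If the intent matches the neighbouring isakmp rules, they should read `pass in final family inet6 proto esp all` and `pass in final family inet proto esp all`. A smaller inconsistency: the wired ssh rule `pass in final family inet6 proto tcp to $wired_if port ssh` lacks the `flags S/SA` qualifier that the wifi ssh rule carries, and a short comment would tell the reader whether that difference is deliberate.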
diff -r 5028d89b3d69 -r ac3d7c24fab2 share/examples/npf/soho_gw-npf.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/soho_gw-npf.conf Tue Nov 20 23:13:35 2012 +0000
@@ -0,0 +1,62 @@
+# $NetBSD: soho_gw-npf.conf,v 1.2.8.2 2012/11/20 23:13:36 matt Exp $
+#
+# SOHO border
+#
+# This is a natting border gateway/webserver/mailserver/nameserver
+# IPv4 only
+#
+$ext_if = "wm0"
+$int_if = "wm1"
+
+# a table to house e.g. block candidates in
+table <1> type hash file "/usr/share/examples/npf/hashtablefile"
+# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
+table <2> type tree dynamic
+
+$services_tcp = { http, https, smtp, domain, 6000, 9022 }
+$services_udp = { domain, ntp, 6000 }
+$localnet = { 198.51.100.0/24 }
+
+# NAT outgoing to the address of the external interface
+# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
+map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+
+# NAT traffic arriving on port 9022 of the external interface address
+# to host 198.51.100.2 port 22
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+
+procedure "log" {
+ log: npflog0
+}
+
+procedure "rid" {
+ normalise: "random-id"
+}
+
+group (name "external", interface $ext_if) {
+ pass stateful out final from $ext_if apply "rid"
+
+ block in final from <1>
+ pass stateful in final family inet proto tcp to $ext_if port ssh \
+ apply "log"
+ pass stateful in final proto tcp to $ext_if port $services_tcp
+ pass stateful in final proto udp to $ext_if port $services_udp
+
+ # Passive FTP
+ pass stateful in final proto tcp to $ext_if port 49151-65535
+ # Traceroute
+ pass stateful in final proto udp to $ext_if port 33434-33600
+}
+
+group (name "internal", interface $int_if) {
+ block in all
+ pass in final from <2>
+ pass out final all
+}
+
+group (default) {
+ pass final on lo0 all
+ block all
+}
+
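Review bot: `$localnet` is defined as `$localnet = { 198.51.100.0/24 }` but never referenced, while the NAT rule hardcodes the same prefix in `map $ext_if dynamic 198.51.100.0/24 -> $ext_if`, so the two will drift apart when an administrator changes one of them. Writing it as `map $ext_if dynamic $localnet -> $ext_if` keeps the example self-consistent. Separately, the external ssh rule `pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"` accepts connections from any source, and the 9022 entry in `$services_tcp` forwards to 198.51.100.2 port 22 with the same exposure; a comment above these rules such as `# restrict 'from' to known management addresses before deploying` would make the example's scope clear to people copying it.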
diff -r 5028d89b3d69 -r ac3d7c24fab2 share/examples/npf/treetablefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/treetablefile Tue Nov 20 23:13:35 2012 +0000
@@ -0,0 +1,8 @@
+# $NetBSD: treetablefile,v 1.1.8.2 2012/11/20 23:13:36 matt Exp $
+#
+# tree tables can have address blocks
+#
+# entry comment 1 (optional)
+198.51.100.40/30
+# entry comment 2 (optional)
+192.0.2.7