[src/trunk]: src/etc Add an initial ruleset and rc script for NPF to protect ...
details: https://anonhg.NetBSD.org/src/rev/d678e199b38c
branches: trunk
changeset: 840309:d678e199b38c
user: sevan <sevan%NetBSD.org@localhost>
date: Tue Apr 02 01:50:32 2019 +0000
description:
Add an initial ruleset and rc script for NPF to protect host during early stage
of boot, similar to what is currently available for PF.
diffstat:
etc/defaults/npf.boot.conf | 37 +++++++++++++++++++++++++++++++++++++
etc/rc.d/npf_boot | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 74 insertions(+), 0 deletions(-)
diffs (82 lines):
diff -r c349d64416d0 -r d678e199b38c etc/defaults/npf.boot.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/defaults/npf.boot.conf Tue Apr 02 01:50:32 2019 +0000
@@ -0,0 +1,37 @@
+# $NetBSD: npf.boot.conf,v 1.1 2019/04/02 01:50:32 sevan Exp $
+#
+# /etc/defaults/npf.boot.conf --
+# initial configuration for npf(4)
+#
+# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
+# EDIT /etc/npf.boot.conf INSTEAD.
+#
+
+
+set bpf.jit off
+
+group default {
+# Default deny.
+block all
+
+# Don't block loopback.
+pass on lo0 all
+
+# Allow outgoing DNS.
+pass stateful out to any port domain
+
+# Allow outgoing ping request, might be used by a DHCP client to validate
+# old (but valid) leases in case it needs to fall back to such a lease
+# (the DHCP server can be down or not responding).
+pass stateful out proto icmp icmp-type echo all
+
+# Allow IPv6 router/neighbor solicitation and advertisement.
+pass out family inet6 proto ipv6-icmp icmp-type rtsol all
+pass in family inet6 proto ipv6-icmp icmp-type rtadv all
+pass out family inet6 proto ipv6-icmp icmp-type neighsol all
+pass in family inet6 proto ipv6-icmp icmp-type neighadv all
+
+# Enable CARP, to avoid spurious failovers.
+pass proto carp all
+
+}
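Review bot: `set bpf.jit off` on line 31 is the only setting in the file and the only directive without a comment, while every rule in the group below explains itself; a reader of this defaults file cannot tell whether disabling the JIT is a workaround or a deliberate choice for the early-boot stage, so a one-line comment stating the reason (e.g. `# BPF JIT is deliberately left off for the early-boot ruleset: <reason>`) would help. A second documentation gap: the ping rule's comment (lines 43-45) mentions a DHCP client validating leases, yet the ruleset passes no DHCP traffic at all (no bootps/bootpc rule), so the default-deny on line 35 would appear to block lease acquisition; if this relies on the DHCP client talking via bpf(4) rather than the IP stack, that assumption is worth one comment next to the `block all` so a later maintainer does not "fix" it either way. Since this file is meant to be copied to /etc/npf.boot.conf and edited, such rationale comments are what users will carry over.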
diff -r c349d64416d0 -r d678e199b38c etc/rc.d/npf_boot
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/rc.d/npf_boot Tue Apr 02 01:50:32 2019 +0000
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# $NetBSD: npf_boot,v 1.1 2019/04/02 01:50:32 sevan Exp $
+#
+
+# PROVIDE: npf_boot
+# REQUIRE: root bootconf mountcritlocal tty
+# BEFORE: network
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="npf_boot"
+rcvar="npf"
+start_cmd="npf_boot_start"
+stop_cmd=":"
+
+npf_boot_start()
+{
+ if [ "$autoboot" != "yes" ]; then
+ err 1 "This script should only be executed at boot time."
+ fi
+
+ if [ -f /etc/npf.boot.conf ]; then
+ /sbin/npfctl reload /etc/npf.boot.conf
+ elif [ -f /etc/defaults/npf.boot.conf ]; then
+ /sbin/npfctl reload /etc/defaults/npf.boot.conf
+ else
+ warn "can't load initial npf rules; npf start aborted."
+ stop_boot
+ exit 1
+ fi
+
+ /sbin/npfctl start
+}
+
+load_rc_config $name
+run_rc_command "$1"
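Review bot: The exit status of `/sbin/npfctl reload` on lines 85 and 87 is never checked, so a ruleset that fails to parse or load (most likely the user-edited /etc/npf.boot.conf, which is preferred over the defaults) falls straight through to `/sbin/npfctl start` on line 94 and the host continues booting without the early-boot rules the script exists to install; the `else` branch on lines 88-92 fails closed via `stop_boot`, but the two branches that actually load a file do not. With `#!/bin/sh` and no `set -e`, nothing else catches this. The same applies to `/sbin/npfctl start` itself. I would choose the file first and then guard both calls with the existing `warn`/`stop_boot`/`exit 1` pattern, as below; the `autoboot` check and the rc variables are unchanged.
```shell
npf_boot_start()
{
	# … unchanged: autoboot check …

	if [ -f /etc/npf.boot.conf ]; then
		conf=/etc/npf.boot.conf
	elif [ -f /etc/defaults/npf.boot.conf ]; then
		conf=/etc/defaults/npf.boot.conf
	else
		warn "can't load initial npf rules; npf start aborted."
		stop_boot
		exit 1
	fi

	# Fail closed: a ruleset that does not load must not let boot continue
	# with the filter empty or inactive.
	if ! /sbin/npfctl reload "$conf"; then
		warn "can't load initial npf rules from $conf; npf start aborted."
		stop_boot
		exit 1
	fi

	if ! /sbin/npfctl start; then
		warn "can't start npf; npf start aborted."
		stop_boot
		exit 1
	fi
}
```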