Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/share/examples/npf add an L2TP Gateway example.



details:   https://anonhg.NetBSD.org/src/rev/1e8fd4ec1781
branches:  trunk
changeset: 787622:1e8fd4ec1781
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Jun 26 21:33:56 2013 +0000

description:
add an L2TP Gateway example.

diffstat:

 share/examples/npf/Makefile     |    3 +-
 share/examples/npf/l2tp-gw.conf |  146 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 148 insertions(+), 1 deletions(-)

diffs (167 lines):

diff -r e2ccd6044b66 -r 1e8fd4ec1781 share/examples/npf/Makefile
--- a/share/examples/npf/Makefile       Wed Jun 26 20:52:28 2013 +0000
+++ b/share/examples/npf/Makefile       Wed Jun 26 21:33:56 2013 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: Makefile,v 1.1 2012/08/22 06:45:16 spz Exp $
+#      $NetBSD: Makefile,v 1.2 2013/06/26 21:33:56 christos Exp $
 
 NOOBJ= # defined
 
@@ -6,6 +6,7 @@
 
 .if ${MKSHARE} != "no"
 FILES=         host-npf.conf soho_gw-npf.conf hashtablefile treetablefile
+FILES+=                l2tp-gw.conf
 FILESDIR=      /usr/share/examples/npf
 .endif
 
diff -r e2ccd6044b66 -r 1e8fd4ec1781 share/examples/npf/l2tp-gw.conf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/l2tp-gw.conf   Wed Jun 26 21:33:56 2013 +0000
@@ -0,0 +1,146 @@
+# ex0 - (internal) network interface
+#      192.168.2.254/24
+# hme0 - (external) connection to Two Sigma
+#      74.66.0.142/24
+
+$int_if = "sk0"
+$ext_if = "bge0"
+
+alg "icmp"
+
+#
+# NAT for all.
+#
+map $ext_if dynamic 192.168.1.0/24 -> inet4($ext_if)
+
+#table <1> type tree file "/etc/npf_problem_sites"
+
+procedure "log" {
+       log: npflog0
+}
+
+group (name "external", interface $ext_if) {
+       #
+       # Allow DHCP requests (even to reserved addresses).
+       #
+       pass out final proto udp from any port bootpc to any port bootps
+       pass in final proto udp from any port bootps to any port bootpc
+       pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
+       #
+       # Allow DNS queries
+       #
+       pass stateful out final proto udp to any port domain
+
+       # Problem sites.
+       #block in final from <1> apply "log"
+
+       #
+       # Block IANA-reserved addresses from entering or exiting
+       #
+       block in final from 10.0.0.0/8 apply "log"
+       block in final from 172.16.0.0/12 apply "log"
+       block in final from 192.168.0.0/16 apply "log"
+       #
+       block out final to 10.0.0.0/8 apply "log"
+       block out final to 172.16.0.0/12 apply "log"
+       block out final to 192.168.0.0/16 apply "log"
+       #
+       pass stateful out final proto tcp all
+       pass stateful out final proto udp all
+       pass stateful out final proto icmp all
+       pass stateful out final proto ipv6-icmp all
+
+       block in final proto tcp to 192.168.2.255 apply "log"
+
+       #
+       # Prevent IP spoofing attacks on the firewall.
+       #
+       block in final from 127.0.0.1 apply "log"
+
+       #
+       # L2TP/IPSEC-NAT-T Tunnels.
+       #
+       pass in final proto udp from any to inet4($ext_if) port isakmp
+       pass in final proto esp from any to inet4($ext_if)
+       pass out final proto esp from any to inet4($ext_if)
+       pass in final proto ah from any to inet4($ext_if)
+       pass in final from any to inet4($ext_if) port "ipsec-nat-t"
+
+       #
+       # Pass multicast.
+       # IGMP uses 224.0.0.1.
+       #
+       pass in final proto igmp all
+       pass in final from any to 224.0.0.0/4
+
+       #
+       # Pass established connections.
+       #
+       pass in final proto tcp flags A/A all
+       pass in final proto tcp flags R/R all
+       #
+       # VNC
+       #
+       pass in final proto tcp from any to any port 5500
+
+       #
+       # Web servers
+       #
+       #pass in final proto tcp from any to <A>/<M> port http
+
+       #
+       # Services on localhost.
+       #
+       #pass in final proto udp from any port ntp
+       #pass in final to any port imap
+       #pass in final to any port domain
+       #pass in final proto tcp to any port smtp
+       #pass in final proto tcp to any port auth
+       #pass in final proto tcp to any port ssh
+       #pass in final proto tcp to any port bgp
+       #pass in final proto tcp to any port ftp
+       #pass in final proto tcp to any port "ftp-data"
+       #pass in final proto udp to any port isakmp
+       #pass in final proto udp to any port 8001
+       #pass in final proto tcp to inet4($ext_if) port www
+
+       #
+       # Handle traceroute gracefully for up-to 30 hops away.
+       # FIXME: port-unr for ICMP is not yet supported.
+       #
+       block return-icmp in final proto udp to any port 33433-33524 apply "log"
+
+       #
+       # Only allow selected ICMP types.
+       #
+       pass in final proto icmp icmp-type echo all
+       pass in final proto icmp icmp-type timxceed all
+       pass in final proto icmp icmp-type unreach all
+       pass in final proto icmp icmp-type echoreply all
+       pass in final proto icmp icmp-type sourcequench all
+       pass in final proto icmp icmp-type paramprob all
+       pass in final proto ipv6-icmp all
+
+       #
+       # Send back a reset for new connections on tcp.
+       #
+       block return-rst in final proto tcp flags S/SA all apply "log"
+}
+
+group (name "internal", interface $int_if) {
+       # Pass everything to internal networks,
+       # should be ok, because we are nat'ed.
+       pass final all
+}
+
+group (default) {
+       # Loopback interface should allows packets to traverse it.
+       pass final on lo0 all
+       # For one L2TP tunnel, needs interface pre-created, post-destroyed
+       pass final on ppp0 all
+
+       #
+       # Block everything by default.
+       #
+       block final all apply "log"
+}



Home | Main Index | Thread Index | Old Index