Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-9]: src/share/examples/npf Pull up following revision(s) (request...



details:   https://anonhg.NetBSD.org/src/rev/8c7b2f2149a0
branches:  netbsd-9
changeset: 1001147:8c7b2f2149a0
user:      martin <martin%NetBSD.org@localhost>
date:      Tue Nov 19 10:56:35 2019 +0000

description:
Pull up following revision(s) (requested by sevan in ticket #444):

        share/examples/npf/soho_gw-npf.conf: revision 1.13
        share/examples/npf/soho_gw-npf.conf: revision 1.14
        share/examples/npf/soho_gw-npf.conf: revision 1.15
        share/examples/npf/soho_gw-npf.conf: revision 1.16
        share/examples/npf/soho_gw-npf.conf: revision 1.17
        share/examples/npf/soho_gw-npf.conf: revision 1.18
        share/examples/npf/soho_gw-npf.conf: revision 1.19
        share/examples/npf/soho_gw-npf.conf: revision 1.20

Drop the final keyword to use the default policy of last matching rule wins
default policy is to blockall

Add descriptions for all rules and make use of localnet variable in
place of direct IP address
improve description

pastos

Passive FTP works as a client without this and we're not hosting an FTP
server (port are not listed in services_tcp)

Add support for blacklistd

Rename the block table to something else to make it easier to differentiate
between action and name. Use this table as the example for populating by
npfctl.

Drop the int-block table, it's quite cumbersome to have a firewall which
needs the internal network lists added if reboot. Use the localnet
variable to indicated which network we should pass in traffic from instead.

diffstat:

 share/examples/npf/soho_gw-npf.conf |  57 ++++++++++++++++++++++++------------
 1 files changed, 37 insertions(+), 20 deletions(-)

diffs (95 lines):

diff -r 1fe45745174b -r 8c7b2f2149a0 share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf       Tue Nov 19 06:21:24 2019 +0000
+++ b/share/examples/npf/soho_gw-npf.conf       Tue Nov 19 10:56:35 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.12 2019/04/11 10:17:21 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.12.2.1 2019/11/19 10:56:35 martin Exp $
 #
 # SOHO border
 #
@@ -12,10 +12,9 @@
 
 $int_if = "wm1"
 
-# a table to house e.g. block candidates in
-table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
-# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
-table <int-block> type lpm
+# a "naughty" step^W table to house blocked candidates in
+# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
+table <naughty> type ipset
 
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
@@ -24,38 +23,56 @@
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
+map $ext_if dynamic $localnet -> $ext_v4
 
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
 map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
 
 procedure "log" {
+       # Send log events to npflog0, see npfd(8)
        log: npflog0
 }
 
 group "external" on $ext_if {
-       pass stateful out final all
+       # Allow all outbound traffic
+       pass stateful out all
+
+       # Block inbound traffic from those on the naughty table 
+       block in from <naughty>
 
-       block in final from <block>
-       pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
+       # Placeholder for blacklistd (configuration separate) to add blocked hosts
+       ruleset "blacklistd"
+
+       # Allow inbound SSH and log all connection attempts
+       pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
                apply "log"
-       pass stateful in final proto tcp to $ext_addrs port $services_tcp
-       pass stateful in final proto udp to $ext_addrs port $services_udp
+
+       # Allow inbound traffic for services hosted on TCP
+       pass stateful in proto tcp to $ext_addrs port $services_tcp
 
-       # Passive FTP
-       pass stateful in final proto tcp to $ext_addrs port 49151-65535
-       # Traceroute
-       pass stateful in final proto udp to $ext_addrs port 33434-33600
+       # Allow inbound traffic for services hosted on UDP
+       pass stateful in proto udp to $ext_addrs port $services_udp
+
+       # Allow being tracerouted
+       pass stateful in proto udp to $ext_addrs port 33434-33600
 }
 
 group "internal" on $int_if {
-       block in all
-       pass in final from <int-block>
-       pass out final all
+       # Allow inbound traffic from LAN
+       pass in from $localnet
+
+       # All outbound traffic to LAN
+       pass out all
 }
 
 group default {
-       pass final on lo0 all
-       block all
+       # Default deny, otherwise last matching rule wins
+       block all apply "log"
+
+       # Don't block loopback
+       pass on lo0 all
+
+       # Allow incoming IPv4 pings
+       pass in family inet4 proto icmp icmp-type echo all
 }



Home | Main Index | Thread Index | Old Index