[src/trunk]: src/share/examples/npf Add descriptions for all rules and make u...
details: https://anonhg.NetBSD.org/src/rev/17fe0e672e10
branches: trunk
changeset: 1003589:17fe0e672e10
user: sevan <sevan%NetBSD.org@localhost>
date: Sat Sep 21 20:41:52 2019 +0000
description:
Add descriptions for all rules and make use of localnet variable in place of direct IP address
diffstat:
share/examples/npf/soho_gw-npf.conf | 24 +++++++++++++++++++++---
1 files changed, 21 insertions(+), 3 deletions(-)
diffs (65 lines):
diff -r cefeefc89a00 -r 17fe0e672e10 share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf Sat Sep 21 20:35:52 2019 +0000
+++ b/share/examples/npf/soho_gw-npf.conf Sat Sep 21 20:41:52 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.14 2019/09/21 20:35:52 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.15 2019/09/21 20:41:52 sevan Exp $
#
# SOHO border
#
@@ -24,23 +24,32 @@
# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
+map $ext_if dynamic $localnet -> $ext_v4
# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
procedure "log" {
+ # Send log events to npflog0, see npfd(8)
log: npflog0
}
group "external" on $ext_if {
+ # Allow all outbound traffic
pass stateful out all
+ # Block inbound traffic from those on the block table
block in from <block>
+
+ # Allow SSH on wired interface and log all connection attempts
pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
apply "log"
+
+ # Allow inbound traffic for services hosted on TCP
pass stateful in proto tcp to $ext_addrs port $services_tcp
+
+ # Allow inbound traffic for services hosted on TCP
pass stateful in proto udp to $ext_addrs port $services_udp
# Passive FTP
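Review bot: The comment added above the UDP services rule is a copy of the one above the TCP rule and so names the wrong protocol; it should read `# Allow inbound traffic for services hosted on UDP`. The SSH comment says "wired interface" while the rule it describes matches on $ext_if, the external interface; `# Allow SSH on the external interface and log all connection attempts` says what the rule does. The comment style is otherwise consistent with the sibling rules. Group "external" continues past the end of this hunk.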
@@ -50,11 +59,20 @@
}
group "internal" on $int_if {
+ # Allow inbound traffic from LAN
pass in from <int-block>
+
+ # All outbound traffic to LAN
pass out all
}
group default {
+ # Default deny, otherwise last matching rule wins
+ block all apply "log"
+
+ # Don't block loopback
pass on lo0 all
- block all
+
+ # Allow incoming IPv4 pings
+ pass in family inet4 proto icmp icmp-type echo all
}
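Review bot: The comment above `pass out all` in group "internal" is missing the verb the neighbouring comments use and reads as a fragment; `# Allow all outbound traffic to LAN` matches them. The moved `block all` is now first in group "default", and the comment explaining why could be more direct: `# Default deny; placed first because the last matching rule wins`. The new echo rule is not stateful, so a reply leaving on an interface that falls into this group would meet only `block all`; if that is not intended, `pass stateful in family inet4 proto icmp icmp-type echo all` would presumably create state for the reply, though whether npf tracks ICMP echo state should be confirmed against npf.conf(5).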