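# $NetBSD: host-npf.conf,v 1.2.4.3 2012/12/11 04:31:53 riz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
#
# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
# it also does IPSEC on the wifi
#
# reading notes:
#  - "final" stops rule processing at the first match, so the order of
#    the "pass ... final" rules inside a group matters; a rule without
#    "final" can still be overridden by a later matching rule
#  - "family inet" rules must use the *_v4 tables and "family inet6"
#    rules the *_v6 tables; a rule pairing family inet with an IPv6
#    table (or vice versa) can never match anything
#  - no interface group passes inbound traffic it does not name
#    explicitly, so anything else ends up in the default group at the
#    bottom, where it is blocked and logged (presumably the intended
#    default-deny posture; confirm against npf.conf(5) for your release)
#

# interface names plus the address tables for each; inet4()/inet6()
# refer to the addresses configured on that interface
$wired_if = "wm0"
$wired_v4 = { inet4(wm0) }
$wired_v6 = { inet6(wm0) }

$wifi_if = "iwn0"
$wifi_v4 = { inet4(iwn0) }
$wifi_v6 = { inet6(iwn0) }

# the only host allowed to answer DHCP on the wired side
# (the wifi group below accepts bootps replies from any source)
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service (same port, tcp and udp, from one known host)
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

group (name "wired", interface $wired_if) {

	# not being picky about our own address here
	pass in final family inet6 proto ipv6-icmp all
	pass out final family inet6 proto ipv6-icmp all
	pass in final family inet proto icmp all

	# DHCP replies, only from the known server; DHCP itself is udp,
	# so the tcp variant is not expected to see traffic but is harmless
	pass in final family inet proto tcp \
		from $dhcpserver port bootps to $wired_v4 port bootpc
	pass in final family inet proto udp \
		from $dhcpserver port bootps to $wired_v4 port bootpc

	# inbound ssh, v6 only on this interface; note this has no
	# "flags S/SA" restriction, unlike the wifi ssh rule
	pass in final family inet6 proto tcp to $wired_v6 port ssh

	# the backup server may reach the backup port over tcp and udp;
	# "flags S/SA" (SYN set, ACK clear) restricts the tcp rules to
	# connection-opening segments
	pass in final family inet proto tcp flags S/SA \
		from $backupsrv_v4 to $wired_v4 port $backup_port
	pass in final family inet proto udp \
		from $backupsrv_v4 to $wired_v4 port $backup_port
	pass in final family inet6 proto tcp flags S/SA \
		from $backupsrv_v6 to $wired_v6 port $backup_port
	pass in final family inet6 proto udp \
		from $backupsrv_v6 to $wired_v6 port $backup_port

	# stateful inbound udp services; the inet rule uses the v4 table
	# (family inet with $wired_v6 could never match an IPv4 packet)
	pass stateful in final family inet6 proto udp to $wired_v6 \
		port $services_udp
	pass stateful in final family inet proto udp to $wired_v4 \
		port $services_udp

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wired_v6
	pass stateful out final family inet proto tcp flags S/SA \
		from $wired_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wired_v6
	pass out final family inet proto tcp from $wired_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wired_v6
	pass stateful out final family inet from $wired_v4

}

group (name "wifi", interface $wifi_if) {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	# icmp only when addressed to our own addresses (stricter than the
	# wired side); the inet rule uses the v4 table so it can match
	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	pass in final family inet proto icmp to $wifi_v4

	# DHCP replies from any server, presumably because the server on a
	# wifi network is not known in advance (contrast $dhcpserver above)
	pass in final family inet proto tcp \
		from any port bootps to $wifi_v4 port bootpc
	pass in final family inet proto udp \
		from any port bootps to $wifi_v4 port bootpc

	# inbound ssh, v6 only, SYN segments only
	pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh

	# inbound udp services (not stateful here, unlike the wired group)
	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet proto udp to $wifi_v4 port $services_udp

	# IPSEC: IKE on the isakmp port, then ESP itself.  The esp rules are
	# the only ones in this file without "final", so later rules in this
	# group are still consulted for ESP packets -- confirm that is intended
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet proto udp to $wifi_v4 port isakmp
	pass in family inet6 proto esp all
	pass in family inet proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wifi_v6
	pass stateful out final family inet proto tcp flags S/SA \
		from $wifi_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet proto tcp from $wifi_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet from $wifi_v4
}

group (default) {
	# loopback is unrestricted
	pass final on lo0 all
	# everything not explicitly passed above is dropped, and the "log"
	# procedure sends it to npflog0 so the drops can be inspected
	block all apply "log"
}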