# Interface roles. inet4(...) restricts each variable to the IPv4 addresses of
# the interface, so the family-less rules below still only ever see IPv4.
# NOTE(review): the xennet0/1/2 -> external/local/internal mapping is an
# assumption carried in the variable names; confirm it against the guest's
# actual attachments before relying on the per-group policies.
$ext_if = inet4(xennet0)
$local_if = inet4(xennet1)
$int_if = inet4(xennet2)
# Run the compiled filter bytecode in the BPF interpreter instead of the JIT.
set bpf.jit off
# Static deny-list, read from the file when the ruleset is loaded (a reload is
# needed to pick up edits to the file).
table <blacklist> type hash file "/etc/npf_blacklist"
# Runtime-managed tables: both start empty and are filled by an external agent
# (presumably fail2ban and a rate-limiter via npfctl) — nothing in this file
# adds entries to them.
table <fail2ban> type tree dynamic
table <limited> type tree dynamic
# Published services; the symbolic names are resolved when the ruleset is
# parsed (presumably via /etc/services).
$services_tcp = { http, https }
$services_udp = { domain, ntp }
# ICMP application-level gateway so ICMP related to the translated sessions
# below is handled by NAT as well.
alg "icmp"
# Inbound NAT ("<-"): traffic arriving on $ext_if ports 80/443 is redirected to
# services bound on the loopback address.
# NOTE(review): verify that the "external" pass rules for $services_tcp still
# match once the destination has been rewritten to 127.0.0.1 — the outcome
# depends on whether inbound NAT runs before or after rule inspection; if the
# rules do not match post-translation, the redirected traffic ends in the
# default group's logged block.
map $ext_if dynamic 127.0.0.1 port 80 <- $ext_if port 80
map $ext_if dynamic 127.0.0.1 port 443 <- $ext_if port 443
# NOTE(review): $localnet (group "local") and $vlannet (group "internal") are
# used below but not defined anywhere in this file — TODO confirm they are
# defined elsewhere, otherwise the ruleset will be rejected at load time.
# Rule procedure attached with 'apply "log"': packets matched by such a rule
# are copied to the npflog0 pseudo-interface, where they can be captured
# (e.g. with tcpdump). Used on the ssh pass rules and the default block.
procedure "log" {
# Note: npf_ext_log kernel module should be loaded, if not built-in.
# Also, the interface created, e.g.: ifconfig npflog0 create
log: npflog0
}
# Internet-facing interface. Every rule here is "final", so the first matching
# rule decides; packets matching nothing fall through to group "default"
# (blocked and logged).
group "external" on $ext_if {
# Outbound: allow everything, with state so the replies are admitted inbound.
pass stateful out final all
# Both deny-lists are evaluated before any inbound pass rule, so a listed
# source is cut off from ssh and the published services alike.
block in final from <blacklist>
block in final from <fail2ban>
# ssh is reachable from any IPv4 source; each new connection is logged via
# npflog0. Exposure is bounded only by the two tables above, so the agent
# feeding <fail2ban> is part of the control here.
pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
# Published services (see $services_tcp / $services_udp at the top).
pass stateful in final proto tcp to $ext_if port $services_tcp
pass stateful in final proto udp to $ext_if port $services_udp
}
# "local" segment. The non-final "block in all" is the last-match fallback:
# anything inbound that none of the final rules below accept is dropped.
group "local" on $local_if {
block in all
# Sources added to <limited> at runtime are rejected before any pass rule.
block in final from <limited>
# ssh to this host from the local segment, stateful and logged.
pass stateful in final family inet4 proto tcp to $local_if port ssh apply "log"
# Non-stateful: replies depend on the unconditional "pass out final all" below.
# NOTE(review): $localnet is not defined in this file — confirm it is defined
# elsewhere; if not, the ruleset will not load.
pass in final from $localnet
pass out final all
}
# "internal" segment, same shape as group "local": non-final "block in all"
# is the fallback, the final rules below carve out what is accepted.
group "internal" on $int_if {
block in all
# Sources added to <limited> at runtime are rejected before any pass rule.
block in final from <limited>
# Ingress filtering as per BCP 38 / RFC 2827.
# Only packets whose source is inside $vlannet are accepted; anything with a
# spoofed or foreign source hits the "block in all" fallback above.
# NOTE(review): $vlannet is not defined in this file — confirm it is defined
# elsewhere; if not, the ruleset will not load.
pass in final from $vlannet
pass out final all
}
# Catch-all for packets not matched by an interface group above (and for any
# interface without a group): loopback is open, everything else is blocked
# and logged through npflog0. Note that "block all" is not final, so the
# final loopback pass takes precedence where both match.
group default {
pass final on lo0 all
block all apply "log"
}