Source-Changes-HG archive


[src/trunk]: src/share/examples/npf Provide a simpler config for a host which...



details:   https://anonhg.NetBSD.org/src/rev/0270cc6d4eab
branches:  trunk
changeset: 450483:0270cc6d4eab
user:      sevan <sevan%NetBSD.org@localhost>
date:      Mon Apr 15 22:38:48 2019 +0000

description:
Provide a simpler config for a host which permits any traffic from the host out,
and a small subset of traffic in (DHCP (v4 and v6), all ICMPv6, ICMP echo
requests, traceroute, mDNS).

diffstat:

 share/examples/npf/host-npf.conf |  155 +++++++++++---------------------------
 1 files changed, 45 insertions(+), 110 deletions(-)

diffs (180 lines):

diff -r cfe6902de54a -r 0270cc6d4eab share/examples/npf/host-npf.conf
--- a/share/examples/npf/host-npf.conf  Mon Apr 15 22:37:13 2019 +0000
+++ b/share/examples/npf/host-npf.conf  Mon Apr 15 22:38:48 2019 +0000
@@ -1,131 +1,66 @@
-# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $
+# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
+#
+# Simple ruleset for a host with (i.e., not routing) two interfaces,
+# ethernet and wifi.
 #
-# this is an example of NPF rules for a host (i.e., not routing) with
-# two network interfaces, wired and wifi
+# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
+# are permitted, inbound, on either interface.
 #
-# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
-# it also does IPSEC on the wifi
+# SSH to the host is allowed in via the ethernet interface.
+# blacklistd(8) is used to prevent SSH bruteforce attempts.
+#
+# No specific rules for the wifi interface.
+#
+# All traffic from the host is permitted, outbound, on either interface.
 #
 
 $wired_if = "wm0"
-$wired_v4 = { inet4(wm0) }
-$wired_v6 = { inet6(wm0) }
-
-$wifi_if = "iwn0"
-$wifi_v4 = { inet4(iwn0) }
-$wifi_v6 = { inet6(iwn0) }
-
-$dhcpserver = { 198.51.100.1 }
-
-# sample udp service
-$services_udp = { ntp }
+$wifi_if  = "iwn0"
+$wired_addrs= ifaddrs(wm0)
+$wifi_addrs = ifaddrs(iwn0)
 
-# sample mixed service
-$backupsrv_v4 = { 198.51.100.11 }
-$backupsrv_v6 = { 2001:0DB8:404::11 }
-$backup_port = { amanda }
+alg "icmp"
 
-# watching a tcpdump of npflog0, when it only logs blocks,
-# can be very helpful for building the rules you actually need
 procedure "log" {
-     log: npflog0
+       log: npflog0
 }
 
-# make a service running on a high port on 127.0.0.1 available on $wired_if
-# see also the pass rules below
-map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80
-
 group "wired" on $wired_if {
-
-       # not being picky about our own address here
-       pass in  final family inet6 proto ipv6-icmp all
-       pass out final family inet6 proto ipv6-icmp all
-       pass in  final family inet4 proto icmp      all
-
-       pass in  final family inet4 proto tcp \
-               from $dhcpserver port bootps to $wired_v4 port bootpc
-       pass in  final family inet4 proto udp \
-               from $dhcpserver port bootps to $wired_v4 port bootpc
-
-       pass in final family inet6 proto tcp to $wired_v6 port ssh
-
-       # the port mapping
-       # Note the filter sees packets before translation
-       pass in  final family inet4 proto tcp from any to $wired_v4 port 80
-       pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any
+# Placeholder for blacklistd (configuration separate) to add blocked hosts
+ruleset "blacklistd"
 
-       pass in final family inet4 proto tcp flags S/SA \
-               from $backupsrv_v4 to $wired_v4 port $backup_port 
-       pass in final family inet4 proto udp \
-               from $backupsrv_v4 to $wired_v4 port $backup_port
-       pass in final family inet6 proto tcp flags S/SA \
-               from $backupsrv_v6 to $wired_v6 port $backup_port 
-       pass in final family inet6 proto udp \
-               from $backupsrv_v6 to $wired_v6 port $backup_port
-
-       pass stateful in final family inet6 proto udp to $wired_v6 \
-               port $services_udp
-       pass stateful in final family inet4 proto udp to $wired_v4 \
-               port $services_udp
-
-       # only SYN packets need to generate state
-       pass stateful out final family inet6 proto tcp flags S/SA \
-               from $wired_v6
-       pass stateful out final family inet4 proto tcp flags S/SA \
-               from $wired_v4
-       # pass the other tcp packets without generating extra state
-       pass out final family inet6 proto tcp from $wired_v6
-       pass out final family inet4 proto tcp from $wired_v4
-
-       # all other types of traffic, generate state per packet
-       pass stateful out final family inet6 from $wired_v6
-       pass stateful out final family inet4 from $wired_v4
+# Allow SSH on wired interface
+pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
 
 }
 
 group "wifi" on $wifi_if {
-       # linklocal
-       pass in  final family inet6 proto ipv6-icmp  to fe80::/10
-       pass out final family inet6 proto ipv6-icmp from fe80::/10
 
-       # administrative multicasts
-       pass in  final family inet6 proto ipv6-icmp  to ff00::/10
-       pass out final family inet6 proto ipv6-icmp from ff00::/10
-
-       pass in  final family inet6 proto ipv6-icmp to $wifi_v6
-       pass in  final family inet4 proto icmp      to $wifi_v4
-
-       pass in  final family inet4 proto tcp \
-               from any port bootps to $wifi_v4 port bootpc
-       pass in  final family inet4 proto udp \
-               from any port bootps to $wifi_v4 port bootpc
-
-        pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 
-
-        pass in final family inet6 proto udp to $wifi_v6 port $services_udp
-        pass in final family inet4 proto udp to $wifi_v4 port $services_udp
-
-       # IPSEC
-       pass in final family inet6 proto udp to $wifi_v6 port isakmp
-       pass in final family inet4 proto udp to $wifi_v4 port isakmp
-       pass in family inet6 proto esp all
-       pass in family inet4 proto esp all
-
-       # only SYN packets need to generate state
-        pass stateful out final family inet6 proto tcp flags S/SA \
-               from $wifi_v6
-        pass stateful out final family inet4 proto tcp flags S/SA \
-               from $wifi_v4
-       # pass the other tcp packets without generating extra state
-        pass out final family inet6 proto tcp from $wifi_v6
-        pass out final family inet4 proto tcp from $wifi_v4
-
-       # all other types of traffic, generate state per packet
-        pass stateful out final family inet6 from $wifi_v6
-        pass stateful out final family inet4 from $wifi_v4
 }
 
 group default {
-       pass final on lo0 all
-       block all apply "log"
+# Default deny, otherwise last matching rule wins
+block all apply "log"
+
+# Don't block loopback
+pass on lo0 all
+
+# Allow incoming DHCP server responses
+pass in family inet4 proto udp from any port bootps to any port bootpc
+pass in family inet6 proto udp from any to any port "dhcpv6-client"
+
+# Allow IPv6 ICMP
+pass family inet6 proto ipv6-icmp all
+
+# Allow incoming IPv4 pings
+pass in family inet4 proto icmp icmp-type echo all
+
+# Allow being tracerouted
+pass in proto udp to any port 33434-33600
+
+# Allow incoming mDNS traffic from neighbours
+pass in proto udp to any port mdns
+
+# Allow all outbound traffic
+pass stateful out all
 }
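Review bot: The new SSH rule in group "wired" (`pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"`) is stateless, unlike the `stateful`/`flags S/SA` form it replaces, so with `apply "log"` every inbound packet of an established SSH session is re-evaluated and logged rather than only the connection setup; `pass stateful in proto tcp flags S/SA to $wired_addrs port ssh apply "log"` would confine logging to new connections and let the state table carry the rest. The `mdns` rule in group default admits unicast UDP to port 5353 from any source to any local address, which is broader than the "from neighbours" comment suggests; restricting the destination to the mDNS multicast groups (224.0.0.251 and ff02::fb) would match the stated intent. The traceroute rule likewise opens UDP 33434-33600 to any listener on the host, not only to closed ports that answer with ICMP unreachable, which deserves a comment. Whether the dynamic rules blacklistd inserts into ruleset "blacklistd" take precedence over the later SSH pass rule depends on them being `final` under last-match semantics; I believe the stock blacklistd helper adds them that way, but that is worth confirming in the comment above the ruleset.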


