Source-Changes-HG archive


[src/trunk]: src/share/examples/npf Rename the block table to something else ...



details:   https://anonhg.NetBSD.org/src/rev/b03baf8ffd0c
branches:  trunk
changeset: 461207:b03baf8ffd0c
user:      sevan <sevan%NetBSD.org@localhost>
date:      Mon Nov 18 22:27:27 2019 +0000

description:
Rename the block table to something else to make it easier to differentiate
between action and name. Use this table as the example for populating by npfctl.

Drop the int-block table; it's quite cumbersome to have a firewall which
needs the internal network lists added on reboot. Use the localnet variable to
indicate which network we should pass in traffic from instead.

diffstat:

 share/examples/npf/soho_gw-npf.conf |  15 +++++++--------
 1 files changed, 7 insertions(+), 8 deletions(-)

diffs (43 lines):

diff -r fd395419847d -r b03baf8ffd0c share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf       Mon Nov 18 22:26:14 2019 +0000
+++ b/share/examples/npf/soho_gw-npf.conf       Mon Nov 18 22:27:27 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.19 2019/09/22 19:51:18 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.20 2019/11/18 22:27:27 sevan Exp $
 #
 # SOHO border
 #
@@ -12,10 +12,9 @@
 
 $int_if = "wm1"
 
-# a table to house e.g. block candidates in
-table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
-# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
-table <int-block> type lpm
+# a "naughty" step^W table to house blocked candidates in
+# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
+table <naughty> type ipset
 
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
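Review bot: the new `<naughty>` table is declared without the `file` clause the old `<block>` table had (`table <block> type ipset file "/usr/share/examples/npf/hashtablefile"`), so entries added with `npfctl table "naughty" add 203.0.113.99` exist only in the running ruleset and are gone after a reload or reboot; since the commit message drops `<int-block>` for exactly that reason, the comment on this table should state that it is runtime-only (or keep a `file` backing) so readers of the example know which behaviour they are getting. Also consider dropping the `step^W` joke from the comment, since `^W` reads as literal text in a config file.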
@@ -39,8 +38,8 @@
        # Allow all outbound traffic
        pass stateful out all
 
-       # Block inbound traffic from those on the block table 
-       block in from <block>
+       # Block inbound traffic from those on the naughty table 
+       block in from <naughty>
 
        # Placeholder for blacklistd (configuration separate) to add blocked hosts
        ruleset "blacklistd"
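Review bot: the replaced comment line `# Block inbound traffic from those on the naughty table ` keeps the trailing whitespace of the line it replaces; trim it while the line is being touched. The rule itself, `block in from <naughty>`, correctly follows the renamed table.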
@@ -61,7 +60,7 @@
 
 group "internal" on $int_if {
        # Allow inbound traffic from LAN
-       pass in from <int-block>
+       pass in from $localnet
 
        # All outbound traffic to LAN
        pass out all
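Review bot: `pass in from $localnet` relies on a `$localnet` variable that is neither defined nor shown as context anywhere in this diff; confirm it is declared in the unchanged part of the file (next to `$int_if = "wm1"`), since an undefined variable will make npfctl reject the example configuration. Note also that `$localnet` replaces an lpm table that could hold several prefixes, so if more than one internal network is needed, `$localnet` has to be a list.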
