
[src/trunk]: src/share/examples/npf Add descriptions for all rules and make u...



details:   https://anonhg.NetBSD.org/src/rev/1f42e62517ed
branches:  trunk
changeset: 459697:1f42e62517ed
user:      sevan <sevan%NetBSD.org@localhost>
date:      Sat Sep 21 20:41:52 2019 +0000

description:
Add descriptions for all rules and make use of localnet variable in place of direct IP address

diffstat:

 share/examples/npf/soho_gw-npf.conf |  24 +++++++++++++++++++++---
 1 files changed, 21 insertions(+), 3 deletions(-)

diffs (65 lines):

diff -r 08ebb295da72 -r 1f42e62517ed share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf       Sat Sep 21 20:35:52 2019 +0000
+++ b/share/examples/npf/soho_gw-npf.conf       Sat Sep 21 20:41:52 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.14 2019/09/21 20:35:52 sevan Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.15 2019/09/21 20:41:52 sevan Exp $
 #
 # SOHO border
 #
@@ -24,23 +24,32 @@
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
+map $ext_if dynamic $localnet -> $ext_v4
 
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
 map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
 
 procedure "log" {
+       # Send log events to npflog0, see npfd(8)
        log: npflog0
 }
 
 group "external" on $ext_if {
+       # Allow all outbound traffic
        pass stateful out all
 
+       # Block inbound traffic from those on the block table 
        block in from <block>
+
+       # Allow SSH on wired interface and log all connection attempts
        pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
                apply "log"
+
+       # Allow inbound traffic for services hosted on TCP
        pass stateful in proto tcp to $ext_addrs port $services_tcp
+
+       # Allow inbound traffic for services hosted on TCP
        pass stateful in proto udp to $ext_addrs port $services_udp
 
        # Passive FTP
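Review bot: The comment added above the UDP rule (`pass stateful in proto udp to $ext_addrs port $services_udp`) is a copy of the TCP one and says "services hosted on TCP"; it should read `# Allow inbound traffic for services hosted on UDP`. The SSH comment says "wired interface", but the rule sits in `group "external" on $ext_if` and matches `to $ext_v4`, so `# Allow SSH to the external IPv4 address and log all connection attempts` describes it more accurately. The block-table comment line also carries trailing whitespace. The group body continues past the hunk.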
@@ -50,11 +59,20 @@
 }
 
 group "internal" on $int_if {
+       # Allow inbound traffic from LAN
        pass in from <int-block>
+
+       # All outbound traffic to LAN
        pass out all
 }
 
 group default {
+       # Default deny, otherwise last matching rule wins
+       block all apply "log"
+
+       # Don't block loopback
        pass on lo0 all
-       block all
+
+       # Allow incoming IPv4 pings
+       pass in family inet4 proto icmp icmp-type echo all
 }
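Review bot: The comment on the moved rule, `# Default deny, otherwise last matching rule wins`, does not explain why the block rule now comes first; something like `# Default deny first: NPF uses last-match-wins, so the pass rules below override it` makes the ordering dependency explicit for anyone reordering the group later. The `pass out all` comment in the internal group is missing its verb and should read `# Allow all outbound traffic to LAN`. Since the ICMP echo rule lives in `group default`, it applies on every interface including `$ext_if`, which is worth stating in its comment so the exposure is a documented choice rather than an accident. Likewise `block all apply "log"` logs every packet dropped by the default group, which may be noisier than the previous unlogged `block all`; a short comment noting that would help operators expecting the old behaviour.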


