# $NetBSD: host-npf.conf,v 1.8 2014/08/04 22:13:23 szptvlfn Exp $ # # this is an example of NPF rules for a host (i.e., not routing) with # two network interfaces, wired and wifi # # it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6 # it also does IPSEC on the wifi # $wired_if = "wm0" $wired_v4 = { inet4(wm0) } $wired_v6 = { inet6(wm0) } $wifi_if = "iwn0" $wifi_v4 = { inet4(iwn0) } $wifi_v6 = { inet6(iwn0) } $dhcpserver = { 198.51.100.1 } # sample udp service $services_udp = { ntp } # sample mixed service $backupsrv_v4 = { 198.51.100.11 } $backupsrv_v6 = { 2001:0DB8:404::11 } $backup_port = { amanda } # watching a tcpdump of npflog0, when it only logs blocks, # can be very helpful for building the rules you actually need procedure "log" { log: npflog0 } # make a service running on a high port on 127.0.0.1 available on $wired_if # see also the pass rules below map $wired_if dynamic 127.0.0.1 port 8080 <- $wired_v4 port 80 group "wired" on $wired_if { # not being picky about our own address here pass in final family inet6 proto ipv6-icmp all pass out final family inet6 proto ipv6-icmp all pass in final family inet4 proto icmp all pass in final family inet4 proto tcp \ from $dhcpserver port bootps to $wired_v4 port bootpc pass in final family inet4 proto udp \ from $dhcpserver port bootps to $wired_v4 port bootpc pass in final family inet6 proto tcp to $wired_v6 port ssh # the port mapping # Note the filter sees packets before translation pass in final family inet4 proto tcp from any to $wired_v4 port 80 pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any pass in final family inet4 proto tcp flags S/SA \ from $backupsrv_v4 to $wired_v4 port $backup_port pass in final family inet4 proto udp \ from $backupsrv_v4 to $wired_v4 port $backup_port pass in final family inet6 proto tcp flags S/SA \ from $backupsrv_v6 to $wired_v6 port $backup_port pass in final family inet6 proto udp \ from $backupsrv_v6 to $wired_v6 port $backup_port pass stateful in final family inet6 proto udp to $wired_v6 \ port $services_udp pass stateful in final family inet4 proto udp to $wired_v4 \ port $services_udp # only SYN packets need to generate state pass stateful out final family inet6 proto tcp flags S/SA \ from $wired_v6 pass stateful out final family inet4 proto tcp flags S/SA \ from $wired_v4 # pass the other tcp packets without generating extra state pass out final family inet6 proto tcp from $wired_v6 pass out final family inet4 proto tcp from $wired_v4 # all other types of traffic, generate state per packet pass stateful out final family inet6 from $wired_v6 pass stateful out final family inet4 from $wired_v4 } group "wifi" on $wifi_if { # linklocal pass in final family inet6 proto ipv6-icmp to fe80::/10 pass out final family inet6 proto ipv6-icmp from fe80::/10 # administrative multicasts pass in final family inet6 proto ipv6-icmp to ff00::/10 pass out final family inet6 proto ipv6-icmp from ff00::/10 pass in final family inet6 proto ipv6-icmp to $wifi_v6 pass in final family inet4 proto icmp to $wifi_v4 pass in final family inet4 proto tcp \ from any port bootps to $wifi_v4 port bootpc pass in final family inet4 proto udp \ from any port bootps to $wifi_v4 port bootpc pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh pass in final family inet6 proto udp to $wifi_v6 port $services_udp pass in final family inet4 proto udp to $wifi_v4 port $services_udp # IPSEC pass in final family inet6 proto udp to $wifi_v6 port isakmp pass in final family inet4 proto udp to $wifi_v4 port isakmp pass in family inet6 proto esp all pass in family inet4 proto esp all # only SYN packets need to generate state pass stateful out final family inet6 proto tcp flags S/SA \ from $wifi_v6 pass stateful out final family inet4 proto tcp flags S/SA \ from $wifi_v4 # pass the other tcp packets without generating extra state pass out final family inet6 proto tcp from $wifi_v6 pass out final family inet4 proto tcp from $wifi_v4 # all other types of traffic, generate state per packet pass stateful out final family inet6 from $wifi_v6 pass stateful out final family inet4 from $wifi_v4 } group default { pass final on lo0 all block all apply "log" }