Thread: npf firewall
View Single Post
  #1   (View Single Post)  
Old 30th October 2015
gpatrick gpatrick is offline
Spam Deminer
 
Join Date: Nov 2009
Posts: 245
Default npf firewall

If anyone has used npf, can you look at my rules and give any advice? I've tried to translate from ipf to npf for external, internal, and dmz interfaces for http/s and smtp.

Code:
$ext_if = { inet4(re0) }
$int_if = { inet4(axe0) }
$dmz_if = { inet4(upf0) }

table <blacklist> type hash file "/etc/npf_blacklist"
table <limited> type tree dynamic

$services_tcp = { http, https, smtp, domain }
$services_udp = { domain }
$localnet = { 192.168.1.0/24 }

alg "icmp"

map $ext_if dynamic 192.168.1.0/24 -> $ext_if
map $ext_if dynamic 192.168.2.0/24 -> $ext_if

map $ext_if dynamic 192.168.1.122 port 25 <- $ext_if
map $ext_if dynamic 192.168.1.126 port 80 <- $ext_if

map $ext_if dynamic 192.168.1.122 port 25 <- $int_if
map $ext_if dynamic 192.168.1.126 port 80 <- $int_if

map $ext_if dynamic 192.168.1.122 port 25 <- $dmz_if
map $ext_if dynamic 192.168.1.126 port 80 <- $dmz_if

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
 	block out final to 192.168.0.0/16
	block out final to 172.16.0.0/12
	block out final to 127.0.0.0/8
	block out final to 10.0.0.0/8
	block out final to 0.0.0.0/8
	block out final to 169.254.0.0/16
	block out final to 192.0.2.0/24
	block out final to 204.152.64.0/23 
	block out final to 224.0.0.0/3
	pass stateful out final proto tcp from 192.168.1.0/24 
	pass stateful out final proto udp from 192.168.1.0/24
	pass stateful out final proto tcp from 192.168.2.0/24
	pass stateful out final proto udp from 192.168.2.0/24
	block out final all
	block in final from 192.168.0.0/16
	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 192.0.2.0/24 
	block in final from 224.0.0.0/3 
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in proto tcp to 5.5.5.5/32 port 80 
	pass stateful in proto udp to 5.5.5.5/32 port 80 
	pass stateful in proto tcp to 192.168.2.126 port 80
	pass stateful in proto udp to 192.168.2.126 port 80
	pass stateful in proto tcp to 5.5.5.5/32 port 25
	pass stateful in proto udp to 5.5.5.5/32 port 25
	pass stateful in proto tcp to 192.168.2.122/32 port 25
	pass stateful in proto udp to 192.168.2.122/32 port 25
	block in final all
}

group "internal" on $int_if {
	block out final all
 	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 192.0.2.0/24 
	block in final from 204.152.64.0/23 
	block in final from 224.0.0.0/3 
	block in final from 5.5.5.5/32 	
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in final proto tcp from 192.168.1.0/24 
	pass stateful in final proto udp from 192.168.1.0/24 
	block in final all
}

group "dmz" on $dmz_if {
	pass stateful out final proto tcp from 192.168.1.0/24 to 192.168.2.0/24
	pass stateful out final proto udp from 192.168.1.0/24 to 192.168.2.0/24
	block out final to 192.168.0.0/16
	block out final to 172.16.0.0/12
	block out final to 127.0.0.0/8
	block out final to 10.0.0.0/8 
	block out final to 0.0.0.0/8
	block out final to 169.254.0.0/16
	block out final to 192.0.2.0/24
	block out final to 204.152.64.0/23
	block out final to 224.0.0.0/3
	pass stateful out final proto tcp to 192.168.2.126 port 80
	pass stateful out final proto udp to 192.168.2.126 port 80
	pass stateful out final proto tcp to 192.168.2.122 port 25
	pass stateful out final proto udp to 192.168.2.122 port 25
	block out final all
	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 204.152.64.0/23 
	block in final from 224.0.0.0/3 
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in final proto tcp from 192.168.2.0/24 
	pass stateful in final proto udp from 192.168.2.0/24 
	block in final all
}

group default {
  	pass final on lo0 all 
	block all
}
Reply With Quote