Given the almost total lack of example NPF configurations around, the significant source changes made and features introduced (with regard to the firewall) during the transition towards 9.0, as well as the recent official deprecation of the old and unmaintained PF port (which many users still seemed to resort to, largely due, I suppose, to the broad availability of old user-friendly tutorials for OpenBSD)... I thought I might as well share my /etc/npf.conf (the same I had shared a few months ago on an NPF thread on the SDF.org BBS; some of you might have come across it already).
So, here it is:
Code:
# Associate a dynamic list of IPs, both IPv4 and IPv6, with the default
# interface
$int_if = ifaddrs(usmsc0)

# Enable Just-In-Time compilation of filter programs sent to the bpf(4) node
set bpf.jit on;

# Variable $LAN represents the range of IPs for the local network
$LAN = { 192.168.1.1/24 }

# Static public IPv4 address
$PUB_IP = { x.x.x.x }

# Translate public IP to local network
map $int_if dynamic $LAN <- $PUB_IP

# Introduce container lists for blacklisted IPs
table <blacklist> type ipset file "/etc/npf_blacklist"
table <suspicious> type lpm

# Introduce 2 variables to list opened TCP and UDP ports
$services_tcp = { http, https, smtp, domain, submission }
$services_udp = { domain, ntp, 6000, 51413 }

# Load ICMP application-level gateway
alg "icmp"

# Introduce a pseudo-device for logging events
procedure "log" {
    log: npflog0
}

# Introduce a set of 'normalization' options
procedure "norm" {
    normalize: "random-id", "min-ttl" 512, "max-mss" 1432, "no-df"
}

group default {
    # Pass everything on loop interface
    pass final on lo0 all

    # Block and release ports on demand to avoid DoS abuse,
    # according to blacklistd(8) policies
    ruleset "blacklistd-wifi"

    # Block blacklisted IPs
    block in final from <blacklist>
    # Block IPs marked as 'suspicious'
    block in final from <suspicious>

    # Allow all outgoing traffic
    pass stateful out final all

    # Only allow selected ICMP types
    pass in final proto icmp icmp-type timxceed all
    pass in final proto icmp icmp-type unreach all
    pass in final proto icmp icmp-type echoreply all
    pass in final proto icmp icmp-type sourcequench all
    pass in final proto icmp icmp-type paramprob all

    # Allow DHCP requests (255.255.255.255 is the limited broadcast address
    # DHCP replies are sent to before the client has an address)
    pass out final proto udp from any port bootpc to any port bootps
    pass in final proto udp from any port bootps to any port bootpc
    pass in final proto udp from any port bootps to 255.255.255.255 port bootpc

    # Allow incoming TCP/UDP packets on selected ports, applying the
    # "norm" procedure
    pass stateful in final proto tcp to $int_if port $services_tcp apply "norm"
    pass stateful in final proto udp to $int_if port $services_udp apply "norm"

    # Allow DNS/SSH/FTP/MPD/TigerVNC connections on LAN and log them
    # (DNS is service "domain", port 53; "nameserver" is port 42 in
    # /etc/services)
    pass stateful in final proto tcp from $LAN to $int_if port ftp apply "log"
    pass stateful in final proto tcp from $LAN to $int_if port ssh apply "log"
    pass stateful in final proto udp from $LAN to $int_if port domain apply "log"
    pass stateful in final proto tcp from $LAN to $int_if port domain apply "log"
    pass stateful in final proto tcp from $LAN to $int_if port 6600 apply "log"
    pass stateful in final proto tcp from $LAN to $int_if port 5901 apply "log"

    # Allow traceroute
    pass stateful in final proto udp to $int_if port 33434-33600

    # Allow Mosh server
    pass stateful in final proto udp from $LAN to $int_if port 60001-60099

    # FTP passive mode on safer ports
    pass stateful in final proto tcp from $LAN to $int_if port 65525-65535

    # Enable CARP, to avoid spurious failovers
    pass proto carp all

    # Reject everything else
    block return-rst in final proto tcp all apply "log"
    block return-icmp in final proto udp all apply "log"
    block return in final all apply "log"
}
In addition, my /etc/blacklistd.conf:
Code:
# service           type    proto  owner    name   nfail  disable
[local]
ssh                 stream  tcp    root     -wifi  3      48h
ftp                 stream  tcp    root     -wifi  3      24h
http                stream  tcp    root     -wifi  3      24h
https               stream  tcp    root     -wifi  3      24h
domain              dgram   udp    named    -wifi  3      12h
smtp                stream  tcp    postfix  -wifi  3      24h
submission          stream  tcp    postfix  -wifi  3      24h
[remote]
192.168.1.0/24:ftp  stream  tcp    root     -wifi  9      =
192.168.1.0/24:ssh  stream  tcp    root     -wifi  9      =
It's worth stressing that, as opposed to FreeBSD's blacklistd(8) port, which was patched for PF and IPFW, the original NetBSD daemon only works with NPF as a frontend, as it relies on BPF and BPFjit.
As an amateur, I don't expect this configuration to be devoid of mistakes and gross misconceptions, so I'm definitely open to suggestions and fixes. Rather, it would be lovely, and greatly appreciated, if any of you shared your npf.conf too below.
Thanks in advance, and cheers!
### Reference
- npf.conf(5)
- NPF Documentation
- blacklistd.conf(5)
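As an added example (my own code, not part of the original post or of NetBSD's tools), a small Python cross-check of how the two posted files link together: blacklistd(8) inserts its blocks into the dynamic ruleset named in the `name` column, a leading `-` prepending the default name "blacklistd" (so `-wifi` becomes `blacklistd-wifi`), and a `=` in `[remote]` copies the matching `[local]` value, as I read blacklistd.conf(5). The script resolves those and reports any ruleset the npf.conf never declares, which is the mistake that would leave blacklistd silently unable to block; the sample input is constructed from a few of the lines above.

```python
import re
# Constructed sample input: a few lines mirroring the two files posted above.
BLACKLISTD_CONF = """\
[local]
ssh stream tcp root -wifi 3 48h
domain dgram udp named -wifi 3 12h
[remote]
192.168.1.0/24:ssh stream tcp root -wifi 9 =
"""
NPF_CONF = """\
group default {
    ruleset "blacklistd-wifi"
    block in final all
}
"""
FIELDS = ("location", "type", "proto", "owner", "name", "nfail", "disable")

def rule_name(name, default="blacklistd"):
    """blacklistd.conf(5): a leading '-' prepends the default rule name."""
    return default + name if name.startswith("-") else name

def parse_blacklistd(text):
    """Parse entries into dicts; '=' in [remote] copies the [local] value."""
    section, local, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if line.startswith("["):
            section = line.strip("[]")
        elif line:
            entry = dict(zip(FIELDS, line.split()), section=section)
            service = entry["location"].rsplit(":", 1)[-1]  # strip addr/mask
            entry["service"] = service
            if section == "remote" and service in local:
                for key, value in entry.items():
                    if value == "=":
                        entry[key] = local[service][key]
            entry["ruleset"] = rule_name(entry["name"])
            if section == "local":
                local[service] = entry
            entries.append(entry)
    return entries

def declared_rulesets(npf_text):
    """Dynamic ruleset names npf.conf declares with 'ruleset "..."'."""
    return set(re.findall(r'^\s*ruleset\s+"([^"]+)"', npf_text, re.M))

def missing_rulesets(blacklistd_text, npf_text):
    """Rulesets blacklistd would target that npf.conf never declares."""
    needed = {e["ruleset"] for e in parse_blacklistd(blacklistd_text)}
    return sorted(needed - declared_rulesets(npf_text))
```

Run it against the real files by reading `/etc/blacklistd.conf` and `/etc/npf.conf` into the two strings; an empty result from `missing_rulesets` means every `-name` used by blacklistd has a matching `ruleset` line.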