DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD General

NetBSD General Other questions regarding NetBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 17th February 2013
gpatrick gpatrick is offline
Shell Scout
 
Join Date: Nov 2009
Posts: 115
Thanked 0 Times in 0 Posts
Default npf

I've read the man page and the soho-gw example but am unsure of my configuration for npf. There isn't much out there, but I'm intrigued with the design. If somebody has experience or more knowledge with npf would you comment of my npf.conf and make suggestions for improvement?

I will have three interfaces, external, dmz for web and email, and an internal lan.

Code:
# Macros
$ext_if = "bge0"
$int_if = "bge1"
$dmz_if = "bge2"
$ext_v4 = inet4(bge0)
$ext_addrs = { ifnet(bge0) }
$services_tcp = { http, https, smtp, domain }
$services_udp = { domain }
 
# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = {192.168.1.10, 192.168.1.15, 192.168.1.20 192.168.1.21 192.168.1.22}
# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = {192.168.2.21/32, 192.168.2.22/32, 192.168.2.23/32, 192.168.2.26/32, 192.168.2.27/32, 192.168.2.28/32}
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = { 192.168.2.21/32 }
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = { 192.168.2.22/32 }
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = { 192.168.2.23/32 }
 
# Tables
table <1> type tree file "/etc/blockedipsbycountry"
table <2> type tree file "/etc/rfc1918"
 
map $ext_if dynamic 192.168.1.0/24 -> $ext_v4
map $ext_if dynamic 192.168.2.0/24 -> $ext_v4
map $ext_if dynamic $dmz_www port 80 <- $ext_v4 port 80
map $ext_if dynamic $dmz_smtp port 25 <- $ext_v4 port 25
map $ext_if dynamic $dmz_dns port 53 <- $ext_v4 port 53
 
procedure "log" {
 log: npflog0
 normalise: "random-id", "min-ttl" 64
}
 
procedure "rid" {
     normalise: ( "random-id", "min-ttl 64", "max-mss 1440", "no-df" )
}
 
group (name "external", interface $ext_if) {
        pass stateful out final all
 block in quick from <1>
        block in quick from <2>
 block out quick from <2>
 block return-rst out on $ext_if proto tcp all
 block return-rst  in on $ext_if proto tcp all
 block return-icmp out on $ext_if proto udp all
 block return-icmp  in on $ext_if proto udp all
 pass stateful in final proto tcp to $ext_addrs port $services_tcp
 pass stateful in final proto udp to $ext_addrs port $services_udp
}
 
group (name "internal", interface $int_if) {
 block in all
 pass out final all
}
 
group (name "dmz", interface $dmz_if) {
 block in all
 pass stateful out final all
 pass stateful in final proto tcp from $ext_addr port $services_tcp
 pass stateful in final proto tcp from $int_if port $services_tcp
}
 
group (default) {
 pass final on lo0 all
 block all apply "log"
}
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:55 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick