DaemonForums  

Go Back   DaemonForums > NetBSD > NetBSD Security

NetBSD Security Securing NetBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th October 2015
gpatrick gpatrick is offline
Package Pilot
 
Join Date: Nov 2009
Posts: 192
Default npf firewall

If anyone has used npf, can you look at my rules and give any advice? I've tried to translate from ipf to npf for external, internal, and dmz interfaces for http/s and smtp.

Code:
$ext_if = { inet4(re0) }
$int_if = { inet4(axe0) }
$dmz_if = { inet4(upf0) }

table <blacklist> type hash file "/etc/npf_blacklist"
table <limited> type tree dynamic

$services_tcp = { http, https, smtp, domain }
$services_udp = { domain }
$localnet = { 192.168.1.0/24 }

alg "icmp"

map $ext_if dynamic 192.168.1.0/24 -> $ext_if
map $ext_if dynamic 192.168.2.0/24 -> $ext_if

map $ext_if dynamic 192.168.1.122 port 25 <- $ext_if
map $ext_if dynamic 192.168.1.126 port 80 <- $ext_if

map $ext_if dynamic 192.168.1.122 port 25 <- $int_if
map $ext_if dynamic 192.168.1.126 port 80 <- $int_if

map $ext_if dynamic 192.168.1.122 port 25 <- $dmz_if
map $ext_if dynamic 192.168.1.126 port 80 <- $dmz_if

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
 	block out final to 192.168.0.0/16
	block out final to 172.16.0.0/12
	block out final to 127.0.0.0/8
	block out final to 10.0.0.0/8
	block out final to 0.0.0.0/8
	block out final to 169.254.0.0/16
	block out final to 192.0.2.0/24
	block out final to 204.152.64.0/23 
	block out final to 224.0.0.0/3
	pass stateful out final proto tcp from 192.168.1.0/24 
	pass stateful out final proto udp from 192.168.1.0/24
	pass stateful out final proto tcp from 192.168.2.0/24
	pass stateful out final proto udp from 192.168.2.0/24
	block out final all
	block in final from 192.168.0.0/16
	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 192.0.2.0/24 
	block in final from 224.0.0.0/3 
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in proto tcp to 5.5.5.5/32 port 80 
	pass stateful in proto udp to 5.5.5.5/32 port 80 
	pass stateful in proto tcp to 192.168.2.126 port 80
	pass stateful in proto udp to 192.168.2.126 port 80
	pass stateful in proto tcp to 5.5.5.5/32 port 25
	pass stateful in proto udp to 5.5.5.5/32 port 25
	pass stateful in proto tcp to 192.168.2.122/32 port 25
	pass stateful in proto udp to 192.168.2.122/32 port 25
	block in final all
}

group "internal" on $int_if {
	block out final all
 	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 192.0.2.0/24 
	block in final from 204.152.64.0/23 
	block in final from 224.0.0.0/3 
	block in final from 5.5.5.5/32 	
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in final proto tcp from 192.168.1.0/24 
	pass stateful in final proto udp from 192.168.1.0/24 
	block in final all
}

group "dmz" on $dmz_if {
	pass stateful out final proto tcp from 192.168.1.0/24 to 192.168.2.0/24
	pass stateful out final proto udp from 192.168.1.0/24 to 192.168.2.0/24
	block out final to 192.168.0.0/16
	block out final to 172.16.0.0/12
	block out final to 127.0.0.0/8
	block out final to 10.0.0.0/8 
	block out final to 0.0.0.0/8
	block out final to 169.254.0.0/16
	block out final to 192.0.2.0/24
	block out final to 204.152.64.0/23
	block out final to 224.0.0.0/3
	pass stateful out final proto tcp to 192.168.2.126 port 80
	pass stateful out final proto udp to 192.168.2.126 port 80
	pass stateful out final proto tcp to 192.168.2.122 port 25
	pass stateful out final proto udp to 192.168.2.122 port 25
	block out final all
	block in final from 172.16.0.0/12 
	block in final from 10.0.0.0/8 
	block in final from 127.0.0.0/8 
	block in final from 0.0.0.0/8 
	block in final from 169.254.0.0/16 
	block in final from 204.152.64.0/23 
	block in final from 224.0.0.0/3 
	block in final to 5.5.5.0/32
	block in final to 5.5.5.255/32
	pass stateful in final proto tcp from 192.168.2.0/24 
	pass stateful in final proto udp from 192.168.2.0/24 
	block in final all
}

group default {
  	pass final on lo0 all 
	block all
}
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Needs for a firewall milo974 OpenBSD Security 1 31st December 2009 03:00 PM
PF firewall bsdnewbie999 OpenBSD General 3 28th April 2009 12:35 PM
firewall for 2 adsl milo974 OpenBSD General 2 13th October 2008 05:03 PM
Windows Firewall JMJ_coder Other OS 8 20th July 2008 08:22 PM
Web GUI for firewall ? giga FreeBSD General 6 8th May 2008 05:10 AM


All times are GMT. The time now is 10:24 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick