If anyone has used npf, can you look at my rules and give any advice? I've tried to translate my ipf rules to npf for the external, internal, and DMZ interfaces, allowing HTTP/S and SMTP.
Code:
# Interface definitions: inet4(...) selects the interface's IPv4 address(es).
$ext_if = { inet4(re0) }
$int_if = { inet4(axe0) }
$dmz_if = { inet4(upf0) }
# NOTE(review): neither table is referenced by any rule below, so the blacklist
# file and the dynamic "limited" table have no effect until a rule matches on
# <blacklist> / <limited>.
table <blacklist> type hash file "/etc/npf_blacklist"
table <limited> type tree dynamic
# NOTE(review): $services_tcp, $services_udp and $localnet are also unused; the
# groups below spell ports and networks out literally. https and domain appear
# here, but no rule below passes or forwards either of them.
$services_tcp = { http, https, smtp, domain }
$services_udp = { domain }
$localnet = { 192.168.1.0/24 }
# ICMP ALG for NAT. Note that no rule below passes ICMP on any interface.
alg "icmp"
# Outbound NAT: both the LAN (192.168.1.0/24) and the DMZ (192.168.2.0/24) are
# translated to the external address.
map $ext_if dynamic 192.168.1.0/24 -> $ext_if
map $ext_if dynamic 192.168.2.0/24 -> $ext_if
# Inbound NAT (port forwards) for SMTP (25) and HTTP (80).
# NOTE(review): these forward to 192.168.1.122/.126, but every pass rule in the
# "external" and "dmz" groups names 192.168.2.122/.126 — one of the two is
# wrong; confirm which network the mail and web hosts are actually on.
# NOTE(review): the "<- $int_if" / "<- $dmz_if" variants are attached to
# $ext_if yet match the internal/DMZ interface addresses as destination; it is
# unclear what traffic arriving on re0 would carry those destinations. Verify
# against npf.conf(5) that this does what was intended.
map $ext_if dynamic 192.168.1.122 port 25 <- $ext_if
map $ext_if dynamic 192.168.1.126 port 80 <- $ext_if
map $ext_if dynamic 192.168.1.122 port 25 <- $int_if
map $ext_if dynamic 192.168.1.126 port 80 <- $int_if
map $ext_if dynamic 192.168.1.122 port 25 <- $dmz_if
map $ext_if dynamic 192.168.1.126 port 80 <- $dmz_if
# Logging procedure: a rule carrying `apply "log"` would log to npflog0.
# NOTE(review): no rule in this file applies it, so nothing is ever logged.
procedure "log" {
log: npflog0
}
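# External (Internet-facing) interface.
# NPF evaluates rules in order and the last matching rule wins, unless a rule
# is marked "final", which stops evaluation on match. Every pass rule in this
# group therefore needs "final", otherwise the closing "block ... all" rule
# matches last and overrides it.
group "external" on $ext_if {
# Outbound: drop traffic to private/bogon destinations, then let NAT'd traffic
# originating from the LAN and the DMZ out.
block out final to 192.168.0.0/16
block out final to 172.16.0.0/12
block out final to 127.0.0.0/8
block out final to 10.0.0.0/8
block out final to 0.0.0.0/8
block out final to 169.254.0.0/16
block out final to 192.0.2.0/24
block out final to 204.152.64.0/23
block out final to 224.0.0.0/3
pass stateful out final proto tcp from 192.168.1.0/24
pass stateful out final proto udp from 192.168.1.0/24
pass stateful out final proto tcp from 192.168.2.0/24
pass stateful out final proto udp from 192.168.2.0/24
block out final all
# Inbound anti-spoofing: drop packets claiming private/bogon sources, and
# anything addressed to the public network/broadcast addresses.
block in final from 192.168.0.0/16
block in final from 172.16.0.0/12
block in final from 10.0.0.0/8
block in final from 127.0.0.0/8
block in final from 0.0.0.0/8
block in final from 169.254.0.0/16
block in final from 192.0.2.0/24
block in final from 224.0.0.0/3
block in final to 5.5.5.0/32
block in final to 5.5.5.255/32
# Inbound services: HTTP and SMTP, TCP only (neither protocol uses UDP, so the
# former "proto udp" rules for ports 80 and 25 only widened the exposed
# surface and were dropped).
# Fix: these rules were missing "final", so "block in final all" below matched
# last and silently blocked every inbound HTTP/SMTP connection.
# NOTE(review): whether the filter sees the public 5.5.5.5 or the translated
# 192.168.2.x address depends on where NPF applies inbound NAT relative to
# filtering; both forms are kept until that is confirmed against npf.conf(5).
# The map rules above forward to 192.168.1.x, not 192.168.2.x — verify which.
# NOTE(review): the post asks for "http/s", but nothing forwards or passes 443.
pass stateful in final proto tcp to 5.5.5.5/32 port 80
pass stateful in final proto tcp to 192.168.2.126 port 80
pass stateful in final proto tcp to 5.5.5.5/32 port 25
pass stateful in final proto tcp to 192.168.2.122/32 port 25
block in final all
}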
# Internal (LAN) interface.
group "internal" on $int_if {
# Nothing may be initiated toward the LAN; replies to LAN-initiated sessions
# are presumably handled by the state created by the stateful rules below.
# NOTE(review): if the mail/web hosts really are on 192.168.1.x (as the map
# rules say) rather than in the DMZ, the forwarded inbound connections are
# dropped right here — confirm where those hosts live.
block out final all
# Anti-spoofing on the LAN side, including our own public address.
block in final from 172.16.0.0/12
block in final from 10.0.0.0/8
block in final from 127.0.0.0/8
block in final from 0.0.0.0/8
block in final from 169.254.0.0/16
block in final from 192.0.2.0/24
block in final from 204.152.64.0/23
block in final from 224.0.0.0/3
block in final from 5.5.5.5/32
block in final to 5.5.5.0/32
block in final to 5.5.5.255/32
# LAN hosts may initiate any TCP/UDP traffic; other protocols (e.g. ICMP) fall
# through to the catch-all block below.
pass stateful in final proto tcp from 192.168.1.0/24
pass stateful in final proto udp from 192.168.1.0/24
block in final all
}
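# DMZ interface (192.168.2.0/24).
group "dmz" on $dmz_if {
# LAN -> DMZ is allowed for TCP/UDP.
pass stateful out final proto tcp from 192.168.1.0/24 to 192.168.2.0/24
pass stateful out final proto udp from 192.168.1.0/24 to 192.168.2.0/24
# Forwarded Internet traffic to the DMZ web and mail hosts, TCP only (HTTP and
# SMTP do not use UDP; the former "proto udp" rules were dropped).
# Fix: these rules were placed after "block out final to 192.168.0.0/16".
# That rule is "final" and the DMZ lies inside 192.168.0.0/16, so it matched
# first and the pass rules were unreachable — forwarded HTTP/SMTP never
# reached the DMZ. They must precede the bogon blocks.
# NOTE(review): the map rules forward to 192.168.1.122/.126, not the
# 192.168.2.x addresses used here; confirm which is right.
pass stateful out final proto tcp to 192.168.2.126 port 80
pass stateful out final proto tcp to 192.168.2.122 port 25
# Everything else toward private/bogon destinations is dropped, then any other
# outbound traffic.
block out final to 192.168.0.0/16
block out final to 172.16.0.0/12
block out final to 127.0.0.0/8
block out final to 10.0.0.0/8
block out final to 0.0.0.0/8
block out final to 169.254.0.0/16
block out final to 192.0.2.0/24
block out final to 204.152.64.0/23
block out final to 224.0.0.0/3
block out final all
# Anti-spoofing from the DMZ side. 192.0.2.0/24 and our own public address
# were added so this list matches the "internal" group's.
block in final from 172.16.0.0/12
block in final from 10.0.0.0/8
block in final from 127.0.0.0/8
block in final from 0.0.0.0/8
block in final from 169.254.0.0/16
block in final from 192.0.2.0/24
block in final from 204.152.64.0/23
block in final from 224.0.0.0/3
block in final from 5.5.5.5/32
block in final to 5.5.5.0/32
block in final to 5.5.5.255/32
# DMZ hosts may initiate TCP/UDP anywhere; the "internal" group's
# "block out final all" is what keeps them off the LAN.
pass stateful in final proto tcp from 192.168.2.0/24
pass stateful in final proto udp from 192.168.2.0/24
block in final all
}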
# Fallback for packets not handled by an interface group: loopback is
# unrestricted, everything else is dropped.
group default {
pass final on lo0 all
block all
}