My annotated NPF config for workstation usage
Given the almost total lack of example NPF configurations around, the significant source changes and features introduced (with regard to the firewall) during the transition towards 9.0, as well as the recent official deprecation of the old and unmaintained PF port (which many users still seemed to resort to, largely due, I suppose, to the broad availability of old user-friendly tutorials for OpenBSD)... I thought I might as well share my /etc/npf.conf (the same I had shared a few months ago on an NPF thread on the SDF.org BBS; some of you might have come across it already).
So, here it is:

Code:
```
# Associate a dynamic list of IPs, both IPv4 and IPv6, to the default interface
$int_if = ifaddrs(usmsc0)

# Enable Just-In-Time compilation of filter programs sent to the bpf(4) node
set bpf.jit on;

# Variable $LAN represents the range of IPs for the local network
$LAN = { 192.168.1.1/24 }

# Static public IPv4 address
$PUB_IP = { x.x.x.x }

# Translate public IP to local network
map $int_if dynamic $LAN <- $PUB_IP

# Introduce container lists for blacklisted IPs
table <blacklist> type ipset file "/etc/npf_blacklist"
table <suspicious> type lpm

# Introduce 2 variables to list opened TCP and UDP ports
$services_tcp = { http, https, smtp, domain, submission }
$services_udp = { domain, ntp, 6000, 51413 }

# Load ICMP application-level gateway
alg "icmp"

# Introduce a pseudo-device for logging events
procedure "log" {
	log: npflog0
}

# Introduce a set of 'normalization' options
procedure "norm" {
	normalize: "random-id", "min-ttl" 512, "max-mss" 1432, "no-df"
}

group default {
	# Pass everything on loop interface
	pass final on lo0 all

	# Block and release ports on demand to avoid DoS abuse,
	# according to blacklistd(8) policies
	ruleset "blacklistd-wifi"

	# Block blacklisted IPs
	block in final from <blacklist>

	# Block IPs marked as 'suspicious'
	block in final from <suspicious>

	# Allow all outgoing traffic
	pass stateful out final all

	# Only allow selected ICMP types
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all

	# Allow DHCP requests (the third rule covers offers sent to the broadcast address)
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc

	# Allow incoming TCP/UDP packets on selected ports, applying the "norm" procedure
	pass stateful in final proto tcp to $int_if port $services_tcp apply "norm"
	pass stateful in final proto udp to $int_if port $services_udp apply "norm"

	# Allow DNS/SSH/FTP/MPD/TigerVNC connections on LAN and log them
	pass stateful in final proto tcp from $LAN to $int_if port ftp apply "log"
	pass stateful in final proto tcp from $LAN to $int_if port ssh apply "log"
	pass stateful in final proto udp from $LAN to $int_if port nameserver apply "log"
	pass stateful in final proto tcp from $LAN to $int_if port nameserver apply "log"
	pass stateful in final proto tcp from $LAN to $int_if port 6600 apply "log"
	pass stateful in final proto tcp from $LAN to $int_if port 5901 apply "log"

	# Allow Traceroute
	pass stateful in final proto udp to $int_if port 33434-33600

	# Allow Mosh server
	pass stateful in final proto udp from $LAN to $int_if port 60001-60099

	# FTP PSV on safer ports
	pass stateful in final proto tcp from $LAN to $int_if port 65525-65535

	# Enable CARP, to avoid spurious failovers.
	pass proto carp all

	# Reject everything else
	block return-rst in final proto tcp all apply "log"
	block return-icmp in final proto udp all apply "log"
	block return in final all apply "log"
}
```

Code:
```
# service            type   proto owner   name  nfail disable
[local]
ssh                  stream tcp   root    -wifi 3     48h
ftp                  stream tcp   root    -wifi 3     24h
http                 stream tcp   root    -wifi 3     24h
https                stream tcp   root    -wifi 3     24h
domain               dgram  udp   named   -wifi 3     12h
smtp                 stream tcp   postfix -wifi 3     24h
submission           stream tcp   postfix -wifi 3     24h
[remote]
192.168.1.0/24:ftp   stream tcp   root    -wifi 9     =
192.168.1.0/24:ssh   stream tcp   root    -wifi 9     =
```

As an amateur, I don't expect this configuration to be devoid of mistakes and gross misconceptions, so I'm definitely open to suggestions and fixes. Rather, it would be lovely, and greatly appreciated, if any of you shared their npf.conf too below. Thanks in advance, and cheers!

Reference:
- npf.conf(5)
- NPF Documentation
- blacklistd.conf(5)
__________________
"My house will have two legs and my dreams will have no borders"
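As an added example (not code from the post or from NetBSD), here is a small Python checker for the pairing shown in the post: it parses blacklistd.conf entries the way blacklistd.conf(5) describes them (a name starting with "-" gets the default rulename "blacklistd" prepended, so "-wifi" becomes "blacklistd-wifi"; "=" in a [remote] entry inherits the matching [local] value; a bare disable number is seconds, with m/h/d suffixes) and then confirms that every ruleset name blacklistd would use is actually declared by a `ruleset` line in npf.conf, since without that line the dynamic blocks have nowhere to go. The two config samples inside the block are constructed from the post's values.

```python
import re
BLACKLISTD_CONF = """\
# constructed sample: service type proto owner name nfail disable
[local]
ssh    stream tcp root  -wifi 3 48h
ftp    stream tcp root  -wifi 3 24h
domain dgram  udp named -wifi 3 12h
[remote]
192.168.1.0/24:ftp stream tcp root -wifi 9 =
192.168.1.0/24:ssh stream tcp root -wifi 9 =
"""
NPF_CONF = 'group default {\n\truleset "blacklistd-wifi"\n}\n'  # constructed fragment
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # disable suffixes; bare number = seconds

def parse_disable(value):
    """Block duration in seconds; '*' is returned as None."""
    if value == "*":
        return None
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad disable value: {value}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_blacklistd(text):
    """Return {'local': {...}, 'remote': {...}} keyed by the first column. A name
    starting with '-' gets the default rulename 'blacklistd' prepended, so '-wifi'
    selects the npf ruleset "blacklistd-wifi"; '=' inherits the [local] value."""
    sections, section = {"local": {}, "remote": {}}, "local"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line in ("[local]", "[remote]"):
            section = line[1:-1]
            continue
        loc, typ, proto, owner, name, nfail, disable = line.split()
        base = sections["local"].get(loc.rsplit(":", 1)[-1], {})  # address:port -> port
        sections[section][loc] = {
            "type": typ, "proto": proto, "owner": owner,
            "name": "blacklistd" + name if name.startswith("-") else name,
            "nfail": base["nfail"] if nfail == "=" else (None if nfail == "*" else int(nfail)),
            "disable": base["disable"] if disable == "=" else parse_disable(disable),
        }
    return sections

def missing_rulesets(blacklistd, npf_text):
    """Ruleset names blacklistd would need that the npf.conf text never declares."""
    declared = set(re.findall(r'ruleset\s+"([^"]+)"', npf_text))
    wanted = {e["name"] for sec in blacklistd.values() for e in sec.values()}
    return sorted(wanted - declared)
```

Running `missing_rulesets(parse_blacklistd(BLACKLISTD_CONF), NPF_CONF)` on the sample returns an empty list; renaming either side's "blacklistd-wifi" makes the mismatch show up before it is deployed.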