Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

# $NetBSD: l2tp_gw-npf.conf,v 1.6 2016/02/06 20:19:28 riastradh Exp $
#
# ex0 - (internal) network interface
#	192.0.2.254/24
# hme0 - (external) connection to Peer
#	198.51.100.142/24

$int_if = "ex0"
$ext_if = "hme0"

$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }

alg "icmp"

#
# NAT for all.
#
map $ext_if dynamic 192.0.2.0/24 -> inet4($ext_if)

#table <1> type tree file "/etc/npf_problem_sites"

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	#
	# Allow DHCP requests (even to reserved addresses).
	#
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass in final proto udp from any port bootps to 255.255.255.255 port bootpc
	#
	# Allow DNS queries
	#
	pass stateful out final proto udp to any port domain

	# Problem sites.
	#block in final from <1> apply "log"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	block in final from $private_addr apply "log"
	block out final to $private_addr apply "log"
	#
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	block in final proto tcp to 192.0.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall.
	#
	block in final from 127.0.0.1 apply "log"

	#
	# L2TP/IPSEC-NAT-T Tunnels.
	#
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	#
	# Pass multicast.
	# IGMP uses 224.0.0.1.
	#
	pass in final proto igmp all
	pass in final from any to 224.0.0.0/4

	#
	# Pass established connections.
	#
	pass in final proto tcp flags A/A all
	pass in final proto tcp flags R/R all
	#
	# VNC
	#
	pass in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass in final proto tcp from any to <A>/<M> port http

	#
	# Services on localhost.
	#
	#pass in final proto udp from any port ntp
	#pass in final to any port imap
	#pass in final to any port domain
	#pass in final proto tcp to any port smtp
	#pass in final proto tcp to any port auth
	#pass in final proto tcp to any port ssh
	#pass in final proto tcp to any port bgp
	#pass in final proto tcp to any port ftp
	#pass in final proto tcp to any port "ftp-data"
	#pass in final proto udp to any port isakmp
	#pass in final proto udp to any port 8001
	#pass in final proto tcp to inet4($ext_if) port www

	#
	# Handle traceroute gracefully for up-to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	#
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	block return-rst in final proto tcp flags S/SA all apply "log"
}

group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are nat'ed.
	pass final all
}

group default {
	# Loopback interface should allows packets to traverse it.
	pass final on lo0 all
	# For one L2TP tunnel, needs interface pre-created, post-destroyed
	pass final on ppp0 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}