# npf.conf -- NPF ruleset for a NAT gateway with one external interface
# ($ext_if) and one internal LAN interface ($int_if).
#
# Rules inside a group are evaluated top to bottom; a rule marked "final"
# ends processing for the packet when it matches, so the order of the
# rules below is significant and should not be changed casually.

# LAN-facing interface (192.168.2.0/24, see the NAT map below).
$int_if = "bge0"
# Internet-facing interface; its IPv4 address is the NAT source
# (inet4($ext_if)).
$ext_if = "sk0"

# Compile rule bytecode with the BPF JIT.
set bpf.jit on;
# ICMP application-level gateway so ICMP messages related to NATed flows
# are translated back to the inside host.
alg "icmp"

# FIXME: "with short" is not yet supported, but we can a) easily add
# an extension for it b) use BPF rule once npfctl grows support.
# *Nasty* packets we don't want to allow near us at all!
# short packets which are packets fragmented too short to be real.
#block in log quick all with short

#
# NAT for all.
#
# Dynamic (masquerading) NAT: LAN sources leaving via $ext_if are rewritten
# to the external interface's IPv4 address.
map $ext_if dynamic 192.168.2.0/24 -> inet4($ext_if)

# Rule procedure referenced by 'apply "log"': copies matching packets to the
# npflog0 pseudo-interface for capture/inspection.
procedure "log" {
	log: npflog0
}

# Internet-facing group. Everything not explicitly passed here falls
# through to the 'block final all' at the end of the group (default deny
# in both directions, logged).
group "external" on $ext_if {
	#
	# OpenVPN greek server
	#
	# Matches on source address and source port only; no proto keyword,
	# so this is not limited to UDP -- NOTE(review): confirm that is
	# intended (see npf.conf(5) for how "port" behaves without "proto").
	pass in final from 176.67.84.178 port 1448

	#
	# Allow DHCP requests (even to reserved addresses).
	#
	# Stateless, so both directions are opened explicitly for v4 and v6.
	pass out final proto udp from any port bootpc to any port bootps
	pass in final proto udp from any port bootps to any port bootpc
	pass out final proto udp from any port "dhcpv6-client" to any port "dhcpv6-server"
	pass in final proto udp from any port "dhcpv6-server" to any port "dhcpv6-client"

	#
	# Allow DNS queries
	#
	# Stateful: replies are admitted by the state entry, not by an
	# inbound rule.
	pass stateful out final proto udp to any port domain

	# Problem sites.
	# Dynamic ruleset filled in at runtime (e.g. by blacklistd(8) through
	# npfctl). It sits ahead of the service "pass" rules further down so
	# that blocks added here take precedence over them; keep it there.
	ruleset "blacklistd"

	#
	# Block IANA-reserved addresses from entering or exiting
	#
	# NOTE(review): only the three RFC 1918 ranges are listed; other
	# non-routable source ranges are not covered by these rules.
	block in final from 10.0.0.0/8 apply "log"
	block in final from 172.16.0.0/12 apply "log"
	block in final from 192.168.0.0/16 apply "log"
	#
	block out final to 10.0.0.0/8 apply "log"
	block out final to 172.16.0.0/12 apply "log"
	block out final to 192.168.0.0/16 apply "log"
	#
	# All outbound TCP/UDP/ICMP/ICMPv6 is allowed with state, so return
	# traffic for connections initiated from this side needs no inbound
	# pass rule.
	pass stateful out final proto tcp all
	pass stateful out final proto udp all
	pass stateful out final proto icmp all
	pass stateful out final proto ipv6-icmp all

	#
	# Block traffic to broadcast addresses
	#
	# NOTE(review): TCP only; UDP sent to the broadcast address is not
	# matched by this rule.
	block in final proto tcp to 192.168.2.255 apply "log"

	#
	# Prevent IP spoofing attacks on the firewall.
	#
	# NOTE(review): only the single address 127.0.0.1 is listed, not the
	# whole 127.0.0.0/8 range (nor ::1). Packets arriving with a LAN
	# source address are already dropped by the RFC 1918 rules above.
	block in final from 127.0.0.1 apply "log"

	#
	# Tunnels.
	#
	# ESP is passed stateless in both directions (IKE/isakmp is passed
	# further down). NAT-T and L2TP to the firewall's own address are
	# stateful; neither rule names a proto -- NOTE(review): confirm the
	# intended protocol (UDP) is what actually matches.
	pass in final proto esp from any to inet4($ext_if)
	pass out final proto esp from inet4($ext_if) to any
	pass stateful in final from any to inet4($ext_if) port "ipsec-nat-t"
	pass stateful in final from any to inet4($ext_if) port l2tp

	# Pass multicast.
	# IGMP uses 224.0.0.1.
	# pass in final proto igmp all
	pass in final from any to 224.0.0.0/4
	pass in final from any to ff00::/8

	#
	# Block packets with options (e.g. source route) and short TCP fragments.
	# FIXME: not yet supported.
	#
	# block return-icmp in log final all with ipopts

	#
	# Pass established connections.
	#
	# NOTE(review): these two rules match ANY inbound TCP segment with the
	# ACK (or RST) bit set, to any address and port, whether or not a state
	# entry already exists -- unsolicited ACK/RST segments therefore reach
	# the host and, being "stateful", create state. Return traffic for
	# connections this host opened is already admitted by the stateful
	# outbound TCP rule above, so these look redundant; consider removing
	# them or restricting them to the specific services they were added for.
	pass stateful in final proto tcp flags A/A all
	pass stateful in final proto tcp flags R/R all

	#
	# VNC
	#
	# TCP 5500 (VNC reverse-connection listener) is reachable from anywhere.
	pass stateful in final proto tcp from any to any port 5500

	#
	# Web servers
	#
	#pass stateful in final proto tcp from any to / port http

	#
	# Services on gw1.
	#
	# NOTE(review): this matches on the *source* port ntp with no
	# destination constraint, so any UDP datagram whose source port is 123
	# is passed to any local UDP port. If an NTP server is meant to be
	# reachable, `pass in final proto udp to any port ntp` is the narrower
	# form; if only client replies are needed, the stateful outbound UDP
	# rule above already covers them.
	pass in final proto udp from any port ntp
	# pass in final to any port imap
	# pass in final to any port domain
	# pass stateful in final proto tcp to any port smtp
	# pass stateful in final proto tcp to any port auth
	# pass stateful in final proto tcp from any to any port http
	# SSH is exposed on the external interface; the "blacklistd" ruleset
	# above is what gates repeated failed logins.
	pass stateful in final proto tcp to any port ssh
	# pass stateful in final proto tcp to any port bgp
	# pass stateful in final proto tcp to any port ftp
	# pass stateful in final proto tcp to any port "ftp-data"
	# pass stateful in final proto tcp to any port 6161
	# IKE for the IPsec tunnels above (stateless).
	pass in final proto udp to any port isakmp
	# TODO: document which service listens on udp/8001.
	pass in final proto udp to any port 8001
	# Inbound on $ext_if to a LAN address -- presumably paired with a NAT
	# redirect that is not in this file; NOTE(review): confirm, otherwise
	# this rule never matches.
	pass stateful in final proto tcp to 192.168.2.9 port www

	#
	# Handle traceroute gracefully for up to 30 hops away.
	# FIXME: port-unr for ICMP is not yet supported.
	#
	# Answer with an ICMP error instead of silently dropping, so traceroute
	# probes to this range terminate cleanly.
	block return-icmp in final proto udp to any port 33433-33524 apply "log"

	#
	# Only allow selected ICMP types.
	#
	# IPv4 ICMP is limited to the listed types; all ICMPv6 types are passed.
	pass in final proto icmp icmp-type echo all
	pass in final proto icmp icmp-type timxceed all
	pass in final proto icmp icmp-type unreach all
	pass in final proto icmp icmp-type echoreply all
	pass in final proto icmp icmp-type sourcequench all
	pass in final proto icmp icmp-type paramprob all
	pass in final proto ipv6-icmp all

	#
	# Send back a reset for new connections on tcp.
	#
	# block return-rst in final proto tcp flags S/SA all apply "log"

	# Catch-all for the external interface: anything not passed above is
	# dropped and logged, inbound and outbound.
	block final all apply "log"
}

# LAN-facing group: no filtering on the inside.
group "internal" on $int_if {
	# Pass everything to internal networks,
	# should be ok, because we are NATed.
	pass final all
}

# Applies to packets not handled by an interface-specific group above
# (loopback and the ppp interfaces).
group default {
	# Loopback interface should allow packets to traverse it.
	pass final on lo0 all
	pass final on ppp0 all
	pass final on ppp1 all
	pass final on ppp2 all

	#
	# Block everything by default.
	#
	block final all apply "log"
}