
NPF.CONF (8)                  NetBSD System Managers Manual                  NPF.CONF (8)

NAME
npf.conf - NPF packet filter configuration file

DESCRIPTION
npf.conf is the default configuration file for the NPF packet filter. It can contain definitions, tables,
NAT rules, and filtering rules grouped by interface and direction.

DEFINITIONS
Definitions are general-purpose names that can be used in the ruleset to make it more flexible and easier
to manage. Most commonly, definitions name one of the following: IP addresses, networks, ports, or
interfaces. A definition can contain multiple elements (a list in braces) and is referenced in rules with a
"$" prefix.

GROUPS
Having one huge ruleset for all interfaces or directions might be inefficient; therefore, NPF requires that all
rules be defined within groups. Groups can be thought of as higher level rules which have subrules. The
main properties of a group are its interface and traffic direction. Packets matching group criteria are passed
to the ruleset of that group. If a packet does not match any group, it is passed to the default group. The
default group must always be defined.

RULES
Rules, which are the main part of the NPF configuration, describe the criteria used to inspect packets and
the decision to make about them. Currently, NPF supports filtering on the following criteria: interface,
traffic direction, protocol, IPv4 address or network, and TCP/UDP port or range. The supported actions are
blocking or passing the packet.
Each rule has a priority, which is set according to its order in the ruleset. Rules defined first are accordingly
inspected first. All rules in the group are inspected sequentially, and the last matching rule dictates the action
to be taken. Rules, however, may be explicitly marked as final (that is, "quick"). In such cases, processing
stops after encountering the first matching rule marked as final. The practical consequence is that, without
"quick", a later and broader "pass" silently overrides an earlier "block"; marking the block "quick" (as the
example ruleset below does for the blacklist table) makes it take effect regardless of what follows. If there is
no matching rule in the custom group, then rules in the default group will be inspected.
Definitions (prefixed with "$") and tables (specified by an ID within "<>" marks) can be used in the filter
options of rules.
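The evaluation order described above (group selection by interface and direction, sequential inspection with the last match winning, "quick" ending inspection, fall-through to the default group) as an added Python model. This is illustration code written for this page, not NPF's own implementation; the interface names, the address 198.51.100.1 for the external interface, the table contents, and the assumption that only the first group whose criteria match is consulted are all constructed for the example.

```python
"""Model of the NPF evaluation order described in GROUPS and RULES: a packet
goes to the group whose interface and direction match, rules are inspected in
order, the last match wins unless a matching rule is "quick", and the default
group is consulted when no custom-group rule matches.  Added illustration, not
NPF code.  Assumptions not stated on the page: only the first group whose
criteria match is consulted, and a table is modelled as a list of networks."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                       # "block" or "pass"
    direction: Optional[str] = None   # "in", "out" or None for either
    proto: Optional[str] = None       # "tcp", "udp" or None for any
    src: Optional[str] = None         # addr/mask, "<tid>" or None for any
    dst: Optional[str] = None
    ports: Optional[tuple] = None     # (low, high) destination port range
    quick: bool = False               # final rule: stop at the first match

@dataclass
class Group:
    interface: Optional[str]          # None for the default group
    direction: Optional[str]          # None means both directions
    rules: list

@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int

def addr_matches(spec, addr, tables):
    """Match an address against addr/mask or a table reference "<tid>"."""
    if spec is None:
        return True
    nets = tables[spec[1:-1]] if spec.startswith("<") else [spec]
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(rule, pkt, tables):
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.ports and not rule.ports[0] <= pkt.dport <= rule.ports[1]:
        return False
    return (addr_matches(rule.src, pkt.src, tables)
            and addr_matches(rule.dst, pkt.dst, tables))

def evaluate_group(group, pkt, tables):
    """Sequential inspection: the last match dictates the action unless a
    matching rule is quick, which ends inspection.  None if nothing matched."""
    decision = None
    for rule in group.rules:
        if rule_matches(rule, pkt, tables):
            decision = rule.action
            if rule.quick:
                break
    return decision

def filter_packet(groups, default_group, pkt, tables):
    """Select the group by interface and direction; use the default group when
    no group matches or no rule in the selected group matches."""
    for g in groups:
        if g.interface == pkt.iface and g.direction in (None, pkt.direction):
            decision = evaluate_group(g, pkt, tables)
            if decision is not None:
                return decision
            break                     # assumption: first matching group only
    return evaluate_group(default_group, pkt, tables)

# Constructed sample ruleset modelled on the EXAMPLES section: wm0 is the
# external interface (assumed address 198.51.100.1), table 1 the blacklist,
# table 2 the internal hosts allowed in.  Addresses are documentation ranges.
EXT_ADDR = "198.51.100.1"
TABLES = {"1": ["203.0.113.0/24"], "2": ["192.168.0.0/24"]}
EXTERNAL = Group("wm0", None, [
    Rule("block", "in", src="<1>", quick=True),
    Rule("pass", "out", src=EXT_ADDR, quick=True),
    Rule("pass", "in", proto="tcp", dst=EXT_ADDR, ports=(22, 22), quick=True),
    Rule("pass", "in", proto="tcp", dst=EXT_ADDR, ports=(49151, 65535), quick=True),
])
INTERNAL = Group("wm1", None, [
    Rule("block", "in"),              # not quick: a later match overrides it
    Rule("pass", "in", src="<2>", quick=True),
    Rule("pass", "out", quick=True),
])
DEFAULT = Group(None, None, [Rule("block")])

def decide(iface, direction, proto, src, dst, dport):
    pkt = Packet(iface, direction, proto, src, dst, dport)
    return filter_packet([EXTERNAL, INTERNAL], DEFAULT, pkt, TABLES)

def last_match_demo(block_is_quick):
    """"block in all" followed by "pass in proto tcp ... port 22": without quick
    the later pass wins (last match); with quick the block ends inspection."""
    g = Group("wm0", None, [Rule("block", "in", quick=block_is_quick),
                            Rule("pass", "in", proto="tcp", ports=(22, 22))])
    pkt = Packet("wm0", "in", "tcp", "198.51.100.9", EXT_ADDR, 22)
    return evaluate_group(g, pkt, TABLES)

if __name__ == "__main__":
    print(decide("wm0", "in", "tcp", "203.0.113.7", EXT_ADDR, 22))   # block (table 1)
    print(decide("wm0", "in", "tcp", "198.51.100.9", EXT_ADDR, 23))  # block (default group)
    print(last_match_demo(False), last_match_demo(True))             # pass block
```

The `last_match_demo` pair is the case worth remembering: the same two rules give opposite answers depending only on whether the block is "quick", which is why the example ruleset on this page marks every rule in the external group as final.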

TABLES
Certain configurations might use very large sets of IP addresses or change those sets frequently. Storing
large IP sets in the configuration file or performing frequent reloads can have a significant performance cost.
In order to achieve high performance, NPF has tables. NPF tables provide separate storage designed for
large IP sets and frequent updates without reloading the entire ruleset. Tables can be managed dynamically
or loaded from a separate file, which is useful for large static tables. There are two storage types: "hash"
and "tree" (a red-black tree).

NAT
Special rules for Network Address Translation (NAT) can be added. Translation is performed on the specified
interface, using a specified address of that interface. Minimal filtering criteria on the local network and the
destination are provided.

GRAMMAR
line = ( def | table | nat | group )

def = ( "{ a, b, ... }" | "text" | "$<interface>" )
iface = ( <interface> | def )

table = "table" <tid> "type" ( "hash" | "tree" )
        ( "dynamic" | "file" <path> )

nat = "nat" iface "from" <addr/mask> "to" <addr/mask> "->" <addr>

group = "group" "(" ( "default" | group-opts ) ")" ruleset
group-opts = "interface" iface "," [ "in" | "out" ]
ruleset = "{" rule1 <newline>, rule2 <newline>, ... "}"

rule = ( "block" | "pass" ) [ "in" | "out" ] rule-opts
       [ "on" iface ] [ "inet" | "inet6" ] [ "proto" <protocol> ]
       ( "all" | filt-opts )
rule-opts = [ "log" ] [ "count" ] [ "quick" ]
filt-opts = [ "from" ( iface | def | <addr/mask> | <tid> ) port-opts ]
            [ "to" ( iface | def | <addr/mask> | <tid> ) port-opts ]
port-opts = [ "port" ( <port-num> | <port-from> ":" <port-to> | def ) ]

FILES
/dev/npf control device
/etc/npf.conf default configuration file

EXAMPLES
ext_if = "wm0"
int_if = "wm1"

services_tcp = "{ http, https, smtp, domain, 6000 }"
services_udp = "{ domain, ntp, 6000 }"

table "1" type "hash" file "/etc/npf_blacklist"
table "2" type "tree" dynamic

nat $ext_if from 192.168.0.0/24 to 0.0.0.0/0 -> $ext_if

group (name "external", interface $ext_if) {
    block in quick from <1>
    pass out quick from $ext_if keep state
    pass in log quick inet proto tcp to $ext_if port ssh
    pass in quick proto tcp to $ext_if port $services_tcp
    pass in quick proto udp to $ext_if port $services_udp
    pass in quick proto tcp to $ext_if port 49151:65535 # Passive FTP
    pass in quick proto udp to $ext_if port 33434:33600 # Traceroute
}

group (name "internal", interface $int_if) {
    block in all
    pass in quick from <2>
    pass out quick all
}

group (default) {
    block all
}
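A small checker for the grammar and example above, added here as illustration (it is not part of NPF or npfctl): it reads a configuration in the form shown in EXAMPLES and reports references to undefined definitions or undeclared tables, text inside a group that is not a rule, an unterminated ruleset, and a missing default group. The two sample configurations are constructed copies (one trimmed from the example above, one deliberately broken); the assumption that each statement sits on its own line is the checker's, not the page's.

```python
"""Added lint for the npf.conf grammar above (not part of NPF or npfctl): it
parses a configuration line by line, records definitions, tables and groups,
and reports the mistakes that would otherwise surface only at reload time:
references to undefined $definitions or undeclared <tables>, non-rule text
inside a group, an unterminated ruleset and a missing default group.
Assumption: one statement per line; "#" starts a comment."""
import re

DEF_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')
TABLE_RE = re.compile(r'^table\s+"(\d+)"\s+type\s+"(hash|tree)"\s+(dynamic|file\s+"[^"]+")$')
GROUP_RE = re.compile(r'^group\s*\((.*)\)\s*\{$')
RULE_RE = re.compile(r'^(block|pass)\b')
NAT_RE = re.compile(r'^nat\b')
DEF_REF_RE = re.compile(r'\$(\w+)')
TABLE_REF_RE = re.compile(r'<(\d+)>')

def lint_npf_conf(text):
    """Return a list of problem strings; an empty list means the checks passed."""
    defs, tables, groups, problems = {}, set(), [], []
    current = None                      # group whose ruleset is open, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:             # top level: def, table, nat or group
            if m := DEF_RE.match(line):
                defs[m.group(1)] = m.group(2).strip('"')
                continue
            if m := TABLE_RE.match(line):
                tables.add(m.group(1))
                continue
            if m := GROUP_RE.match(line):
                current = m.group(1).strip()
                groups.append(current)
            elif not NAT_RE.match(line):
                problems.append(f"line {lineno}: unrecognised statement: {line}")
                continue
        else:                           # inside a ruleset: rules until "}"
            if line == "}":
                current = None
                continue
            if not RULE_RE.match(line):
                problems.append(f"line {lineno}: not a rule inside group ({current}): {line}")
                continue
        # nat lines, group headers and rules may reference $defs and <tables>
        for name in DEF_REF_RE.findall(line):
            if name not in defs:
                problems.append(f"line {lineno}: undefined definition ${name}")
        for tid in TABLE_REF_RE.findall(line):
            if tid not in tables:
                problems.append(f"line {lineno}: undeclared table <{tid}>")
    if current is not None:
        problems.append(f"unterminated ruleset for group ({current})")
    if "default" not in groups:
        problems.append("no default group: NPF requires group (default) { ... }")
    return problems

# Constructed inputs: a trimmed copy of the EXAMPLES ruleset, and a broken one.
GOOD_CONF = '''
ext_if = "wm0"
int_if = "wm1"
services_tcp = "{ http, https, smtp, domain, 6000 }"
table "1" type "hash" file "/etc/npf_blacklist"
table "2" type "tree" dynamic
nat $ext_if from 192.168.0.0/24 to 0.0.0.0/0 -> $ext_if
group (name "external", interface $ext_if) {
    block in quick from <1>
    pass in log quick inet proto tcp to $ext_if port ssh
    pass in quick proto tcp to $ext_if port $services_tcp
    pass in quick proto tcp to $ext_if port 49151:65535 # Passive FTP
}
group (name "internal", interface $int_if) {
    block in all
    pass in quick from <2>
    pass out quick all
}
group (default) {
    block all
}
'''
BAD_CONF = '''
ext_if = "wm0"
table "1" type "hash" file "/etc/npf_blacklist"
group (name "external", interface $ext_if) {
    block in quick from <1>
    pass in quick proto tcp to $dmz_if port 22
    block in quick from <3>
'''

if __name__ == "__main__":
    for problem in lint_npf_conf(BAD_CONF):
        print(problem)
```

Run it over a candidate file before handing the file to npfctl(8); a reference to a table that was never declared, or a group file that lost its `group (default)` block in an edit, is cheaper to catch here than after the ruleset has been loaded.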

SEE ALSO
npfctl(8), npf_ncode(9)

HISTORY
NPF first appeared in NetBSD 6.0.

NetBSD 5.0.2 August 22, 2010 3
