NPF is built into NetBSD.
The most basic configuration consists of placing a rules file at /etc/npf.conf.
Here is an example file I wrote:
- The server can talk to the internet statefully, without restriction
- All incoming connections are blocked, except to the SSH port
- A 'fail2ban' table is created, together with a rule that blocks the IPs it contains (in case you install fail2ban later).
Adapt it to your needs.
Be careful: NPF's syntax is unforgiving.
########################################################################
# 1 - Provide information about your network interface(s):
# WAN Interface :
$WAN_if = 'wm0'
$WAN_addrs = ifaddrs(wm0)
alg 'icmp'
########################################################################
# 2 - RFC1918 (is WAN_addrs public or private IP ?)
# Blocking these ranges protects a server that faces the internet directly from packets carrying private source addresses.
# (Uncomment only if the WAN IP is a public IP address)
# Note: RFC 1918 defines the second block as 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not /14.
#$RFC1918 = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
########################################################################
# 3 - Create a procedure for logging connections:
procedure 'log' {
# Send all events to a log (see npfd(8))
log: npflog0
}
########################################################################
# 4 - Create tables
# Create a table for fail2ban
table <fail2ban> type ipset
########################################################################
# 5 - Rule group for the WAN interface:
group 'WAN' on $WAN_if {
# Block IP from fail2ban table
block in final from <fail2ban> apply 'log'
# Allow all stateful outgoing traffic by selecting the protocol:
#pass stateful out final proto tcp all
#pass stateful out final proto udp all
#pass stateful out final proto icmp all
#pass stateful out final proto ipv6-icmp all
# Allow all stateful outgoing traffic (all protocols).
pass stateful out final all
# SSH: Allow SSH connections to the server ('final' stops rule evaluation here, like the other rules in this group)
pass stateful in final on $WAN_if proto tcp to $WAN_addrs port ssh
# Web Server: Allow HTTP and HTTPS connections to the server
#pass in final proto tcp from any to $WAN_addrs port http
#pass in final proto tcp from any to $WAN_addrs port https
# DHCP: Allow incoming responses from the DHCP server.
#pass in family inet4 proto udp from any port bootps to any port bootpc
#pass in family inet6 proto udp from any to any port 'dhcpv6-client'
# Ping: Allow incoming ping requests
#pass in family inet4 proto icmp icmp-type echo all
#pass in final proto icmp icmp-type echo all
#pass in final proto icmp icmp-type timxceed all
#pass in final proto icmp icmp-type unreach all
#pass in final proto icmp icmp-type echoreply all
#pass in final proto icmp icmp-type sourcequench all
#pass in final proto icmp icmp-type paramprob all
#pass in final proto ipv6-icmp all
#pass family inet6 proto ipv6-icmp all
# Traceroute: Allow incoming traceroute.
#pass in proto udp to any port 33434-33600
# DNS: Allow outgoing DNS queries (already covered by the stateful "pass out all" rule above)
#pass stateful out final proto udp to any port domain
# mDNS: Allow local traffic
#pass in proto udp to any port mdns
# Block private networks:
#block in final from $RFC1918 apply 'log'
#block out final to $RFC1918 apply 'log'
# Forbidden IPs: (separate configuration)
# ruleset 'blacklistd'
# IP Spoofing: Protect yourself (be careful not to cut off SSH access!)
#block in final from 127.0.0.1 apply 'log'
# L2TP/IPSEC-NAT-T Tunnels (IPsec NAT-T is UDP 4500, L2TP is UDP 1701, so 'proto udp' is given with the ports).
#pass in final proto esp from any to inet4($WAN_if)
#pass out final proto esp from inet4($WAN_if) to any
#pass stateful in final proto udp from any to inet4($WAN_if) port 'ipsec-nat-t'
#pass stateful in final proto udp from any to inet4($WAN_if) port l2tp
# IGMP on 224.0.0.1.
#pass in final proto igmp all
#pass in final from any to 224.0.0.0/4
# VNC
#pass in final proto tcp from any to any port 5900
}
########################################################################
# 6 - Default rule group:
group default {
# Loopback : Allow traffic
pass final on lo0 all
# Close the firewall
block all apply 'log'
}
########################################################################
Don't forget the directive in /etc/rc.conf so that the firewall starts when the server reboots:
echo npf=YES >> /etc/rc.conf
Start the firewall:
service npf start
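Because the syntax is unforgiving and an SSH-only server is easy to lock yourself out of, a small helper that validates a new rules file before loading it and rolls back automatically unless you confirm from the still-open session is useful; the same script adds addresses to the 'fail2ban' table only after checking they are well-formed IPv4 addresses. This is an added example, not code from the original post; it assumes NetBSD with npfctl(8), and the file names, the 'fail2ban' table name and the 60 s grace period are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: apply a new npf.conf without
# locking yourself out, and add addresses to the fail2ban table only after
# validating them. Assumes NetBSD with npfctl(8); the file names, the
# 'fail2ban' table name and the 60 s grace period are assumptions.
RULES=${RULES:-/etc/npf.conf}
ROLLBACK=${ROLLBACK:-/etc/npf.conf.rollback}
TABLE=${TABLE:-fail2ban}
GRACE=${GRACE:-60}

# Accept one IPv4 address, optionally with a /prefix (e.g. 192.0.2.10 or 10.0.0.0/8).
is_ipv4() {
    case $1 in */|*/*/*) return 1;; esac
    addr=${1%/*}; pfx=${1#"$addr"}; pfx=${pfx#/}
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1;; esac
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
    [ -z "$pfx" ] || { case $pfx in *[!0-9]*) return 1;; esac; [ "$pfx" -le 32 ]; }
}

# Validate, load, and roll back to the previous rules unless the operator
# confirms from the (still open) SSH session within GRACE seconds.
npf_apply() {
    new=$1
    npfctl validate "$new" || { echo "syntax error, nothing loaded" >&2; return 1; }
    cp "$RULES" "$ROLLBACK" || return 1
    npfctl reload "$new" || return 1
    ( sleep "$GRACE"; npfctl reload "$ROLLBACK"; echo "rolled back to $ROLLBACK" >&2 ) &
    timer=$!
    printf 'New rules active. Still connected? Type yes within %ss: ' "$GRACE"
    read answer
    if kill -0 "$timer" 2>/dev/null && [ "$answer" = yes ]; then
        kill "$timer"; cp "$new" "$RULES"; return 0
    fi
    return 1
}

# Add an address to the fail2ban table; reject anything that is not an IPv4 address.
npf_ban() {
    is_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 1; }
    npfctl table "$TABLE" add "$1"
}

case "${1-}" in
    apply) npf_apply "$2" ;;
    ban)   npf_ban "$2" ;;
esac
```

Usage: `sh npf-safe.sh apply /tmp/npf.conf.new` to test a new rules file, and `sh npf-safe.sh ban 192.0.2.10` (a documentation address used here as a placeholder) to add an entry to the table.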