NPF.CONF(5) File Formats Manual NPF.CONF(5)
NAME
npf.confNPF packet filter configuration file
DESCRIPTION
npf.conf is the default configuration file for NPF packet filter. It can contain definitions, grouped rules, and tables.
DEFINITIONS
Definitions are general purpose keywords which can be used in the ruleset to make it more flexible and easier to manage. Most commonly, definitions are used to define one of the following: IP addresses, networks, ports, or interfaces. Definitions can contain multiple elements.
GROUPS
Having one huge ruleset for all interfaces or directions might be inefficient; therefore, NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which have subrules. The main properties of a group are its interface and traffic direction. Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the default group. The default group must always be defined.
RULES
Rules, which are the main part of NPF configuration, describe the criteria used to inspect and make decisions about packets. Currently, NPF supports filtering on the following criteria: interface, traffic direction, protocol, IPv4 address or network, and TCP/UDP port or range. Supported actions are blocking or passing the packet.
 
Each rule has a priority, which is set according to its order in the ruleset. Rules defined first are accordingly inspected first. All rules in the group are inspected sequentially, and the last matching dictates the action to be taken. Rules, however, may be explicitly marked as final (that is, "quick"). In such cases, processing stops after encountering the first matching rule marked as final. If there is no matching rule in the custom group, then rules in the default group will be inspected.
 
Definitions (prefixed with "$") and tables (specified by an ID within "<>" marks) can be used in the filter options of rules.
TABLES
Certain configurations might use very large sets of IP addresses or change sets frequently. Storing large IP sets in the configuration file or performing frequent reloads can have a significant performance cost.
 
In order to achieve high performance, NPF has tables. NPF tables provide separate storage designed for large IP sets and frequent updates without reloading the entire ruleset. Tables can be managed dynamically or loaded from a separate file, which is useful for large static tables. There are two types of storage: "tree" (red-black tree is used) and "hash".
NAT
Special rules for Network Address Translation (NAT) can be added. Translation is performed on specified interface, assigning a specified address of said interface. Minimal filtering criteria on local network and destination are provided.
GRAMMAR
line = ( def | table | nat | group ) def = ( <name> "=" "{ a, b, ... }" | "text" | "$<interface>" ) iface = ( <interface> | def ) table = "table" <tid> "type" ( "hash" | "tree" ) ( "dynamic" | "file" <path> ) nat = "nat" iface filt-opts "->" <addr> binat = "binat" iface filt-opts "->" <addr> rdr = "rdr" iface filt-opts "->" <addr> port-opts group = "group" "(" ( "default" | group-opts ) "") ruleset group-opts = "interface" iface "," [ "in" | "out" ] ruleset = "{" rule1 <newline>, rule2 <newline>, ... "}" rule = ( "block" block-opts | "pass" ) [ "in" | out" ] rule-opts [ "on" iface ] [ "inet" | "inet6" ] [ "proto" <protocol> ] ( "all" | filt-opts [ "flags" <tcp_flags> > ) block-opts = [ "return-rst" | "return-icmp" | "return" ] rule-opts = [ "log" ] [ "count" ] [ "quick" ] filt-opts = [ "from" ( iface | def | <addr/mask> | <tid> ) port-opts ] [ "to" ( iface | def | <addr/mask> | <tid> ) port-opts ] port-opts = [ "port" ( <port-num> | <port-from> ":" <port-to> | def ) ] proto-opts = [ "flags" <tcp_flags> | "icmp-type" <type> "code" <code> ]
FILES
/dev/npf
control device
/etc/npf.conf
default configuration file
EXAMPLES
ext_if = "wm0" int_if = "wm1" services_tcp = "{ http, https, smtp, domain, 6000 }" services_udp = "{ domain, ntp, 6000 }" table "1" type "hash" file "/etc/npf_blacklist" table "2" type "tree" dynamic nat $ext_if from 192.168.0.0/24 to 0.0.0.0/0 -> $ext_if group (name "external", interface $ext_if) { block in quick from <1> pass out quick from $ext_if keep state pass in log quick inet proto tcp to $ext_if port ssh pass in quick proto tcp to $ext_if port $services_tcp pass in quick proto udp to $ext_if port $services_udp pass in quick proto tcp to $ext_if port 49151:65535 # Passive FTP pass in quick proto udp to $ext_if port 33434:33600 # Traceroute } group (name "internal", interface $int_if) { block in all pass in quick from <2> pass out quick all } group (default) { block all }
SEE ALSO
HISTORY
NPF first appeared in NetBSD 6.0.