Create a gist now

Instantly share code, notes, and snippets.

Embed
Example NaCl config for a simple firewall.
Iface outside {
address: 10.0.0.2,
netmask: 255.255.255.0,
gateway: 10.0.0.1,
index: 0
}
Iface inside {
address: 192.168.0.1,
netmask: 255.255.255.0,
index: 1
}
Gateway myGateway {
forward: firewallchain,
outside_route: {
net: 10.0.0.0,
netmask: 255.255.255.0,
Iface: outside
},
inside_route: {
net: 192.168.0.0,
netmask: 255.255.255.0,
iface: inside
},
default_route: {
net: 0.0.0.0,
netmask: 0.0.0.0,
nexthop: 10.0.0.1,
iface: outside
}
}
Syslog settings {
address: 192.168.0.231,
port: 6514
}
bastion_host: 10.55.1.1
allowed_services: [80,443]
allowed_hosts: [192.168.0.10 - 192.168.0.200]
Filter::IP firewallchain {
if (ct.state == established) {
syslog(INFO, "Accepting packet from an already established connection (from ", ip.saddr, ")")
accept
}
if (ip.saddr == bastion_host) {
accept
}
Filter::TCP {
if (ip.daddr in allowed_hosts and tcp.dport in allowed_services) {
syslog(INFO, "New connection established (from ", ip.saddr, ")")
accept
}
} // end TCP
syslog(WARNING, "Dropping packet from saddr ", ip.saddr," to ", ip.daddr)
drop
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment