xref: /netbsd-src/share/examples/npf/soho_gw-npf.conf (revision 782713e6c126f1866c6d9cfdee4ceb49483b5828) 
1# $NetBSD: soho_gw-npf.conf,v 1.20 2019/11/18 22:27:27 sevan Exp $
2#
3# SOHO border
4#
5# This is a natting border gateway/webserver/mailserver/nameserver
6# IPv4 only
7#
8
9$ext_if = "wm0"
10$ext_v4 = inet4(wm0)
11$ext_addrs = ifaddrs(wm0)
12
13$int_if = "wm1"
14
15# a "naughty" step^W table to house blocked candidates in
16# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
17table <naughty> type ipset
18
19$services_tcp = { http, https, smtp, domain, 6000, 9022 }
20$services_udp = { domain, ntp, 6000 }
21$localnet = { 198.51.100.0/24 }
22
23# NAT outgoing to the address of the external interface
24# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
25# then the translation address has to be specified explicitly.
26map $ext_if dynamic $localnet -> $ext_v4
27
28# NAT traffic arriving on port 9022 of the external interface address
29# to host 198.51.100.2 port 22
30map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
31
32procedure "log" {
33	# Send log events to npflog0, see npfd(8)
34	log: npflog0
35}
36
37group "external" on $ext_if {
38	# Allow all outbound traffic
39	pass stateful out all
40
41	# Block inbound traffic from those on the naughty table
42	block in from <naughty>
43
44	# Placeholder for blacklistd (configuration separate) to add blocked hosts
45	ruleset "blacklistd"
46
47	# Allow inbound SSH and log all connection attempts
48	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
49		apply "log"
50
51	# Allow inbound traffic for services hosted on TCP
52	pass stateful in proto tcp to $ext_addrs port $services_tcp
53
54	# Allow inbound traffic for services hosted on UDP
55	pass stateful in proto udp to $ext_addrs port $services_udp
56
57	# Allow being tracerouted
58	pass stateful in proto udp to $ext_addrs port 33434-33600
59}
60
61group "internal" on $int_if {
62	# Allow inbound traffic from LAN
63	pass in from $localnet
64
65	# All outbound traffic to LAN
66	pass out all
67}
68
69group default {
70	# Default deny, otherwise last matching rule wins
71	block all apply "log"
72
73	# Don't block loopback
74	pass on lo0 all
75
76	# Allow incoming IPv4 pings
77	pass in family inet4 proto icmp icmp-type echo all
78}
79