# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#
# Rule order matters: npf evaluates the rules of the matching group in
# sequence and the last matching rule decides, unless a matching rule marked
# "final" ends the evaluation first (see npf.conf(5)).  Reordering a rule
# below can therefore change which rule wins.

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
# NOTE(review): this also picks up the inet6 address of wm0 although the
# header says "IPv4 only"; the service rules below that use $ext_addrs thus
# admit IPv6 peers as well -- confirm that is intended.
$ext_addrs = { inet4(wm0), inet6(wm0) }

$int_if = "wm1"

# a table to house e.g. block candidates in
table <block> type hash file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
table <int-block> type tree dynamic

# Services reachable from the external network.  Port 6000 (conventionally
# X11) and 9022 (the ssh forward below) are both exposed on the border
# interface -- confirm each is intended.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# NOTE(review): defined but not referenced by any rule in this file.
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic 198.51.100.0/24 -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# The redirected packets still have to be admitted by a pass rule; that is
# why 9022 appears in $services_tcp above.
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

# Sends the packets of any rule that applies it to the npflog0 interface.
procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	# Unrestricted egress; state created here is what lets the replies
	# back in.
	pass stateful out final all

	# Kept ahead of the pass rules on purpose: it is "final", so a host
	# listed in <block> never reaches the service rules below.
	block in final from <block>
	# ssh is accepted on the IPv4 address only, and every accepted
	# connection is logged via the "log" procedure.
	pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"
	pass stateful in final proto tcp to $ext_addrs port $services_tcp
	pass stateful in final proto udp to $ext_addrs port $services_udp

	# Passive FTP
	# NOTE(review): this admits new inbound TCP to every port in
	# 49151-65535, not only to the FTP daemon's data ports; anything else
	# listening in that range on the gateway is reachable too.  Narrow it
	# to the passive port range configured on the FTP daemon.
	pass stateful in final proto tcp to $ext_addrs port 49151-65535
	# Traceroute
	pass stateful in final proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	block in all
	# NOTE(review): because of the "block in all" just above, <int-block>
	# works as an allow-list here -- only hosts added to it can send
	# through $int_if -- whereas the table name and its comment read like
	# a deny list.  Confirm the intent; $localnet is defined but unused.
	pass in final from <int-block>
	pass out final all
}

# Anything not handled by an interface group: loopback passes, the rest is
# dropped.
group default {
	pass final on lo0 all
	block all
}