# $NetBSD: soho_gw-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = { ifnet(wm0) }

$int_if = "wm1"

# a table to house e.g. block candidates in
table <1> type hash file "/usr/share/examples/npf/hashtablefile"
# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
table <2> type tree dynamic

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic 198.51.100.0/24 -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	pass stateful out final all

	block in final from <1>
	pass stateful in final family inet proto tcp to $ext_v4 port ssh \
		apply "log"
	pass stateful in final proto tcp to $ext_addrs port $services_tcp
	pass stateful in final proto udp to $ext_addrs port $services_udp

	# Passive FTP
	pass stateful in final proto tcp to $ext_addrs port 49151-65535
	# Traceroute
	pass stateful in final proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	block in all
	pass in final from <2>
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}