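# $NetBSD: soho_gw-npf.conf,v 1.21 2023/07/31 16:09:01 tsutsui Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#
# Rule semantics used throughout: within a group the LAST matching rule
# wins unless a rule is marked "final", which stops processing on match.
#

$ext_if = "wm0"
$ext_v4 = inet4($ext_if)
$ext_addrs = ifaddrs($ext_if)

$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
table <naughty> type ipset

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}

group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table.
	# "final" is required here: without it the "pass ... in" rules
	# further down in this group match after this one and, since the
	# last match wins, would re-admit a blocked host to any listed
	# service port.
	block in final from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	# NOTE(review): rules inserted here are also evaluated before the
	# pass rules below, so they only take effect if they are inserted
	# as "final" as well — confirm against the blacklistd helper in use.
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted
	pass stateful in proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	# Allow inbound traffic from LAN
	pass in from $localnet

	# All outbound traffic to LAN
	pass out all
}

group default {
	# Default deny, otherwise last matching rule wins
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}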