soho_gw-npf.conf revision 1.17
# $NetBSD: soho_gw-npf.conf,v 1.17 2019/09/21 23:55:01 sevan Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

# External (Internet-facing) interface.  $ext_v4 is the interface's IPv4
# address and is used as the NAT translation address and as the port-forward
# target; $ext_addrs is every address on the interface and is what the
# inbound service rules in group "external" match on.
$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = ifaddrs(wm0)

# Internal (LAN-facing) interface
$int_if = "wm1"

# a table to house e.g. block candidates in
# (populated from the named file when the configuration is loaded)
table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
# NOTE: despite its name, <int-block> acts as an allow list -- group
# "internal" passes inbound LAN traffic from the prefixes listed in it.
table <int-block> type lpm

# Services this host exposes on the external interface.  TCP 9022 is the
# forwarded SSH port for 198.51.100.2 (see the second map rule below);
# 6000 is opened on both TCP and UDP.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# Internal network whose outbound traffic is NATed
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# (inbound 9022 is admitted through $services_tcp in group "external";
# unlike SSH to the gateway itself those connections are not logged)
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
# Rule procedure attached with 'apply "log"': logs matching packets to the
# npflog0 pseudo-interface.
procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}
     37   1.1    spz 
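# Rules for the Internet-facing interface.  Within a group the last
# matching rule wins (see group default), so a rule that must not be
# overridden by later pass rules has to be marked 'final'.
group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the block table.
	# 'final' stops rule processing here; without it the pass rules
	# below would still admit these sources to the hosted services.
	block in final from <block>

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
		apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Passive FTP
	# (opens the whole 49151-65535 range on every external address;
	# only needed if an FTP server with this passive range runs here)
	pass stateful in proto tcp to $ext_addrs port 49151-65535

	# Allow being tracerouted
	pass stateful in proto udp to $ext_addrs port 33434-33600
}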
     61   1.1    spz 
# Rules for the LAN-facing interface.
group "internal" on $int_if {
	# Allow inbound traffic from LAN
	# (only sources listed in <int-block>; see the npfctl example above)
	pass in from <int-block>

	# All outbound traffic to LAN
	pass out all
}
     69   1.1    spz 
# Catch-all group for traffic not handled by the interface groups.
group default {
	# Default deny, otherwise last matching rule wins
	# (logged, so blocked traffic is visible via npflog0)
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}