# $NetBSD: soho_gw-npf.conf,v 1.21 2023/07/31 16:09:01 tsutsui Exp $
#
# SOHO border
#
# This is a NATing border gateway/webserver/mailserver/nameserver
# IPv4 only
#

# External (upstream) interface and the addresses NPF derives from it.
$ext_if = "wm0"
# inet4(): the IPv4 address of $ext_if. Used as the NAT translation address
# below and by the SSH rule, which is restricted to family inet4.
$ext_v4 = inet4($ext_if)
# ifaddrs(): every address configured on $ext_if, IPv6 included. Used by the
# general service rules, which are not family-restricted, so if $ext_if ever
# carries an IPv6 address those services become reachable over IPv6 as well
# despite the "IPv4 only" note in the header.
$ext_addrs = ifaddrs($ext_if)

# Internal (LAN) interface
$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
# No "file" option is given, so the table holds nothing until it is fed
# at runtime with npfctl; entries do not survive a reload on their own.
table <naughty> type ipset

# Ports accepted from the outside. 9022 is the external side of the SSH
# redirect further down (forwarded to 198.51.100.2 port 22), so it must stay
# in this list for that redirect to be reachable.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# LAN prefix behind $int_if (an RFC 5737 documentation prefix; replace it
# with the real one).
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
# Rule procedure attached to rules with 'apply "log"'. It logs the packet
# that matched the rule it is applied to; the rule's own verdict (pass or
# block) is unchanged.
procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}
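# Rules for traffic on the external interface. NPF evaluates the rules of a
# group in order and the last matching rule wins, unless a rule carries
# "final", which ends evaluation at that rule.
group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table.
	# "final" is needed here: without it a later "pass stateful in" rule
	# below (e.g. the one for $services_tcp) also matches a packet from a
	# listed host and, being the last match, would let it through.
	# NOTE(review): presumably a connection that is already in the state
	# table keeps passing after its peer is added to the table -- confirm.
	block in final from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted
	pass stateful in proto udp to $ext_addrs port 33434-33600
}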
# Rules for traffic on the LAN-facing interface.
group "internal" on $int_if {
	# Allow inbound traffic from LAN. This rule is not stateful; the
	# stateful rule in group "external" is the one that records LAN-originated
	# connections on their way out. Packets from any other source address
	# match nothing here and presumably fall through to group default -- verify.
	pass in from $localnet

	# All outbound traffic to LAN
	pass out all
}
# Catch-all for packets that matched no rule in the interface groups above.
group default {
	# Default deny, otherwise last matching rule wins
	# (listed first on purpose: the pass rules below are later matches and
	# therefore override it; every blocked packet is logged via "log")
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}