xref: /src/share/examples/npf/soho_gw-npf.conf

# $NetBSD: soho_gw-npf.conf,v 1.8 2019/04/10 23:00:43 sevan Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = { inet4(wm0), inet6(wm0) }

$int_if = "wm1"

# a table to house e.g. block candidates in
table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
table <int-block> type lpm

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic 198.51.100.0/24 -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	pass stateful out final all

	block in final from <block>
	pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
		apply "log"
	pass stateful in final proto tcp to $ext_addrs port $services_tcp
	pass stateful in final proto udp to $ext_addrs port $services_udp

	# Passive FTP
	pass stateful in final proto tcp to $ext_addrs port 49151-65535
	# Traceroute
	pass stateful in final proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	block in all
	pass in final from <int-block>
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}