# $NetBSD: soho_gw-npf.conf,v 1.1 2012/08/21 06:54:39 spz Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
#
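$ext_if = "wm0"
$int_if = "wm1"

# Source addresses to drop on $ext_if (see the "external" group);
# populated from the file named here.
table <1> type hash file "/etc/npf_blacklist"
# Internal hosts allowed to send through the gateway and hence to be
# NATed (see the "internal" group). Dynamic: meant to be populated at
# run time, not from this file.
table <2> type tree dynamic

# Gateway services reachable from the outside on $ext_if.
# 9022 is the external side of the SSH redirection below.
# 6000 is not named here -- TODO document which service it stands for.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
# $localnet is used instead of repeating the prefix literal so the
# internal network is defined in exactly one place.
map $ext_if dynamic $localnet -> $ext_if

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022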
26
procedure "log" {
	# Logs matching packets via the npflog0 pseudo-interface;
	# attached to rules with 'apply "log"'.
	log: npflog0
}
30
procedure "rid" {
	# Normalisation: randomise the IP ID field of matching packets.
	# Applied to outbound traffic in the "external" group.
	normalise: "random-id"
}
34
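group (name "external", interface $ext_if) {
	# Anything leaving via the external interface is allowed. Stateful:
	# replies are matched by connection state rather than by the rules
	# below.
	pass stateful out final from $ext_if apply "rid"

	# Blacklisted sources are dropped before any pass rule is considered
	# (final: rule processing stops here).
	block in final from <1>
	# SSH to the gateway itself (IPv4 only) is logged.
	pass stateful in final family inet proto tcp to $ext_if port ssh \
		apply "log"
	# SSH redirected to 198.51.100.2 arrives as port 9022 on $ext_if.
	# Log it like SSH to the gateway instead of passing it silently as
	# part of $services_tcp; 'final' makes this rule take precedence.
	pass stateful in final proto tcp to $ext_if port 9022 apply "log"
	pass stateful in final proto tcp to $ext_if port $services_tcp
	pass stateful in final proto udp to $ext_if port $services_udp

	# Passive FTP -- note this opens a broad high-port range to any source
	pass stateful in final proto tcp to $ext_if port 49151-65535
	# Traceroute
	pass stateful in final proto udp to $ext_if port 33434-33600
}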
49
group (name "internal", interface $int_if) {
	# LAN side: only hosts listed in the dynamic table <2> may send
	# through the gateway; everything else arriving on $int_if is
	# dropped. The pass rule is not stateful -- state for LAN-originated
	# flows is created by the "pass stateful out" rule of the "external"
	# group.
	block in all
	pass in final from <2>
	pass out final all
}
55
group (default) {
	# Loopback traffic is always allowed.
	pass final on lo0 all
	# Default deny for anything not matched by the interface groups above.
	block all
}