# $NetBSD: soho_gw-npf.conf,v 1.16 2019/09/21 21:10:56 sevan Exp $
2 #
3 # SOHO border
4 #
5 # This is a natting border gateway/webserver/mailserver/nameserver
6 # IPv4 only
7 #
8
# External (Internet-facing) interface. $ext_v4 resolves to the IPv4
# address of wm0 and is used as the NAT translation address below;
# $ext_addrs resolves to all addresses on wm0 and is the destination the
# hosted-service rules in group "external" match on.
$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = ifaddrs(wm0)

# Internal (LAN) interface
$int_if = "wm1"

# a table to house e.g. block candidates in
# This table is preloaded from the file named here; group "external"
# blocks inbound traffic from any address it contains.
table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
# NOTE(review): unlike <block> this table has no backing file, so it is
# presumably empty on each load until populated with npfctl; group
# "internal" only passes inbound LAN traffic from entries in it.
table <int-block> type lpm

# Ports opened to the Internet by group "external". 9022 is the external
# side of the port forward to 198.51.100.2:22 defined below; the purpose
# of 6000 is not stated here - confirm what is meant to listen there
# before reusing this file.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# LAN prefix used as the NAT source below (not referenced by the
# "internal" group, which uses <int-block> instead).
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# (inbound redirection; the matching "pass" for port 9022 comes from
# $services_tcp in group "external")
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
32
# Rule procedure referenced with: apply "log"
procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}
37
# Rules for packets seen on the Internet-facing interface.
group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the block table
	# NOTE(review): this rule is not marked "final". If the last matching
	# rule wins, as the comment in group default states, a later "pass in"
	# rule for an open service would still match a host listed in <block>;
	# confirm the intended precedence against npf.conf(5).
	block in from <block>

	# Allow SSH on wired interface and log all connection attempts
	# (events go to npflog0 via procedure "log")
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	# ($services_tcp includes 9022, the external side of the port
	# forward to 198.51.100.2:22 set up by the "map ... <-" rule)
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Passive FTP
	# NOTE(review): this passes every TCP port in 49151-65535 from any
	# source, not only FTP data connections - anything else listening in
	# that range on $ext_addrs is reachable as well.
	pass stateful in proto tcp to $ext_addrs port 49151-65535

	# Allow being tracerouted
	# (UDP probes in the range used by traceroute(8))
	pass stateful in proto udp to $ext_addrs port 33434-33600
}
61
# Rules for packets seen on the LAN interface.
group "internal" on $int_if {
	# Allow inbound traffic from LAN
	# (only from prefixes present in <int-block>, which is populated with
	# npfctl; $localnet is not consulted here)
	pass in from <int-block>

	# Allow all outbound traffic to LAN
	pass out all
}
69
# Rules applied to traffic not handled by an interface-specific group.
group default {
	# Default deny, otherwise last matching rule wins
	# (blocked packets are logged to npflog0 via procedure "log")
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}
80