# $NetBSD: soho_gw-npf.conf,v 1.21 2023/07/31 16:09:01 tsutsui Exp $
#
# SOHO border
#
# This is a NATting border gateway/webserver/mailserver/nameserver.
# IPv4 only.
#
# External (Internet-facing) interface.  $ext_v4 is its IPv4 address(es)
# via inet4(); $ext_addrs is whatever ifaddrs() returns for it.
# NOTE(review): ifaddrs() is presumably not limited to IPv4, and the
# rules below that use $ext_addrs carry no "family inet4" -- confirm
# this is acceptable given the "IPv4 only" statement in the header.
$ext_if = "wm0"
$ext_v4 = inet4($ext_if)
$ext_addrs = ifaddrs($ext_if)

# Internal (LAN-facing) interface
$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
# (203.0.113.99 is RFC 5737 documentation space; substitute a real address)
table <naughty> type ipset

# Inbound services accepted from the Internet, as service names or
# numeric ports.  9022 is the externally visible port of the port-22
# redirect ("map ... <-") further down.
# NOTE(review): 6000 is conventionally the X11 display port; it is
# opened here on both TCP and UDP, so confirm it is really meant to be
# reachable from the outside before deploying this file.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# LAN prefix (198.51.100.0/24 is RFC 5737 documentation space; replace it
# with the real LAN)
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
# Only sources inside $localnet are translated by this rule.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# (presumably the reason 9022 appears in $services_tcp, so that the
# redirected connections are also passed by group "external")
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
# Rule procedure attached to rules with 'apply "log"': every packet
# those rules match is sent to the npflog0 interface.
procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}
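# Rules for packets on the Internet-facing interface.  As group default's
# own comment says, the last matching rule wins unless a rule is marked
# "final", so ordering within this group is significant.
group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table.
	# "final" stops rule processing for such packets: without it the
	# later pass rules for ssh, $services_tcp and $services_udp would
	# also match and, being last, would win and admit a listed host.
	# Unlike group default's block, this one is not logged; add
	# 'apply "log"' if those hits should show up in npflog0.
	block in final from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted (UDP probe ports only; the state lets the
	# related replies back through)
	pass stateful in proto udp to $ext_addrs port 33434-33600
}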
# Rules for the LAN-facing interface.  Neither rule is stateful.
group "internal" on $int_if {
	# Allow inbound traffic from LAN.  Packets arriving here from a
	# source outside $localnet are not passed by this group (and
	# presumably end up at group default's "block all").
	pass in from $localnet

	# Allow all outbound traffic to LAN
	pass out all
}
# Catch-all group (presumably consulted for packets no interface group
# above decided on).  Order matters: "block all" comes first so that the
# two pass rules after it, being the last to match, win for loopback and
# IPv4 echo requests.
group default {
	# Default deny, otherwise last matching rule wins
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings (echo requests only; every other ICMP
	# type stays covered by the logged block above)
	pass in family inet4 proto icmp icmp-type echo all
}