# $NetBSD: soho_gw-npf.conf,v 1.8 2019/04/10 23:00:43 sevan Exp $
#
# SOHO border
#
# This is a NATing border gateway/webserver/mailserver/nameserver.
# IPv4 only
#
# Interfaces: wm0 faces the Internet, wm1 the internal network.
$ext_if = "wm0"
# IPv4 address(es) of the external interface; used as the NAT
# translation address below and as the ssh destination in group "external".
$ext_v4 = inet4(wm0)
# All addresses of the external interface, IPv4 and IPv6.
# NOTE(review): the header says "IPv4 only", but the service rules in
# group "external" match on this set, so any IPv6 address configured on
# wm0 is reachable on the same ports -- confirm that is intended.
$ext_addrs = { inet4(wm0), inet6(wm0) }

$int_if = "wm1"

# a table to house e.g. block candidates in
# Populated from the named file; referenced by the
# "block in final from <block>" rule in group "external".
table <block> type ipset file "/usr/share/examples/npf/hashtablefile"
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
# NOTE(review): despite the name, group "internal" uses <int-block> as a
# pass list ("pass in final from <int-block>"); sources not in the table
# appear to have no pass rule on $int_if at all.
table <int-block> type lpm

# Ports accepted from the Internet on $ext_addrs (group "external"),
# from any source address.  9022/tcp is the port that the second map
# rule below forwards to 198.51.100.2 port 22.
# TODO confirm which service 6000/tcp and 6000/udp are meant to expose
# (6000/tcp is conventionally X11, which is rarely wanted on a border).
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# Internal network.  NOTE(review): the NAT rules below spell this network
# out literally instead of referencing $localnet; keep the two in sync.
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic 198.51.100.0/24 -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# The matching filter rule is the $services_tcp entry for 9022 in group
# "external"; that pass rule carries no source restriction.
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
# Rule procedure: packets matched by a rule that applies it are logged
# on npflog0 (used by the ssh rule in group "external").
procedure "log" {
	log: npflog0
}
# Rules for the Internet-facing interface.  Rules are evaluated in order;
# "final" stops evaluation at the first matching rule.
group "external" on $ext_if {
	# Anything leaving towards the Internet is allowed and state-tracked.
	pass stateful out final all

	# Sources listed in <block> are dropped before any pass rule is
	# consulted.
	block in final from <block>
	# ssh to the gateway's own IPv4 address only, with every matching
	# packet logged through the "log" procedure (npflog0).
	pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
	apply "log"
	# Public services on the IPv4 and IPv6 addresses of wm0, open to any
	# source.  9022/tcp is rewritten to 198.51.100.2 port 22 by the map
	# rule defined above this group.
	pass stateful in final proto tcp to $ext_addrs port $services_tcp
	pass stateful in final proto udp to $ext_addrs port $services_udp

	# Passive FTP
	# NOTE(review): this opens every TCP port from 49151 to 65535 on the
	# gateway's addresses to any source, not only the ports an FTP daemon
	# hands out; narrow it to the passive range the daemon is configured
	# with.
	pass stateful in final proto tcp to $ext_addrs port 49151-65535
	# Traceroute
	# UDP probes in the usual traceroute port range are accepted towards
	# the gateway's own addresses.
	pass stateful in final proto udp to $ext_addrs port 33434-33600
}
# Rules for the LAN-facing interface.
group "internal" on $int_if {
	# Default-deny for traffic arriving from the LAN.  Not "final", so a
	# later matching rule in this group decides instead.
	block in all
	# Only sources present in <int-block> are let in from the LAN; the
	# table is filled at runtime with npfctl (see its definition above).
	# This rule is not stateful; replies rely on the other groups' rules.
	pass in final from <int-block>
	# Everything towards the LAN is allowed.
	pass out final all
}
# Fallback for packets not decided by the interface groups above.
group default {
	# Loopback traffic is unrestricted.
	pass final on lo0 all
	# Anything else, in either direction, is dropped.
	block all
}