xref: /src/usr.sbin/npf/npftest/npftest.conf

# $NetBSD: npftest.conf,v 1.5.26.1 2019/06/10 22:10:35 christos Exp $

$ext_if = "npftest0"
$int_if = "npftest1"

#
# RFC 5737
#

$pub_ip1 = 192.0.2.1
$pub_ip2 = 192.0.2.2
$pub_ip3 = 192.0.2.3

$local_ip1 = 10.1.1.1
$local_ip2 = 10.1.1.2
$local_ip3 = 10.1.1.3
$local_ip4 = 10.1.1.4

$local_net = { 10.1.1.0/24 }
$ports = { 8000, 9000 }

map $ext_if static $local_ip3 <-> $pub_ip3
map $ext_if dynamic $local_ip2 <-> $pub_ip2
map $ext_if dynamic $local_net -> $pub_ip1
map $ext_if dynamic $local_ip1 port 6000 <- $pub_ip1 port 8000

$net6_inner = fd01:203:405::/48
$net6_outer = 2001:db8:1::/48

$net_a = 10.100.0.0/16
$net_b = 10.255.0.0/16

map $ext_if static algo npt66 $net6_inner <-> $net6_outer
map $ext_if static algo netmap $net_a <-> $net_b

group "ext" on $ext_if {
	pass out final from $local_ip3
	pass in final to $pub_ip3

	pass out final from $net6_inner
	pass in final to $net6_outer

	pass out final from $net_a
	pass in final to $net_b

	pass stateful out final proto tcp flags S/SA all
	pass stateful out final from $local_net
	pass stateful in final to any port $ports
	pass stateful in final proto icmp all
	block all
}

group "int" on $int_if {
	ruleset "test-rules"
	pass stateful out final to $local_ip2
	pass out final to $local_ip3
	block final to $local_ip4
}

group default {
	block all
}