# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $ # # SOHO border # # This is a natting border gateway/webserver/mailserver/nameserver # IPv4 only # $ext_if = "wm0" $ext_v4 = inet4(wm0) $ext_addrs = { inet4(wm0), inet6(wm0) } $int_if = "wm1" # a table to house e.g. block candidates in table type hash file "/usr/share/examples/npf/hashtablefile" # feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29 table type tree dynamic $services_tcp = { http, https, smtp, domain, 6000, 9022 } $services_udp = { domain, ntp, 6000 } $localnet = { 198.51.100.0/24 } # NAT outgoing to the address of the external interface # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 198.51.100.0/24 -> $ext_v4 # NAT traffic arriving on port 9022 of the external interface address # to host 198.51.100.2 port 22 map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022 procedure "log" { log: npflog0 } group "external" on $ext_if { pass stateful out final all block in final from pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \ apply "log" pass stateful in final proto tcp to $ext_addrs port $services_tcp pass stateful in final proto udp to $ext_addrs port $services_udp # Passive FTP pass stateful in final proto tcp to $ext_addrs port 49151-65535 # Traceroute pass stateful in final proto udp to $ext_addrs port 33434-33600 } group "internal" on $int_if { block in all pass in final from pass out final all } group default { pass final on lo0 all block all }