the example from the man page, with a few extra comments

2012-08-21 06:54:39 +00:00 · 2012-08-21 06:54:39 +00:00 · 52a0bf69ae
commit 52a0bf69ae
parent 184de6c4c4
1 changed files with 60 additions and 0 deletions
--- a/share/examples/npf/soho_gw-npf.conf
+++ b/share/examples/npf/soho_gw-npf.conf
@ -0,0 +1,60 @@
+# $NetBSD: soho_gw-npf.conf,v 1.1 2012/08/21 06:54:39 spz Exp $
+#
+# SOHO border
+#
+# This is a natting border gateway/webserver/mailserver/nameserver
+#
+$ext_if = "wm0"
+$int_if = "wm1"
+
+table <1> type hash file "/etc/npf_blacklist"
+# for NAT
+table <2> type tree dynamic
+
+$services_tcp = { http, https, smtp, domain, 6000, 9022 }
+$services_udp = { domain, ntp, 6000 }
+$localnet = { 198.51.100.0/24 }
+
+# NAT outgoing to the address of the external interface
+# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
+map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+
+# NAT traffic arriving on port 9022 of the external interface address
+# to host 198.51.100.2 port 22
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+
+procedure "log" {
+	log: npflog0
+}
+
+procedure "rid" {
+	normalise: "random-id"
+}
+
+group (name "external", interface $ext_if) {
+	pass stateful out final from $ext_if apply "rid"
+
+	block in final from <1>
+	pass stateful in final family inet proto tcp to $ext_if port ssh \
+		apply "log"
+	pass stateful in final proto tcp to $ext_if port $services_tcp
+	pass stateful in final proto udp to $ext_if port $services_udp
+
+	# Passive FTP
+	pass stateful in final proto tcp to $ext_if port 49151-65535
+	# Traceroute
+	pass stateful in final proto udp to $ext_if port 33434-33600
+}
+
+group (name "internal", interface $int_if) {
+	block in all
+	pass in final from <2>
+	pass out final all
+}
+
+group (default) {
+	pass final on lo0 all
+	block all
+}
+