f692f6d8b0
between action and name. Use this table as the example for populating by npfctl. Drop the int-block table, it's quite cumbersome to have a firewall which needs the internal network lists added again after a reboot. Use the localnet variable to indicate which network we should pass in traffic from instead.
# $NetBSD: soho_gw-npf.conf,v 1.20 2019/11/18 22:27:27 sevan Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#
# Layout: interface/address variables, the <naughty> block table, service
# port lists, the two NAT maps, the "log" procedure, then the rule groups
# "external" (on $ext_if), "internal" (on $int_if) and "default".
#

# Internet-facing interface.
$ext_if = "wm0"
# IPv4 address of wm0: the NAT translation address and the SSH destination below.
$ext_v4 = inet4(wm0)
# All addresses of wm0 (see npf.conf(5)): the destination for hosted services below.
$ext_addrs = ifaddrs(wm0)

# LAN-facing interface.
$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
# No entries are listed in this file; the table is populated at runtime
# (by hand with npfctl, or by the "blacklistd" ruleset in group "external").
table <naughty> type ipset

# Ports of services hosted on this box, reachable on any external address.
# 9022/tcp is the forwarded SSH port (see the second map rule below).
# NOTE(review): 6000 (tcp and udp) is not a named service here; confirm which
# daemon it is meant for before exposing it from the Internet side.
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
# LAN prefix. 198.51.100.0/24 is an RFC 5737 documentation range; replace it
# with the real LAN prefix. Only these sources are NATed out and passed in on $int_if.
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
# Only $localnet sources are translated; anything else leaving $ext_if keeps its address.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# Inbound redirect (port forward). Presumably why 9022 is also listed in
# $services_tcp, so that group "external" passes the redirected connection.
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

# Rule procedure attached with "apply" below.
procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}

group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table
	# NOTE(review): per the "last matching rule wins" comment in group default,
	# the later pass rules in this group also match sources in <naughty> and
	# would override this block; confirm whether the rule is meant to be "final".
	block in from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	# Destination is $ext_v4 only (not $ext_addrs), unlike the service rules below.
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted
	# UDP traceroute probes use destination ports starting at 33434.
	pass stateful in proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	# Allow inbound traffic from LAN
	# Not stateful: only the source prefix is checked.
	pass in from $localnet

	# Allow all outbound traffic to LAN
	pass out all
}

# Handles interfaces without a group of their own (e.g. lo0 below) and,
# presumably, packets the groups above did not decide on — see npf.conf(5).
group default {
	# Default deny, otherwise last matching rule wins
	# Every packet reaching this rule is logged via the "log" procedure.
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	# NOTE(review): only echo is passed; confirm that other ICMP types the host
	# relies on (e.g. destination-unreachable for path MTU discovery) are
	# covered by state from the stateful rules, or add them here.
	pass in family inet4 proto icmp icmp-type echo all
}