62 lines
1.6 KiB
Plaintext
62 lines
1.6 KiB
Plaintext
# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
|
|
#
|
|
# SOHO border
|
|
#
|
|
# This is a natting border gateway/webserver/mailserver/nameserver
|
|
# IPv4 only
|
|
#
|
|
|
|
$ext_if = "wm0"
|
|
$ext_v4 = inet4(wm0)
|
|
$ext_addrs = { inet4(wm0), inet6(wm0) }
|
|
|
|
$int_if = "wm1"
|
|
|
|
# a table to house e.g. block candidates in
|
|
table <block> type hash file "/usr/share/examples/npf/hashtablefile"
|
|
# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
|
|
table <int-block> type tree dynamic
|
|
|
|
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
|
|
$services_udp = { domain, ntp, 6000 }
|
|
$localnet = { 198.51.100.0/24 }
|
|
|
|
# NAT outgoing to the address of the external interface
|
|
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
|
|
# then the translation address has to be specified explicitly.
|
|
map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
|
|
|
|
# NAT traffic arriving on port 9022 of the external interface address
|
|
# to host 198.51.100.2 port 22
|
|
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
|
|
|
|
procedure "log" {
|
|
log: npflog0
|
|
}
|
|
|
|
group "external" on $ext_if {
|
|
pass stateful out final all
|
|
|
|
block in final from <block>
|
|
pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
|
|
apply "log"
|
|
pass stateful in final proto tcp to $ext_addrs port $services_tcp
|
|
pass stateful in final proto udp to $ext_addrs port $services_udp
|
|
|
|
# Passive FTP
|
|
pass stateful in final proto tcp to $ext_addrs port 49151-65535
|
|
# Traceroute
|
|
pass stateful in final proto udp to $ext_addrs port 33434-33600
|
|
}
|
|
|
|
group "internal" on $int_if {
|
|
block in all
|
|
pass in final from <int-block>
|
|
pass out final all
|
|
}
|
|
|
|
group default {
|
|
pass final on lo0 all
|
|
block all
|
|
}
|