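# $NetBSD: soho_gw-npf.conf,v 1.21 2023/07/31 16:09:01 tsutsui Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4($ext_if)
$ext_addrs = ifaddrs($ext_if)
$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
# The table is referenced below as <naughty>; its contents are managed
# at runtime with npfctl(8) and are not listed in this file.
table <naughty> type ipset

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
# (9022 is also listed in $services_tcp so the "external" group
# passes the translated connection in)
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}

group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table.
	# "final" stops rule evaluation here: without it a later matching
	# "pass" rule in this group would win (last matching rule wins,
	# see the default group below).
	block in final from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
	    apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted
	pass stateful in proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	# Allow inbound traffic from LAN
	pass in from $localnet

	# All outbound traffic to LAN
	pass out all
}

group default {
	# Default deny, otherwise last matching rule wins
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}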