# $NetBSD: soho_gw-npf.conf,v 1.2.4.2 2012/10/01 20:15:34 riz Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#
$ext_if = "wm0"
$int_if = "wm1"

# a table to house e.g. block candidates in
table <1> type hash file "/usr/share/examples/npf/hashtablefile"
# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
table <2> type tree dynamic

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic 198.51.100.0/24 -> $ext_if

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022

procedure "log" {
	log: npflog0
}

procedure "rid" {
	normalise: "random-id"
}

group (name "external", interface $ext_if) {
	pass stateful out final from $ext_if apply "rid"

	block in final from <1>
	pass stateful in final family inet proto tcp to $ext_if port ssh \
		apply "log"
	pass stateful in final proto tcp to $ext_if port $services_tcp
	pass stateful in final proto udp to $ext_if port $services_udp

	# Passive FTP
	pass stateful in final proto tcp to $ext_if port 49151-65535
	# Traceroute
	pass stateful in final proto udp to $ext_if port 33434-33600
}

group (name "internal", interface $int_if) {
	block in all
	pass in final from <2>
	pass out final all
}

group (default) {
	pass final on lo0 all
	block all
}