

[src/trunk]: src/share/examples/npf the example from the man page, with a few...



details:   https://anonhg.NetBSD.org/src/rev/db780dcfe1a5
branches:  trunk
changeset: 781129:db780dcfe1a5
user:      spz <spz%NetBSD.org@localhost>
date:      Tue Aug 21 06:54:39 2012 +0000

description:
the example from the man page, with a few extra comments

diffstat:

 share/examples/npf/soho_gw-npf.conf |  60 +++++++++++++++++++++++++++++++++++++
 1 files changed, 60 insertions(+), 0 deletions(-)

diffs (64 lines):

diff -r 81e3521acbfc -r db780dcfe1a5 share/examples/npf/soho_gw-npf.conf
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/share/examples/npf/soho_gw-npf.conf       Tue Aug 21 06:54:39 2012 +0000
@@ -0,0 +1,60 @@
+# $NetBSD: soho_gw-npf.conf,v 1.1 2012/08/21 06:54:39 spz Exp $
+#
+# SOHO border
+#
+# This is a natting border gateway/webserver/mailserver/nameserver
+#
+$ext_if = "wm0"
+$int_if = "wm1"
+
+table <1> type hash file "/etc/npf_blacklist"
+# for NAT
+table <2> type tree dynamic
+
+$services_tcp = { http, https, smtp, domain, 6000, 9022 }
+$services_udp = { domain, ntp, 6000 }
+$localnet = { 198.51.100.0/24 }
+
+# NAT outgoing to the address of the external interface
+# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
+map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+
+# NAT traffic arriving on port 9022 of the external interface address
+# to host 198.51.100.2 port 22
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+
+procedure "log" {
+       log: npflog0
+}
+
+procedure "rid" {
+       normalise: "random-id"
+}
+
+group (name "external", interface $ext_if) {
+       pass stateful out final from $ext_if apply "rid"
+
+       block in final from <1>
+       pass stateful in final family inet proto tcp to $ext_if port ssh \
+               apply "log"
+       pass stateful in final proto tcp to $ext_if port $services_tcp
+       pass stateful in final proto udp to $ext_if port $services_udp
+
+       # Passive FTP
+       pass stateful in final proto tcp to $ext_if port 49151-65535
+       # Traceroute
+       pass stateful in final proto udp to $ext_if port 33434-33600
+}
+
+group (name "internal", interface $int_if) {
+       block in all
+       pass in final from <2>
+       pass out final all
+}
+
+group (default) {
+       pass final on lo0 all
+       block all
+}
+
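Review bot: The "Passive FTP" rule (`pass stateful in final proto tcp to $ext_if port 49151-65535`) admits inbound TCP to every high port on the external address, not just an FTP data channel, so any service that happens to listen in that range on the gateway becomes reachable from outside. Since $services_tcp does not include ftp (21) either, the intent is unclear from the file alone; if an FTP server is run on the gateway, the range should be narrowed to the passive-port range configured in that daemon, and if none is, the rule can be dropped. A comment such as `# Passive FTP data channel: keep this in sync with the ftpd passive port range; a wide range exposes every high-port listener` would make the trade-off visible to anyone copying the example. The same reasoning applies, more mildly, to the traceroute UDP range on the following line.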


