Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

# $NetBSD: soho_gw-npf.conf,v 1.12.2.1 2019/11/19 10:56:35 martin Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = ifaddrs(wm0)

$int_if = "wm1"

# a "naughty" step^W table to house blocked candidates in
# feed this using e.g.: npfctl table "naughty" add 203.0.113.99
table <naughty> type ipset

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 198.51.100.0/24 }

# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4

# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022

procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}

group "external" on $ext_if {
	# Allow all outbound traffic
	pass stateful out all

	# Block inbound traffic from those on the naughty table 
	block in from <naughty>

	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	ruleset "blacklistd"

	# Allow inbound SSH and log all connection attempts
	pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
		apply "log"

	# Allow inbound traffic for services hosted on TCP
	pass stateful in proto tcp to $ext_addrs port $services_tcp

	# Allow inbound traffic for services hosted on UDP
	pass stateful in proto udp to $ext_addrs port $services_udp

	# Allow being tracerouted
	pass stateful in proto udp to $ext_addrs port 33434-33600
}

group "internal" on $int_if {
	# Allow inbound traffic from LAN
	pass in from $localnet

	# All outbound traffic to LAN
	pass out all
}

group default {
	# Default deny, otherwise last matching rule wins
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming IPv4 pings
	pass in family inet4 proto icmp icmp-type echo all
}