# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
map $ext_if dynamic $localnet -> $ext_v4
# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
procedure "log" {
# Send log events to npflog0, see npfd(8)
log: npflog0
}
group "external" on $ext_if {
# Allow all outbound traffic
pass stateful out all
# Block inbound traffic from those on the naughty table
block in from <naughty>
# Placeholder for blacklistd (configuration separate) to add blocked hosts
ruleset "blacklistd"
# Allow inbound SSH and log all connection attempts
pass stateful in family inet4 proto tcp to $ext_v4 port ssh \
apply "log"
# Allow inbound traffic for services hosted on TCP
pass stateful in proto tcp to $ext_addrs port $services_tcp
# Allow inbound traffic for services hosted on UDP
pass stateful in proto udp to $ext_addrs port $services_udp
# Allow being tracerouted
pass stateful in proto udp to $ext_addrs port 33434-33600
}
group "internal" on $int_if {
# Allow inbound traffic from LAN
pass in from $localnet
# All outbound traffic to LAN
pass out all
}
group default {
# Default deny, otherwise last matching rule wins
block all apply "log"
# Don't block loopback
pass on lo0 all
# Allow incoming IPv4 pings
pass in family inet4 proto icmp icmp-type echo all
}
