# $NetBSD: npf.boot.conf,v 1.4 2024/05/03 20:48:58 nakayama Exp $
#
# /etc/defaults/npf.boot.conf --
# initial configuration for npf(7)
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/npf.boot.conf INSTEAD.
#
set bpf.jit off
group default {
# Default deny.
block all
# Don't block loopback.
pass on lo0 all
# Allow outgoing DNS.
pass stateful out to any port domain
# Allow outgoing ping requests. A DHCP client may use them to validate an
# old (but still valid) lease when it has to fall back to that lease
# (e.g. because the DHCP server is down or not responding).
pass stateful out proto icmp icmp-type echo all
# Allow DHCP (IPv4) and DHCPv6 (IPv6) client traffic.
pass out family inet4 proto udp from any port bootpc to any port bootps
pass in family inet4 proto udp from any port bootps to any port bootpc
pass out family inet6 proto udp from any port "dhcpv6-client" to any port "dhcpv6-server"
pass in family inet6 proto udp from any port "dhcpv6-server" to any port "dhcpv6-client"
# Allow IPv6 router/neighbor solicitation and advertisement.
pass out family inet6 proto ipv6-icmp icmp-type rtsol all
pass in family inet6 proto ipv6-icmp icmp-type rtadv all
pass out family inet6 proto ipv6-icmp icmp-type neighsol all
pass family inet6 proto ipv6-icmp icmp-type neighadv all
# Pass CARP traffic in both directions, to avoid spurious failovers.
pass proto carp all
}