1#	$NetBSD: npf.boot.conf,v 1.4 2024/05/03 20:48:58 nakayama Exp $
2#
3# /etc/defaults/npf.boot.conf --
4#	initial configuration for npf(7)
5#
6# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
7# EDIT /etc/npf.boot.conf INSTEAD.
8#
9
10
# Keep NPF's compiled filter byte-code on the BPF interpreter instead of the
# JIT.  The reason is not recorded here -- presumably to avoid depending on the
# JIT code this early in boot; confirm before changing it.
set bpf.jit off
12
# Boot-time ruleset: everything is denied unless one of the narrow "pass"
# rules below matches.  NPF evaluates a group in order and the last matching
# rule wins, so the order here is significant -- "block all" must stay first
# and the passes for traffic a host needs before it has an address, a router
# and a resolver follow it.
group default {
# Default deny.  Every packet not matched by a later rule is dropped silently
# (no "return"), in both directions and for every family and protocol.
block all

# Don't block loopback.  Local traffic over lo0 is never filtered here.
pass on lo0 all

# Allow outgoing DNS.  No protocol is named, so TCP and UDP alike to port 53
# ("domain").  Stateful: the replies are admitted by the state entry, no
# inbound rule is needed.
pass stateful out to any port domain

# Allow outgoing ping request, might be used by a DHCP client to validate
# old (but valid) leases in case it needs to fall back to such a lease
# (the DHCP server can be down or not responding).
# Stateful, so the matching echo replies come back without a separate pass in.
pass stateful out proto icmp icmp-type echo all

# Allow DHCP (IPv4 bootps/bootpc = 67/68, DHCPv6 server/client = 547/546).
# These rules are deliberately stateless: the first exchange is sent from an
# unconfigured address and the server's answer may be broadcast, so it would
# not match a state created by the outgoing request.  The consequence is that
# UDP port 68 (and 546) is reachable from any host that sets the matching
# source port; the DHCP client itself has to be robust against bogus offers.
pass out family inet4 proto udp from any port bootpc to any port bootps
pass in family inet4 proto udp from any port bootps to any port bootpc
pass out family inet6 proto udp from any port "dhcpv6-client" to any port "dhcpv6-server"
pass in family inet6 proto udp from any port "dhcpv6-server" to any port "dhcpv6-client"

# Allow IPv6 router/neighbor solicitation and advertisement.
# Solicitations (RS, NS) are passed only outbound, router advertisements only
# inbound, and neighbor advertisements in both directions.
# NOTE(review): inbound neighbor solicitation is NOT passed, so while this
# ruleset is active other nodes (including the DHCPv6 server answering above)
# cannot resolve this host's link-layer address via NDP, and the host cannot
# answer another node's DAD probe for its address -- confirm this is intended
# for the boot phase.
pass out  family inet6 proto ipv6-icmp icmp-type rtsol all
pass in family inet6 proto ipv6-icmp icmp-type rtadv all
pass out  family inet6 proto ipv6-icmp icmp-type neighsol all
pass family inet6 proto ipv6-icmp icmp-type neighadv all

# Enable CARP, to avoid spurious failovers.
# Stateless, both directions, any source -- at boot there is no interface or
# address to narrow this on; tighten it in /etc/npf.boot.conf if the host has
# a known CARP peer set.
pass proto carp all

}
44