# $NetBSD: host-npf.conf,v 1.12 2023/07/31 16:09:01 tsutsui Exp $
#
# Simple ruleset for a host with (i.e., not routing) two interfaces,
# ethernet and wifi.
#
# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
# are permitted, inbound, on either interface.
#
# SSH to the host is allowed in via the ethernet interface.
# blacklistd(8) is used to prevent SSH bruteforce attempts.
#
# No specific rules for the wifi interface.
#
# All traffic from the host is permitted, outbound, on either interface.
#
# Reading order matters: within a group the last matching rule wins, so each
# group below starts with its most general rule and narrows down from there.
# The interface names are site-specific; adjust $wired_if / $wifi_if before use.
#

# Interface names; everything else is derived from these two.
$wired_if = "wm0"
$wifi_if = "iwn0"
# Addresses currently assigned to each interface, resolved by NPF.
$wired_addrs= ifaddrs($wired_if)
# NOTE(review): $wifi_addrs is defined but not referenced by any rule below.
$wifi_addrs = ifaddrs($wifi_if)

# ICMP application-level gateway; presumably so ICMP error messages (the kind
# traceroute relies on) can be associated with existing state — see npf.conf(5).
alg "icmp"

procedure "log" {
	# Send log events to npflog0, see npfd(8)
	log: npflog0
}

group "wired" on $wired_if {
	# Placeholder for blacklistd (configuration separate) to add blocked hosts
	# NOTE(review): this ruleset sits before the SSH pass rule, and the last
	# matching rule wins, so the block rules blacklistd(8) inserts here only
	# take effect if they terminate evaluation (e.g. are marked final) —
	# confirm against the blacklistd(8) npf configuration.
	ruleset "blacklistd"

	# Allow SSH on wired interface and log all connection attempts
	# Stateful: the reply traffic of an accepted SSH connection is passed by
	# state. Only traffic addressed to this host's own wired addresses is
	# matched; the "log" procedure records every matching packet on npflog0.
	pass stateful in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
}

group "wifi" on $wifi_if {
	# Intentionally empty: no SSH (or anything else) is opened specifically on
	# wifi; presumably wifi traffic is handled by the default group alone.
}

group default {
	# Default deny, otherwise last matching rule wins
	# Every blocked packet is logged via the "log" procedure.
	block all apply "log"

	# Don't block loopback
	pass on lo0 all

	# Allow incoming DHCP server responses
	# NOTE(review): both rules are stateless and match on ports only (v4: any
	# source with port bootps to port bootpc), so they admit such packets from
	# any address that can reach this host; narrow "from any" to the known
	# DHCP server if the network has a fixed one.
	pass in family inet4 proto udp from any port bootps to any port bootpc
	pass in family inet6 proto udp from any to any port "dhcpv6-client"

	# Allow IPv6 ICMP
	# All ICMPv6 types, both directions — this is what carries NDP/SLAAC
	# (mentioned in the header). Could be narrowed by ICMPv6 type if wanted.
	pass family inet6 proto ipv6-icmp all

	# Allow incoming IPv4 pings
	# Only echo requests; other ICMPv4 types fall under "block all" unless
	# associated with existing state.
	pass in family inet4 proto icmp icmp-type echo all

	# Allow being tracerouted
	# Stateless; presumably nothing listens on these UDP ports, so the host
	# answers with ICMP port-unreachable, which is what traceroute needs.
	pass in proto udp to any port 33434-33600

	# Allow incoming mDNS traffic from neighbours
	# NOTE(review): "from any" accepts mDNS from any source address, not just
	# on-link neighbours; restricting to the mDNS multicast destination or
	# link-local sources would match the comment more closely.
	pass in proto udp to any port mdns

	# Allow all outbound traffic
	# Stateful, so replies to connections this host initiates are passed back
	# in on either interface without a separate inbound rule.
	pass stateful out all
}