#	$NetBSD: npf.boot.conf,v 1.4 2024/05/03 20:48:58 nakayama Exp $
#
# /etc/defaults/npf.boot.conf --
#	initial configuration for npf(7)
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/npf.boot.conf INSTEAD.
#
# Reading guide: the ruleset is default-deny with a short allow-list for
# name resolution, address configuration (DHCP, DHCPv6, IPv6 neighbor
# discovery) and CARP. No rule names an interface except the lo0 rule, so
# every other rule applies on all interfaces.


# Turn off BPF JIT compilation for rule matching.
# NOTE(review): presumably because JIT support may not be available this
# early in boot -- confirm against npf.conf(5) and the boot scripts.
set bpf.jit off

group default {
	# Default deny.
	# No rule in this group uses "final", so the last matching rule
	# decides: this rule is the fallback and each pass rule below
	# overrides it. Rule order is therefore significant; a block rule
	# appended after the pass rules would override them in turn.
	block all

	# Don't block loopback.
	# Both directions, all protocols, on lo0 only.
	pass on lo0 all

	# Allow outgoing DNS.
	# "stateful" lets the replies back in through state tracking, so no
	# inbound rule is needed. No proto is given, so the match is not
	# restricted to UDP (npfctl is expected to apply a bare port match
	# to both TCP and UDP -- confirm). Any destination address is allowed.
	pass stateful out to any port domain

	# Allow outgoing ping request, might be used by a DHCP client to validate
	# old (but valid) leases in case it needs to fall back to such a lease
	# (the DHCP server can be down or not responding).
	# IPv4 ICMP echo only; the echo reply returns via the state entry.
	# Unsolicited inbound echo requests still hit the default deny.
	pass stateful out proto icmp icmp-type echo all

	# Allow DHCP
	# These four rules are stateless and match on UDP port numbers only.
	# The inbound rules therefore accept any datagram whose source port
	# is the server port and whose destination port is the client port,
	# from any address on any interface; the source port is chosen by
	# the sender, so it does not identify a legitimate server. Where the
	# DHCP-facing interface is known, narrow these rules with
	# "on <interface>" in /etc/npf.boot.conf.
	pass out family inet4 proto udp from any port bootpc to any port bootps
	pass in family inet4 proto udp from any port bootps to any port bootpc
	pass out family inet6 proto udp from any port "dhcpv6-client" to any port "dhcpv6-server"
	pass in family inet6 proto udp from any port "dhcpv6-server" to any port "dhcpv6-client"

	# Allow IPv6 router/neighbor solicitation and advertisement.
	# Directions as written: router solicitation out, router
	# advertisement in, neighbor solicitation out, neighbor
	# advertisement in both directions (that rule has no in/out keyword).
	# Inbound neighbor solicitations are not passed by any rule here and
	# fall to the default deny.
	# Router advertisements are accepted from any source; this filter
	# does not tell a legitimate router from another on-link host, so
	# rogue-RA protection has to come from elsewhere (e.g. RA guard on
	# the switch).
	pass out family inet6 proto ipv6-icmp icmp-type rtsol all
	pass in family inet6 proto ipv6-icmp icmp-type rtadv all
	pass out family inet6 proto ipv6-icmp icmp-type neighsol all
	pass family inet6 proto ipv6-icmp icmp-type neighadv all

	# Enable CARP, to avoid spurious failovers.
	# No direction, interface or address restriction: CARP packets are
	# passed in and out on every interface, whether or not CARP is
	# configured on this host.
	pass proto carp all

}