xref: /src/share/examples/npf/host-npf.conf

# $NetBSD: host-npf.conf,v 1.12 2023/07/31 16:09:01 tsutsui Exp $
#
# Simple ruleset for a host with (i.e., not routing) two interfaces,
# ethernet and wifi.
#
# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
# are permitted, inbound, on either interface.
#
# SSH to the host is allowed in via the ethernet interface.
# blacklistd(8) is used to prevent SSH bruteforce attempts.
#
# No specific rules for the wifi interface.
#
# All traffic from the host is permitted, outbound, on either interface.
#

$wired_if = "wm0"
$wifi_if  = "iwn0"
$wired_addrs= ifaddrs($wired_if)
$wifi_addrs = ifaddrs($wifi_if)

alg "icmp"

procedure "log" {
    # Send log events to npflog0, see npfd(8)
    log: npflog0
}

group "wired" on $wired_if {
    # Placeholder for blacklistd (configuration separate) to add blocked hosts
    ruleset "blacklistd"

    # Allow SSH on wired interface and log all connection attempts
    pass stateful in on $wired_if proto tcp to $wired_addrs port ssh apply "log"
}

group "wifi" on $wifi_if {

}

group default {
    # Default deny, otherwise last matching rule wins
    block all apply "log"

    # Don't block loopback
    pass on lo0 all

    # Allow incoming DHCP server responses
    pass in family inet4 proto udp from any port bootps to any port bootpc
    pass in family inet6 proto udp from any to any port "dhcpv6-client"

    # Allow IPv6 ICMP
    pass family inet6 proto ipv6-icmp all

    # Allow incoming IPv4 pings
    pass in family inet4 proto icmp icmp-type echo all

    # Allow being tracerouted
    pass in proto udp to any port 33434-33600

    # Allow incoming mDNS traffic from neighbours
    pass in proto udp to any port mdns

    # Allow all outbound traffic
    pass stateful out all
}