xref: /src/share/examples/npf/host-npf.conf

# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
#
# Simple ruleset for a host with (i.e., not routing) two interfaces,
# ethernet and wifi.
#
# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute, mDNS traffic
# are permitted, inbound, on either interface.
#
# SSH to the host is allowed in via the ethernet interface.
# blacklistd(8) is used to prevent SSH bruteforce attempts.
#
# No specific rules for the wifi interface.
#
# All traffic from the host is permitted, outbound, on either interface.
#

$wired_if = "wm0"
$wifi_if  = "iwn0"
$wired_addrs= ifaddrs(wm0)
$wifi_addrs = ifaddrs(iwn0)

alg "icmp"

procedure "log" {
	log: npflog0
}

group "wired" on $wired_if {
# Placeholder for blacklistd (configuration separate) to add blocked hosts
ruleset "blacklistd"

# Allow SSH on wired interface
pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"

}

group "wifi" on $wifi_if {

}

group default {
# Default deny, otherwise last matching rule wins
block all apply "log"

# Don't block loopback
pass on lo0 all

# Allow incoming DHCP server responses
pass in family inet4 proto udp from any port bootps to any port bootpc
pass in family inet6 proto udp from any to any port "dhcpv6-client"

# Allow IPv6 ICMP
pass family inet6 proto ipv6-icmp all

# Allow incoming IPv4 pings
pass in family inet4 proto icmp icmp-type echo all

# Allow being tracerouted
pass in proto udp to any port 33434-33600

# Allow incoming mDNS traffic from neighbours
pass in proto udp to any port mdns

# Allow all outbound traffic
pass stateful out all
}