# $NetBSD: host-npf.conf,v 1.9 2019/04/15 22:38:48 sevan Exp $
#
# Simple ruleset for a non-routing host (an end system, not a gateway)
# with two interfaces, ethernet and wifi.
#
# DHCP (v4 and v6), SLAAC, ICMPv6, ICMP echo requests, traceroute probes
# and mDNS traffic are permitted inbound on either interface.
#
# SSH to the host is allowed in via the ethernet interface only.
# blacklistd(8) is used to block hosts that repeatedly fail SSH
# authentication (brute-force attempts).
#
# No specific rules for the wifi interface.
#
# All traffic from the host is permitted outbound on either interface.
#

# Interface names (site-specific; check ifconfig(8) on the host).
$wired_if = "wm0"
$wifi_if  = "iwn0"
# Addresses bound to each interface.  The interface names are spelled out
# again here instead of referencing $wired_if/$wifi_if, so all four lines
# must be kept in sync if an interface is renamed.
# NOTE(review): ifaddrs() is presumably resolved dynamically, so these sets
# follow DHCP/SLAAC address changes -- confirm against npf.conf(5).
$wired_addrs = ifaddrs(wm0)
$wifi_addrs  = ifaddrs(iwn0)

# ICMP application-level gateway.
# NOTE(review): in NPF this is understood to associate ICMP error messages
# (destination unreachable, time exceeded, ...) with the connection they
# refer to, so errors for the stateful outbound connections in "group
# default" are admitted without a dedicated inbound pass rule.  The ping
# and traceroute rules further down still need their own entries --
# confirm against npf.conf(5).
alg "icmp"

# Rule procedure used via 'apply "log"': a copy of every packet that
# matches the applying rule is sent to the npflog0 pseudo-interface.
# NOTE(review): something must read npflog0 (npfd(8) or tcpdump on that
# interface) for the log to be seen -- that is not configured in this file.
# When applied to a stateless rule every packet of a session is logged,
# not just the first.
procedure "log" {
	log: npflog0
}

# Ethernet: the only interface on which this host accepts SSH.
# NOTE(review): packets on $wired_if are understood to be matched by this
# group first, with anything it does not decide (including all outbound
# traffic, since both entries below are inbound) falling through to
# "group default" -- confirm against npf.conf(5).
group "wired" on $wired_if {
# Dynamic ruleset that blacklistd(8) fills (through npfctl) with block
# rules for addresses that keep failing SSH authentication; blacklistd's
# own configuration names this ruleset, nothing else is configured here.
# NOTE(review): NPF's last-match-wins evaluation means a plain block added
# here would be overridden by the pass rule below for the same host; the
# inserted rules therefore have to be "final" (blacklistd's npf helper is
# believed to mark them so) -- verify with `npfctl rule blacklistd list`.
ruleset "blacklistd"

# Inbound SSH, only to the addresses configured on this interface, so a
# packet arriving on wired but addressed to the wifi address is dropped.
# The rule is stateless: every packet of the session is re-evaluated here
# (and each one is logged by "log"), and the replies are passed by the
# stateful outbound rule in "group default".  "on $wired_if" is redundant
# inside a group already bound to that interface, but harmless.
pass in on $wired_if proto tcp to $wired_addrs port ssh apply "log"

}

# Wifi: intentionally empty, so every packet on $wifi_if is decided by
# "group default" alone.  Only the services listed there (DHCP, ICMP/ICMPv6,
# traceroute probes, mDNS) are reachable from wifi; in particular SSH is
# not, since the only rule passing TCP inbound lives in the "wired" group.
# Wifi-specific rules can be added here as needed.
group "wifi" on $wifi_if {

}

# Rules for packets not decided by an interface group above.  Since the
# "wifi" group is empty and "wired" only handles inbound SSH, this is in
# effect the policy for everything else on both interfaces.
group default {
# Default deny.  NPF evaluates rules top to bottom and the LAST matching
# rule wins (unless a rule is marked "final"), so the block goes first and
# each pass rule below overrides it for the traffic it names.  Every
# dropped packet is copied to npflog0 via the "log" procedure, which can
# be noisy on a busy LAN.
block all apply "log"

# Loopback is fully open in both directions.
pass on lo0 all

# DHCPv4 replies (server port 67 -> client port 68) and DHCPv6 messages to
# the client port (546).  Both rules are stateless and accept any source,
# which DHCP requires.
# NOTE(review): the IPv6 rule, unlike the IPv4 one, does not constrain the
# source port (dhcpv6-server, 547); tightening it is an option.
pass in family inet4 proto udp from any port bootps to any port bootpc
pass in family inet6 proto udp from any to any port "dhcpv6-client"

# ICMPv6 in both directions, all types.  Neighbour Discovery and SLAAC
# (router/neighbour solicitation and advertisement) cannot work without it.
# NOTE(review): no type filter is applied, so e.g. redirects are accepted
# from any source as well -- consider restricting to NDP, echo and the
# error types if the LAN is not trusted; check the icmp-type syntax for
# ipv6-icmp in npf.conf(5) before changing.
pass family inet6 proto ipv6-icmp all

# IPv4 echo requests (type 8) from anywhere; the echo reply leaves through
# the stateful outbound rule at the end.
pass in family inet4 proto icmp icmp-type echo all

# Inbound UDP probes in the classic traceroute port range, so that the
# host can answer them with ICMP port-unreachable.  Stateless and not
# restricted by source, so nothing should be listening on these ports.
pass in proto udp to any port 33434-33600

# mDNS (UDP 5353) from any source on any interface, including to unicast
# addresses.  NOTE(review): consider limiting the destination to the
# multicast groups (224.0.0.251, ff02::fb) if unicast mDNS queries are
# not wanted.
pass in proto udp to any port mdns

# Everything originating from this host is allowed out; "stateful" creates
# a connection entry so the replies are admitted without an explicit
# inbound rule.
pass stateful out all
}
