#	$NetBSD: npf.boot.conf,v 1.4 2024/05/03 20:48:58 nakayama Exp $
#
# /etc/defaults/npf.boot.conf --
#	initial configuration for npf(7)
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/npf.boot.conf INSTEAD.
#


set bpf.jit off

group default {
# Default deny.
block all

# Don't block loopback.
pass on lo0 all

# Allow outgoing DNS.
pass stateful out to any port domain

# Allow outgoing ping request, might be used by a DHCP client to validate
# old (but valid) leases in case it needs to fall back to such a lease
# (the DHCP server can be down or not responding).
pass stateful out proto icmp icmp-type echo all

# Allow DHCP
pass out family inet4 proto udp from any port bootpc to any port bootps
pass in family inet4 proto udp from any port bootps to any port bootpc
pass out family inet6 proto udp from any port "dhcpv6-client" to any port "dhcpv6-server"
pass in family inet6 proto udp from any port "dhcpv6-server" to any port "dhcpv6-client"

# Allow IPv6 router/neighbor solicitation and advertisement.
pass out  family inet6 proto ipv6-icmp icmp-type rtsol all
pass in family inet6 proto ipv6-icmp icmp-type rtadv all
pass out  family inet6 proto ipv6-icmp icmp-type neighsol all
pass family inet6 proto ipv6-icmp icmp-type neighadv all

# Enable CARP, to avoid spurious failovers.
pass proto carp all

}