head 1.3; access; symbols netbsd-10-0-RELEASE:1.3 netbsd-10-0-RC6:1.3 netbsd-10-0-RC5:1.3 netbsd-10-0-RC4:1.3 netbsd-10-0-RC3:1.3 netbsd-10-0-RC2:1.3 netbsd-10-0-RC1:1.3 netbsd-10:1.3.0.6 netbsd-10-base:1.3 netbsd-9-3-RELEASE:1.2 cjep_sun2x-base1:1.3 cjep_sun2x:1.3.0.4 cjep_sun2x-base:1.3 cjep_staticlib_x-base1:1.3 netbsd-9-2-RELEASE:1.2 cjep_staticlib_x:1.3.0.2 cjep_staticlib_x-base:1.3 netbsd-9-1-RELEASE:1.2 phil-wifi-20200421:1.2 phil-wifi-20200411:1.2 is-mlppp:1.2.0.6 is-mlppp-base:1.2 phil-wifi-20200406:1.2 netbsd-9-0-RELEASE:1.2 netbsd-9-0-RC2:1.2 netbsd-9-0-RC1:1.2 phil-wifi-20191119:1.2 netbsd-9:1.2.0.4 netbsd-9-base:1.2 phil-wifi:1.2.0.2 phil-wifi-20190609:1.2; locks; strict; comment @# @; 1.3 date 2020.08.09.23.43.58; author gutteridge; state Exp; branches; next 1.2; commitid 9lyxgdFpGMXcLrjC; 1.2 date 2019.04.07.02.08.08; author sevan; state Exp; branches 1.2.2.1; next 1.1; commitid AkgYLxHGK1oTjmiB; 1.1 date 2019.04.02.01.50.32; author sevan; state Exp; branches; next ; commitid pY2XzoTzWMMunIhB; 1.2.2.1 date 2019.04.07.02.08.08; author christos; state dead; branches; next 1.2.2.2; commitid jtc8rnCzWiEEHGqB; 1.2.2.2 date 2019.06.10.21.42.40; author christos; state Exp; branches; next ; commitid jtc8rnCzWiEEHGqB; desc @@ 1.3 log @Fix minor typo, it's npf(7), not npf(4) @ text @# $NetBSD: npf.boot.conf,v 1.2 2019/04/07 02:08:08 sevan Exp $ # # /etc/defaults/npf.boot.conf -- # initial configuration for npf(7) # # DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE. # EDIT /etc/npf.boot.conf INSTEAD. # set bpf.jit off group default { # Default deny. block all # Don't block loopback. pass on lo0 all # Allow outgoing DNS. pass stateful out to any port domain # Allow outgoing ping request, might be used by a DHCP client to validate # old (but valid) leases in case it needs to fall back to such a lease # (the DHCP server can be down or not responding). 
pass stateful out proto icmp icmp-type echo all # Allow DHCP pass out family inet4 proto udp from any port bootpc to any port bootps pass in family inet4 proto udp from any port bootps to any port bootpc # Allow IPv6 router/neighbor solicitation and advertisement. pass out family inet6 proto ipv6-icmp icmp-type rtsol all pass in family inet6 proto ipv6-icmp icmp-type rtadv all pass out family inet6 proto ipv6-icmp icmp-type neighsol all pass family inet6 proto ipv6-icmp icmp-type neighadv all # Enable CARP, to avoid spurious failovers. pass proto carp all } @ 1.2 log @Allow DHCP Neighbour Advertisement should be allowed both ways, otherwise ipv6nd_sendadvertisement() from dhcpcd logs "Network is unreachable" @ text @d1 1 a1 1 # $NetBSD: npf.boot.conf,v 1.1 2019/04/02 01:50:32 sevan Exp $ d4 1 a4 1 # initial configuration for npf(4) @ 1.2.2.1 log @file npf.boot.conf was added on branch phil-wifi on 2019-06-10 21:42:40 +0000 @ text @d1 41 @ 1.2.2.2 log @Sync with HEAD @ text @a0 41 # $NetBSD: npf.boot.conf,v 1.2 2019/04/07 02:08:08 sevan Exp $ # # /etc/defaults/npf.boot.conf -- # initial configuration for npf(4) # # DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE. # EDIT /etc/npf.boot.conf INSTEAD. # set bpf.jit off group default { # Default deny. block all # Don't block loopback. pass on lo0 all # Allow outgoing DNS. pass stateful out to any port domain # Allow outgoing ping request, might be used by a DHCP client to validate # old (but valid) leases in case it needs to fall back to such a lease # (the DHCP server can be down or not responding). pass stateful out proto icmp icmp-type echo all # Allow DHCP pass out family inet4 proto udp from any port bootpc to any port bootps pass in family inet4 proto udp from any port bootps to any port bootpc # Allow IPv6 router/neighbor solicitation and advertisement. 
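Review bot: In the 1.3 text, `pass proto carp all` at the end of `group default` names neither a direction nor an interface, so while this boot ruleset is loaded it passes CARP from any source on every interface. If the interface is known this early the rule could be narrowed with `on <carp-parent-ifname>` (placeholder). Otherwise the comment should record the trade-off, e.g. `# Unscoped on purpose: interfaces are not known yet at boot; CARP's own authentication is the only check here.` Two other lines would benefit from a comment: `set bpf.jit off` gives no reason, and `block all` could read `# Default deny; NPF applies the last matching rule, so the pass rules below override this.`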
pass out family inet6 proto ipv6-icmp icmp-type rtsol all pass in family inet6 proto ipv6-icmp icmp-type rtadv all pass out family inet6 proto ipv6-icmp icmp-type neighsol all pass family inet6 proto ipv6-icmp icmp-type neighadv all # Enable CARP, to avoid spurious failovers. pass proto carp all } @ 1.1 log @Add an initial ruleset and rc script for NPF to protect host during early stage of boot, similar to what is currently available for PF. @ text @d1 1 a1 1 # $NetBSD$ d28 4 d36 1 a36 1 pass in family inet6 proto ipv6-icmp icmp-type neighadv all @
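Review bot: The inbound DHCP rule that revision 1.2 added (removed again by the `d28 4` in this reverse delta), `pass in family inet4 proto udp from any port bootps to any port bootpc`, is stateless and matches on ports alone. Any host that sends from the bootps port therefore reaches the client port while the boot ruleset is active. That is presumably unavoidable, since replies can arrive as broadcasts before an address is configured, but the rule should say so, e.g. `# Stateless on purpose: DHCP replies may be broadcast and match no state entry.` The same revision drops `in` from the neighadv rule, which the log message justifies. Only `family inet4` DHCP is passed, and whether DHCPv6 traffic is needed at this stage is not visible here, so that is worth confirming.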