head	1.5;
access;
symbols
	netbsd-11-0-RC4:1.5
	netbsd-11-0-RC3:1.5
	netbsd-11-0-RC2:1.5
	netbsd-11-0-RC1:1.5
	perseant-exfatfs-base-20250801:1.5
	netbsd-11:1.5.0.14
	netbsd-11-base:1.5
	netbsd-10-1-RELEASE:1.5
	perseant-exfatfs-base-20240630:1.5
	perseant-exfatfs:1.5.0.12
	perseant-exfatfs-base:1.5
	netbsd-8-3-RELEASE:1.4
	netbsd-9-4-RELEASE:1.5
	netbsd-10-0-RELEASE:1.5
	netbsd-10-0-RC6:1.5
	netbsd-10-0-RC5:1.5
	netbsd-10-0-RC4:1.5
	netbsd-10-0-RC3:1.5
	netbsd-10-0-RC2:1.5
	netbsd-10-0-RC1:1.5
	netbsd-10:1.5.0.10
	netbsd-10-base:1.5
	netbsd-9-3-RELEASE:1.5
	cjep_sun2x-base1:1.5
	cjep_sun2x:1.5.0.8
	cjep_sun2x-base:1.5
	cjep_staticlib_x-base1:1.5
	netbsd-9-2-RELEASE:1.5
	cjep_staticlib_x:1.5.0.6
	cjep_staticlib_x-base:1.5
	netbsd-9-1-RELEASE:1.5
	phil-wifi-20200421:1.5
	phil-wifi-20200411:1.5
	is-mlppp:1.5.0.4
	is-mlppp-base:1.5
	phil-wifi-20200406:1.5
	netbsd-8-2-RELEASE:1.4
	netbsd-9-0-RELEASE:1.5
	netbsd-9-0-RC2:1.5
	netbsd-9-0-RC1:1.5
	phil-wifi-20191119:1.5
	netbsd-9:1.5.0.2
	netbsd-9-base:1.5
	phil-wifi-20190609:1.5
	netbsd-8-1-RELEASE:1.4
	netbsd-8-1-RC1:1.4
	pgoyette-compat-merge-20190127:1.4
	pgoyette-compat-20190127:1.4
	pgoyette-compat-20190118:1.4
	pgoyette-compat-1226:1.4
	pgoyette-compat-1126:1.4
	pgoyette-compat-1020:1.4
	pgoyette-compat-0930:1.4
	pgoyette-compat-0906:1.4
	netbsd-7-2-RELEASE:1.3
	pgoyette-compat-0728:1.4
	netbsd-8-0-RELEASE:1.4
	phil-wifi:1.4.0.10
	phil-wifi-base:1.4
	pgoyette-compat-0625:1.4
	netbsd-8-0-RC2:1.4
	pgoyette-compat-0521:1.4
	pgoyette-compat-0502:1.4
	pgoyette-compat-0422:1.4
	netbsd-8-0-RC1:1.4
	pgoyette-compat-0415:1.4
	pgoyette-compat-0407:1.4
	pgoyette-compat-0330:1.4
	pgoyette-compat-0322:1.4
	pgoyette-compat-0315:1.4
	netbsd-7-1-2-RELEASE:1.3
	pgoyette-compat:1.4.0.8
	pgoyette-compat-base:1.4
	netbsd-7-1-1-RELEASE:1.3
	matt-nb8-mediatek:1.4.0.6
	matt-nb8-mediatek-base:1.4
	perseant-stdc-iso10646:1.4.0.4
	perseant-stdc-iso10646-base:1.4
	netbsd-8:1.4.0.2
	netbsd-8-base:1.4
	prg-localcount2-base3:1.3
	prg-localcount2-base2:1.3
	prg-localcount2-base1:1.3
	prg-localcount2:1.3.0.60
	prg-localcount2-base:1.3
	pgoyette-localcount-20170426:1.3
	bouyer-socketcan-base1:1.3
	pgoyette-localcount-20170320:1.3
	netbsd-7-1:1.3.0.58
	netbsd-7-1-RELEASE:1.3
	netbsd-7-1-RC2:1.3
	netbsd-7-nhusb-base-20170116:1.3
	bouyer-socketcan:1.3.0.56
	bouyer-socketcan-base:1.3
	pgoyette-localcount-20170107:1.3
	netbsd-7-1-RC1:1.3
	pgoyette-localcount-20161104:1.3
	netbsd-7-0-2-RELEASE:1.3
	localcount-20160914:1.3
	netbsd-7-nhusb:1.3.0.54
	netbsd-7-nhusb-base:1.3
	pgoyette-localcount-20160806:1.3
	pgoyette-localcount-20160726:1.3
	pgoyette-localcount:1.3.0.52
	pgoyette-localcount-base:1.3
	netbsd-7-0-1-RELEASE:1.3
	netbsd-7-0:1.3.0.50
	netbsd-7-0-RELEASE:1.3
	netbsd-7-0-RC3:1.3
	netbsd-7-0-RC2:1.3
	netbsd-7-0-RC1:1.3
	netbsd-5-2-3-RELEASE:1.3
	netbsd-5-1-5-RELEASE:1.3
	netbsd-6-0-6-RELEASE:1.3
	netbsd-6-1-5-RELEASE:1.3
	netbsd-7:1.3.0.48
	netbsd-7-base:1.3
	yamt-pagecache-base9:1.3
	yamt-pagecache-tag8:1.3
	netbsd-6-1-4-RELEASE:1.3
	netbsd-6-0-5-RELEASE:1.3
	tls-earlyentropy:1.3.0.46
	tls-earlyentropy-base:1.3
	riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.3
	riastradh-drm2-base3:1.3
	netbsd-6-1-3-RELEASE:1.3
	netbsd-6-0-4-RELEASE:1.3
	netbsd-5-2-2-RELEASE:1.3
	netbsd-5-1-4-RELEASE:1.3
	netbsd-6-1-2-RELEASE:1.3
	netbsd-6-0-3-RELEASE:1.3
	netbsd-5-2-1-RELEASE:1.3
	netbsd-5-1-3-RELEASE:1.3
	netbsd-6-1-1-RELEASE:1.3
	riastradh-drm2-base2:1.3
	riastradh-drm2-base1:1.3
	riastradh-drm2:1.3.0.40
	riastradh-drm2-base:1.3
	netbsd-6-1:1.3.0.44
	netbsd-6-0-2-RELEASE:1.3
	netbsd-6-1-RELEASE:1.3
	netbsd-6-1-RC4:1.3
	netbsd-6-1-RC3:1.3
	agc-symver:1.3.0.42
	agc-symver-base:1.3
	netbsd-6-1-RC2:1.3
	netbsd-6-1-RC1:1.3
	yamt-pagecache-base8:1.3
	netbsd-5-2:1.3.0.38
	netbsd-6-0-1-RELEASE:1.3
	yamt-pagecache-base7:1.3
	netbsd-5-2-RELEASE:1.3
	netbsd-5-2-RC1:1.3
	matt-nb6-plus-nbase:1.3
	yamt-pagecache-base6:1.3
	netbsd-6-0:1.3.0.36
	netbsd-6-0-RELEASE:1.3
	netbsd-6-0-RC2:1.3
	tls-maxphys:1.3.0.34
	tls-maxphys-base:1.3
	matt-nb6-plus:1.3.0.32
	matt-nb6-plus-base:1.3
	netbsd-6-0-RC1:1.3
	yamt-pagecache-base5:1.3
	yamt-pagecache-base4:1.3
	netbsd-6:1.3.0.30
	netbsd-6-base:1.3
	netbsd-5-1-2-RELEASE:1.3
	netbsd-5-1-1-RELEASE:1.3
	yamt-pagecache-base3:1.3
	yamt-pagecache-base2:1.3
	yamt-pagecache:1.3.0.28
	yamt-pagecache-base:1.3
	cherry-xenmp:1.3.0.26
	cherry-xenmp-base:1.3
	bouyer-quota2-nbase:1.3
	bouyer-quota2:1.3.0.24
	bouyer-quota2-base:1.3
	matt-mips64-premerge-20101231:1.3
	matt-nb5-mips64-premerge-20101231:1.3
	matt-nb5-pq3:1.3.0.22
	matt-nb5-pq3-base:1.3
	netbsd-5-1:1.3.0.20
	netbsd-5-1-RELEASE:1.3
	netbsd-5-1-RC4:1.3
	matt-nb5-mips64-k15:1.3
	netbsd-5-1-RC3:1.3
	netbsd-5-1-RC2:1.3
	netbsd-5-1-RC1:1.3
	netbsd-5-0-2-RELEASE:1.3
	matt-nb5-mips64-premerge-20091211:1.3
	matt-premerge-20091211:1.3
	matt-nb5-mips64-u2-k2-k4-k7-k8-k9:1.3
	matt-nb4-mips64-k7-u2a-k9b:1.3
	matt-nb5-mips64-u1-k1-k5:1.3
	matt-nb5-mips64:1.3.0.18
	netbsd-5-0-1-RELEASE:1.3
	jym-xensuspend-nbase:1.3
	netbsd-5-0:1.3.0.16
	netbsd-5-0-RELEASE:1.3
	netbsd-5-0-RC4:1.3
	netbsd-5-0-RC3:1.3
	netbsd-5-0-RC2:1.3
	jym-xensuspend:1.3.0.14
	jym-xensuspend-base:1.3
	netbsd-5-0-RC1:1.3
	netbsd-5:1.3.0.12
	netbsd-5-base:1.3
	matt-mips64-base2:1.3
	matt-mips64:1.2.0.14
	mjf-devfs2:1.3.0.10
	mjf-devfs2-base:1.3
	netbsd-4-0-1-RELEASE:1.2
	wrstuden-revivesa-base-3:1.3
	wrstuden-revivesa-base-2:1.3
	wrstuden-fixsa-newbase:1.2
	wrstuden-revivesa-base-1:1.3
	yamt-pf42-base4:1.3
	yamt-pf42-base3:1.3
	hpcarm-cleanup-nbase:1.3
	yamt-pf42-baseX:1.3
	yamt-pf42-base2:1.3
	wrstuden-revivesa:1.3.0.8
	wrstuden-revivesa-base:1.3
	yamt-pf42:1.3.0.6
	yamt-pf42-base:1.3
	keiichi-mipv6-nbase:1.3
	keiichi-mipv6:1.3.0.4
	keiichi-mipv6-base:1.3
	matt-armv6-nbase:1.3
	matt-armv6-prevmlocking:1.2.10.1
	wrstuden-fixsa-base-1:1.2
	netbsd-4-0:1.2.0.12
	netbsd-4-0-RELEASE:1.2
	cube-autoconf:1.3.0.2
	cube-autoconf-base:1.3
	netbsd-4-0-RC5:1.2
	netbsd-4-0-RC4:1.2
	netbsd-4-0-RC3:1.2
	netbsd-4-0-RC2:1.2
	netbsd-4-0-RC1:1.2
	matt-armv6:1.2.0.10
	matt-armv6-base:1.3
	matt-mips64-base:1.2
	hpcarm-cleanup:1.2.0.8
	hpcarm-cleanup-base:1.3
	netbsd-3-1-1-RELEASE:1.1.2.2
	netbsd-3-0-3-RELEASE:1.1.2.2
	wrstuden-fixsa:1.2.0.6
	wrstuden-fixsa-base:1.2
	abandoned-netbsd-4-base:1.2
	abandoned-netbsd-4:1.2.0.2
	netbsd-3-1:1.1.2.2.0.4
	netbsd-3-1-RELEASE:1.1.2.2
	netbsd-3-0-2-RELEASE:1.1.2.2
	netbsd-3-1-RC4:1.1.2.2
	netbsd-3-1-RC3:1.1.2.2
	netbsd-3-1-RC2:1.1.2.2
	netbsd-3-1-RC1:1.1.2.2
	netbsd-4:1.2.0.4
	netbsd-4-base:1.2
	netbsd-3-0-1-RELEASE:1.1.2.2
	netbsd-3-0:1.1.2.2.0.2
	netbsd-3-0-RELEASE:1.1.2.2
	netbsd-3-0-RC6:1.1.2.2
	netbsd-3-0-RC5:1.1.2.2
	netbsd-3-0-RC4:1.1.2.2
	netbsd-3-0-RC3:1.1.2.2
	netbsd-3-0-RC2:1.1.2.2
	netbsd-3-0-RC1:1.1.2.2
	netbsd-3:1.1.0.2;
locks; strict;
comment	@# @;


1.5
date	2019.02.17.20.45.47;	author gutteridge;	state Exp;
branches;
next	1.4;
commitid	F9EqRyj2iWAd6acB;

1.4
date	2017.05.26.15.40.27;	author hauke;	state Exp;
branches
	1.4.10.1;
next	1.3;
commitid	EEFclGq9roUaJUSz;

1.3
date	2007.09.02.15.28.43;	author tron;	state Exp;
branches;
next	1.2;

1.2
date	2006.01.10.20.53.24;	author reed;	state Exp;
branches
	1.2.10.1;
next	1.1;

1.1
date	2005.08.23.12.12.56;	author peter;	state Exp;
branches
	1.1.2.1;
next	;

1.4.10.1
date	2019.06.10.22.10.35;	author christos;	state Exp;
branches;
next	;
commitid	jtc8rnCzWiEEHGqB;

1.2.10.1
date	2007.11.06.23.36.28;	author matt;	state Exp;
branches;
next	;

1.1.2.1
date	2005.08.23.12.12.56;	author tron;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2005.09.02.12.29.37;	author tron;	state Exp;
branches;
next	;


desc
@@


1.5
log
@pf.boot.conf: remove lingering references to dhclient(8), and while
here, capitalize acronyms. Addresses part of PR misc/53669.
@
text
@#	$NetBSD: pf.boot.conf,v 1.4 2017/05/26 15:40:27 hauke Exp $
#
# /etc/defaults/pf.boot.conf --
#	initial configuration for pf(4)
#
# see pf.boot.conf(5) for more information.
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/pf.boot.conf INSTEAD.
#

# Default deny.
block all

# Don't block loopback.
pass on lo0

# Allow outgoing DNS to any resolver (replies return via state), needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping request, might be used by a DHCP client to validate
# old (but valid) leases in case it needs to fall back to such a lease
# (the DHCP server can be down or not responding).
pass out inet proto icmp all icmp-type echoreq keep state

# Allow IPv6 router/neighbor solicitation and advertisement.
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv

# Enable CARP in both directions (no in/out or address restriction), to avoid spurious failovers.
pass proto carp
@


1.4
log
@Enable carp packets early during boot, to avoid gratuitous failovers.

Okayed by christos@@
@
text
@d1 1
a1 1
#	$NetBSD: pf.boot.conf,v 1.3 2007/09/02 15:28:43 tron Exp $
d18 1
a18 1
# Allow outgoing dns, needed by pfctl to resolve names.
d21 3
a23 3
# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the dhcp server can be down or not responding).
d32 1
a32 1
# Enable carp, to avoid spurious failovers.
@


1.4.10.1
log
@Sync with HEAD
@
text
@d1 1
a1 1
#	$NetBSD: pf.boot.conf,v 1.5 2019/02/17 20:45:47 gutteridge Exp $
d18 1
a18 1
# Allow outgoing DNS, needed by pfctl to resolve names.
d21 3
a23 3
# Allow outgoing ping request, might be used by a DHCP client to validate
# old (but valid) leases in case it needs to fall back to such a lease
# (the DHCP server can be down or not responding).
d32 1
a32 1
# Enable CARP, to avoid spurious failovers.
@


1.3
log
@Use "ipv6-icmp" instead of "icmp6" to allow loading these rules again.
Patch supplied by Daniel Horecki in PR bin/36874.
@
text
@d1 1
a1 1
#	$NetBSD: pf.boot.conf,v 1.2 2006/01/10 20:53:24 reed Exp $
d31 3
@


1.2
log
@Fix misspelling in a comment.
@
text
@d1 1
a1 1
#	$NetBSD: pf.boot.conf,v 1.1 2005/08/23 12:12:56 peter Exp $
d27 4
a30 4
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
@


1.2.10.1
log
@sync with HEAD
@
text
@d1 1
a1 1
#	$NetBSD: pf.boot.conf,v 1.3 2007/09/02 15:28:43 tron Exp $
d27 4
a30 4
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
@


1.1
log
@pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window between the network coming up and the
ruleset being loaded during which no pf rules are in effect, leaving the
host open to attacks from the network.

Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.

No objections on: tech-security
@
text
@d1 1
a1 1
#	$NetBSD$
d26 1
a26 1
# Allow IPv6 router/neighbor sollicitation and advertisement.
@


1.1.2.1
log
@file pf.boot.conf was added on branch netbsd-3 on 2005-09-02 12:29:37 +0000
@
text
@d1 30
@


1.1.2.2
log
@Pull up following revision(s) (requested by peter in ticket #717):
	usr.sbin/pf/man/man5/pf.boot.conf.5: revision 1.1
	usr.sbin/postinstall/postinstall: revision 1.4
	etc/rc.d/pf: revision 1.6
	etc/rc.d/pf_boot: revision 1.1
	usr.sbin/pf/etc/defaults/pf.boot.conf: revision 1.1
	usr.sbin/pf/Makefile: revision 1.7
	etc/rc.d/Makefile: revision 1.52
	etc/mtree/special: revision 1.89
	usr.sbin/pf/man/man5/Makefile: revision 1.5
	usr.sbin/pf/etc/defaults/Makefile: revision 1.1
pf needs to be started after the network is up, because some pf rules
derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window between the network coming up and the
ruleset being loaded during which no pf rules are in effect, leaving the
host open to attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security
@
text
@a0 30
#	$NetBSD: pf.boot.conf,v 1.1.2.1 2005/09/02 12:29:37 tron Exp $
#
# /etc/defaults/pf.boot.conf --
#	initial configuration for pf(4)
#
# see pf.boot.conf(5) for more information.
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/pf.boot.conf INSTEAD.
#

# Default deny.
block all

# Don't block loopback.
pass on lo0

# Allow outgoing dns, needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the dhcp server can be down or not responding).
pass out inet proto icmp all icmp-type echoreq keep state

# Allow IPv6 router/neighbor sollicitation and advertisement.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv
@
