# $NetBSD: pf.boot.conf,v 1.5 2019/02/17 20:45:47 gutteridge Exp $
#
# /etc/defaults/pf.boot.conf --
# initial configuration for pf(4)
#
# see pf.boot.conf(5) for more information.
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/pf.boot.conf INSTEAD.
#
# Default deny.
# No rule in this file uses "quick", so pf applies the last rule that
# matches a packet: this block is the fallback, and every pass rule below
# is an explicit exception to it.  Keep it first when adding rules.
block all
# Don't block loopback.
# No direction or protocol is given: all traffic on lo0 is passed, in and out.
pass on lo0
# Allow outgoing DNS, needed by pfctl to resolve names.
# The destination is "any", so this is not limited to the configured
# resolvers: any outbound TCP or UDP traffic to port 53 is passed.
pass out proto { tcp, udp } from any to any port 53 keep state
# Allow outgoing ping request, might be used by a DHCP client to validate
# old (but valid) leases in case it needs to fall back to such a lease
# (the DHCP server can be down or not responding).
# Only IPv4 echo requests are passed, and only outbound; "keep state" is
# what lets the matching replies back in.
pass out inet proto icmp all icmp-type echoreq keep state
# Allow IPv6 router/neighbor solicitation and advertisement.
# Solicitations are passed outbound only and advertisements inbound only.
# The inbound rules match "all": they are not restricted by interface or
# source address, so advertisements are accepted from any sender.
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
# Enable CARP, to avoid spurious failovers.
# No direction, interface or address is given, so CARP is passed in and out
# on every interface.
pass proto carp