# $NetBSD: pf.boot.conf,v 1.4 2017/05/26 15:40:27 hauke Exp $
#
# /etc/defaults/pf.boot.conf --
#     initial configuration for pf(4)
#
# see pf.boot.conf(5) for more information.
#
# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
# EDIT /etc/pf.boot.conf INSTEAD.
#
# How to read this ruleset: no rule below uses `quick`, so for each packet
# the last matching rule decides. `block all` comes first and therefore acts
# as the default; every later `pass` rule carves out one narrow exception.
# Keep that order if you copy these rules into /etc/pf.boot.conf.
#
# NOTE(review): this appears to be the early-boot ruleset that is in effect
# until the regular pf configuration is loaded -- confirm in pf.boot.conf(5).
#

# Default deny: matches every packet, inbound and outbound, on every interface.
block all

# Don't block loopback. No direction is given, so both in and out on lo0
# are passed.
pass on lo0

# Allow outgoing dns, needed by pfctl to resolve names.
# Outbound only, TCP and UDP, to port 53 on any destination (not limited to
# the configured resolvers). `keep state` lets the matching replies back in;
# no rule here passes unsolicited inbound traffic to port 53.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the dhcp server can be down or not responding).
# Only echo requests leaving this host are passed; the replies return through
# the state entry. Inbound echo requests still fall under `block all`.
pass out inet proto icmp all icmp-type echoreq keep state

# Allow IPv6 router/neighbor solicitation and advertisement.
# The rules are directional and stateless: solicitations may leave,
# advertisements may enter. Inbound solicitations and outbound advertisements
# are not passed by this ruleset.
# NOTE(review): the two `pass in` rules accept advertisements from any source
# on any interface. If rogue router/neighbor advertisements are a concern on
# the attached network, restrict them by interface or source in
# /etc/pf.boot.conf.
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass in inet6 proto ipv6-icmp all icmp6-type routeradv

# Enable carp, to avoid spurious failovers.
# No direction, interface or address is given, so CARP is passed in and out
# on every interface.
# NOTE(review): if CARP is used on a single segment only, consider limiting
# this rule to that interface in /etc/pf.boot.conf.
pass proto carp